Advice Request: File-less attacks through browser


Status
Not open for further replies.

shmu26 (thread author)
If you have a decent anti-executable, you don't have to worry so much about malicious files running on your system.
So next main concern would be attacks carried out solely through memory.
If you also have an ad-blocker, what other common vectors still need to be covered, to protect from file-less attacks?

FleischmannTV
If you also have an ad-blocker, what other common vectors still need to be covered, to protect from file-less attacks?

Regarding browsers, just use Chrome/Opera/Edge (and Firefox, once sandboxing has been implemented) and keep them updated. They are designed to contain file-less attacks. Though as a home user, with a modern and updated browser, you will not see file-less attacks, regardless of what vendors tell you.

If you really feel the need to mitigate legacy applications, my first choice would be HitmanPro.Alert 3. Alert stops things at the earliest possible stage and has no competition right now, at least when serious alternatives are concerned. If that's not an option, then Sandboxie OR AppGuard. Neither stops file-less attacks from happening, but they contain them (just like the browsers' built-in sandboxes would, so they have no benefit regarding modern browsers).

In the meantime, I am still waiting for the first exploit to happen on my computer at all. It will not happen, of course, but I have hope.
 
hjlbx

If you have a decent anti-executable, you don't have to worry so much about malicious files running on your system.
So next main concern would be attacks carried out solely through memory.
If you also have an ad-blocker, what other common vectors still need to be covered, to protect from file-less attacks?

An anti-executable by itself will not prevent fileless infection. The browser and its child processes have to be run with limited privileges and limited file-system and registry access rights.

The only security soft that I know of that generically (signature-less) prevents fileless infections like Poweliks, Kovter, Phasebot, etc. is AppGuard.

Fileless infections use an exploit - so if you have updated browser it should be fine. That's not to say that current browsers cannot be exploited - because they most certainly can.
 

shmu26 (thread author)
An anti-executable by itself will not prevent fileless infection. The browser and its child processes have to be run with limited privileges and limited file-system and registry access rights.

The only security soft that I know of that generically (signature-less) prevents fileless infections like Poweliks, Kovter, Phasebot, etc. is AppGuard.

Fileless infections use an exploit - so if you have updated browser it should be fine. That's not to say that current browsers cannot be exploited - because they most certainly can.

Okay, but how do you get hit by this kind of exploit? I mean, if you block ads, how does it get triggered in the real world?
 
hjlbx

Okay, but how do you get hit by this kind of exploit? I mean, if you block ads, how does it get triggered in the real world?

Ad and URL blocker can't keep you away from every single exploit page.

There are exploit webpages, redirects to exploit webpages (exploit kits), etc. There are also Poweliks executables. So any number of means.

Anyhow, your risk of ending up:

1. on an exploit webpage

2. with an exploitable browser

is quite low.

So low that you need not fret about it.

I shouldn't worry about it...

If you are a paranoid user, and these sorts of things really bother you, then you should be using AppGuard or Excubits products.
 

shmu26 (thread author)
Ad and URL blocker can't keep you away from every single exploit page.

There are exploit webpages, redirects to exploit webpages (exploit kits), etc. There are also Poweliks executables. So any number of means.

Anyhow, your risk of ending up:

1. on an exploit webpage

2. with an exploitable browser

is quite low.

So low that you need not fret about it.

I shouldn't worry about it...

If you are a paranoid user, and these sorts of things really bother you, then you should be using AppGuard or Excubits products.

If you aren't worried, then neither am I!
 

FleischmannTV
Fileless infections use an exploit

The exploit needs to be very advanced and zero-day to do any damage on a modern browser. For example, Chrome sub-processes (that are the ones which have the chance of being exploited) have no file-system and registry access (not even read) and they cannot access the memory of other processes because of their integrity level / user-sid / alternate desktop etc.
 

bunchuu
An anti-executable by itself will not prevent fileless infection. The browser and its child processes have to be run with limited privileges and limited file-system and registry access rights.

The only security soft that I know of that generically (signature-less) prevents fileless infections like Poweliks, Kovter, Phasebot, etc. is AppGuard.

Fileless infections use an exploit - so if you have updated browser it should be fine. That's not to say that current browsers cannot be exploited - because they most certainly can.

How about EMET, HMPA or MBAE? Are they effective against fileless infection?
 
hjlbx

The exploit needs to be very advanced and zero-day to do any damage on a modern browser. For example, Chrome sub-processes (that are the ones which have the chance of being exploited) have no file-system and registry access (not even read) and they cannot access the memory of other processes because of their integrity level / user-sid / alternate desktop etc.

Indeed, very remote.

How about EMET, HMPA or MBAE? Are they effective against fileless infection?

Anti-exploits stop the escalation of privileges that lead to fileless infections. So yes...

However, as @FleischmannTV points out, you only need to worry about an exploit in an older browser. Current browsers can be exploited, but it would need to be a zero-day.

Quite honestly, I think anti-exploit softs are just-in-case security softs.
 

DJ Panda
Honestly, anti-exploit software is only needed if you have outdated software; the chances of getting attacked by a zero-day are pretty slim. An ad blocker can be helpful on porn/crack sites, but other than those it's pretty much hurting the other innocent sites.
 

jamescv7
I think it should be accompanied by the use of HIPS, since a fileless attack must invoke processes; any rules whose criteria are not met should require approval first.
 