- Dec 29, 2012
Since the four Community Technical Previews of HitmanPro.Alert 3 last year, our customers and the security community showed strong interest. Enhanced with the valuable feedback that we received, we are excited to announce the general availability (GA) of HitmanPro.Alert 3 – build 180.
HitmanPro.Alert version 3 introduces Exploit Mitigations, of which its hardware-assisted Control-Flow Integrity (CFI) technology is perhaps its most striking feature. CFI is a technique to prevent flow of control not intended by the original application, without requiring the source code or debug symbols of the protected application. With CFI, HitmanPro.Alert 3 effectively stops attackers that hijack control-flow to combine short pieces of benign code, already present in a system, for a malicious purpose; a so-called return-oriented programming (ROP) attack. This capability is achieved by programming and leveraging a hardware feature in modern Intel® processors to track code execution and assist in the detection of attacks in real-time – an industry-first method not found in any other security product.
Besides a performance advantage, employing hardware-traced branch records has a security benefit over software stack-based approaches. Stack-based solutions, like Microsoft EMET, rely on stack data, which (especially in the case of a ROP attack) is under the control of the attacker, who in turn can affect or control the defender as well.
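To make the difference concrete, here is an added illustration (not HitmanPro.Alert's own code) of how return targets taken from a processor branch-record trace can be validated independently of the stack: a legitimate RET lands just after a CALL instruction, while RET-chained ROP gadgets usually do not. The code image, addresses and branch records below are constructed for the example, and the CALL-encoding check is a deliberately simple heuristic.

```python
# Added example: call-preceded check on branch records (constructed data, not a real binary).
from typing import Iterable, List, Tuple

CODE_BASE = 0x401000
CODE = bytes.fromhex(
    "e800000000"    # 0x401000 call rel32        -> legitimate return target 0x401005
    "90"            # 0x401005 nop
    "ffd0"          # 0x401006 call rax          -> legitimate return target 0x401008
    "90"            # 0x401008 nop
    "ff1500000000"  # 0x401009 call [rip+disp32] -> legitimate return target 0x40100f
    "90"            # 0x40100f nop
    "5fc3"          # 0x401010 pop rdi ; ret       (gadget)
    "5ec3"          # 0x401012 pop rsi ; ret       (gadget)
    "4889c7c3"      # 0x401014 mov rdi, rax ; ret  (gadget)
    "5ac3"          # 0x401018 pop rdx ; ret       (gadget)
    "c3"            # 0x40101a ret                 (epilogue of a benign function)
)

Branch = Tuple[str, int, int]   # (kind, source address, destination address)

def _byte(addr: int) -> int:
    off = addr - CODE_BASE
    return CODE[off] if 0 <= off < len(CODE) else -1

def is_call_preceded(target: int) -> bool:
    """Does an x86-64 CALL end exactly at `target`? Common encodings only:
    E8 rel32, FF /2 with a register operand, FF 15 rip-relative memory operand."""
    if _byte(target - 5) == 0xE8:
        return True
    if _byte(target - 2) == 0xFF and (_byte(target - 1) & 0xF8) == 0xD0:
        return True
    if _byte(target - 6) == 0xFF and _byte(target - 5) == 0x15:
        return True
    return False

def scan_branch_records(records: Iterable[Branch], threshold: int = 3) -> Tuple[bool, List[int]]:
    """Flag RET records whose destination is not call-preceded. Alert once `threshold`
    such returns occur in a row; the records come from the CPU, not from attacker-owned
    stack memory, so a ROP chain cannot forge them the way it forges return addresses."""
    suspicious: List[int] = []
    run, alert = 0, False
    for kind, _src, dst in records:
        if kind != "ret":
            continue
        if is_call_preceded(dst):
            run = 0
            continue
        suspicious.append(dst)
        run += 1
        alert = alert or run >= threshold
    return alert, suspicious

# Constructed traces: ordinary function returns, then a four-gadget ROP chain.
BENIGN_TRACE: List[Branch] = [("ret", 0x40101a, 0x401005), ("ret", 0x40101a, 0x401008),
                              ("ret", 0x40101a, 0x40100f)]
ROP_TRACE: List[Branch] = [("ret", 0x401011, 0x401012), ("ret", 0x401013, 0x401014),
                           ("ret", 0x401017, 0x401018), ("ret", 0x401019, 0x401010)]
```

Running `scan_branch_records` over the two traces flags nothing for the benign one and raises an alert on the chain, since every gadget's return target sits behind a `pop` or `ret` rather than a `call`.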
Cybercriminals and hackers are becoming increasingly proficient at finding and attacking previously unknown vulnerabilities to bypass antivirus software as well as memory protections (DEP+ASLR) and silently infiltrate computers. Well-known cases that led to the discovery of zero-day attacks, like Operation SnowMan, GreedyWonk and Clandestine Fox (uncovered by security firm FireEye), as well as the recent Adobe Flash Player exploits, show that attackers are adept at creating malware (shellcode) by borrowing instructions from legitimate applications running on the victim computer – a ROP attack. Antivirus software is not designed to block this, as a ROP attack does not require malicious files or processes. HitmanPro.Alert version 3 is built to stop existing and future attacks, whether they are conducted by exploit kits or (foreign) nation-state hackers, without requiring prior knowledge of the attacks or the abused vulnerabilities.
Besides Exploit Mitigations, HitmanPro.Alert 3 also offers Man-in-the-Browser Intruder Detection (Safe Browsing), Cryptolocker Protection (CryptoGuard), System Vaccination, Webcam Notifier, Keystroke Encryption, BadUSB Protection and our Forensics-based Anti-Malware.
Screenshot
Review
We asked Malware Research Group (MRG Effitas) to test and write an independent review of HitmanPro.Alert 3. In addition we sponsored their Real World Exploit Prevention Test comparison, in which they ran a very diverse set of in-the-wild exploits (from 12 different exploit kits) and attacks on 16 different vulnerabilities against 13 different products.
The second part of the comparison revolved around an artificial zero-day exploit attack. The purpose of this attack is to provide a more realistic picture of the capabilities of security software against real zero-day attacks. Just like real-world zero-day attacks, this attack has not yet been discovered by security researchers and is unknown to blacklist-based technologies that rely on prior discovery, like URL filtering and virus signatures (which is a good indication of why all security solutions, other than Microsoft EMET and Malwarebytes Anti-Exploit, failed to detect this attack).
We also provided MRG with an advanced ROP chain and shellcode for their artificial zero-day attack, which is able to bypass every popular anti-exploit solution.
The techniques that we used to defeat these solutions are not new and have been available in the public domain for a long time. The purpose of our attack is to show readers that any motivated attacker is able to (re-)weaponize exploits to bypass security solutions. In effect it also shows the power of our unique hardware-assisted exploit protection technology. We provided all the details surrounding our attack as well; MRG Effitas has made them available for verification by interested researchers.
You can download the report (which includes the review, comparison and the artificial zero-day attack) from this link: https://www.mrg-effitas.com/mrg-effitas-real-world-exploit-prevention-test-march-2015/
Release notes build 180 GA (changelog compared to build 155 RC)
- Improved Lockdown mitigation to enforce safe execution of VBScript. This mitigates the exploitation technique known as "VBScript God Mode".
- Improved Load Library mitigation to detect shellcode.
- Improved Load Library mitigation to detect reflective loaded libraries.
- Improved branch-based hardware-assisted ROP mitigation (part of Control-Flow Integrity).
- Improved software-based ROP mitigation (part of Control-Flow Integrity).
- Improved IAT Filtering.
- Improved Dynamic Heap Spray mitigation.
- Improved CryptoGuard mitigation, specifically protection of connected network drives.
- Improved BadUSB mitigation.
- Improved Enforce DEP mitigation.
- Improved Safe Browsing intruder alert, which now also shows the correct technical details.
- Improved Software Radar.
- Improved compatibility with EMET 5.1.
- Improved compatibility with Sandboxie 4.16.
- Fixed upgrade from HitmanPro.Alert version 2 to version 3. In previous builds, the upgrade could affect the functionality of the existing connected keyboard.
- Improved HeapSpray mitigation.
- Improved network driver compatibility.
- HitmanPro.Alert 3 allows experienced computer users to apply exploit mitigations to applications of their own choosing. However, the following software types should not be protected by HitmanPro.Alert:
  - Anti-malware and intrusion prevention or detection software
  - Debuggers
  - Software that handles digital rights management (DRM) technologies (e.g. video games)
  - Software that uses anti-debugging, obfuscation, or hooking technologies
- HitmanPro.Alert 3 is not compatible with the Microsoft Enhanced Mitigation Experience Toolkit (EMET) version 5.2. As a workaround you can disable EAF and EAF+ in EMET 5.2. HitmanPro.Alert is fully compatible with EMET 4.1 and EMET 5.1.
Homepage: http://www.surfright.nl/en/alert
Download link: http://dl.surfright.nl/hmpalert3.exe
Getting Started Manual: http://dl.surfright.nl/HitmanPro Alert Getting Started.pdf