
[SOLVED] A bit of a noob question


Weyoun


Hi everyone :)

 

Please forgive my noob question, as I don't completely understand how this works. My questions may have been asked before, so I apologize if they have. From what I do understand, MBAE will protect against websites attempting to drop a payload onto the computer through a "hole" or vulnerability in the browser or application. Also from what I understand, a "drive by" download is basically when something is downloaded onto the computer without the user's knowledge or consent; please correct me if I am wrong. Will MBAE protect against such "drive by" downloads if I accidentally visit a website that attempts to download something like that? Again, I do apologize for being a bit of a noob here :P

 

Sincerely,

*Weyoun*


  • Staff

No need to apologize for asking questions. Other young and not-so-young users will surely benefit from your questions.

 

MBAE will protect against drive-by downloads which use application vulnerabilities to exploit a hole in the system and remotely execute code in your machine without requiring any intervention on your part. Basically in these scenarios you get infected simply by visiting a page. A real example of this was a few months ago when the NBC website was compromised for a few hours and any visitors to their website were exposed to the exploit or drive-by download.

 

In addition to exploit driven drive-by downloads MBAE also protects against other types of vulnerability exploits, such as malicious PDF, DOC, XLS, PPT and other types of maliciously rigged files which exploit vulnerabilities in their corresponding program (Acrobat Reader, MS Word, Excel, etc.). Hackers normally use these tactics and spam out these types of files attached to emails. The moment you open the rigged PDF file with Acrobat Reader it also silently runs some type of malware in your machine.

 

I hope this clarifies a bit how MBAE protects against exploits.


Hi pbust, thank you for the response :)

 

It does help clarify it, thank you :) That was the biggest thing I was wondering, was if it would stop those types of infections that happened to NBC. So, just to make sure I did read you correctly, it will protect against drive by downloads that infect the machine just from visiting the site without the user downloading anything knowingly? You said it would protect against drive by downloads that use exploits, does that mean there are other types of drive by downloads that don't use exploits? Again, thanks for all the help :)


  • Staff

Some people may refer to drive-by downloads as something completely different. From my perspective a drive-by download makes use of an exploit in order to silently drop and run the malware, i.e. it is not dependent upon user interaction like prompting to run a file. If there is a prompt asking you whether you want to save or run the file, in my opinion it is not a drive-by download but rather a social engineering attack.

 

Some people in the antivirus industry might even call a straight download of an EXE/COM a "drive-by download", which in my opinion it is not:

http://www.amtso.org/feature-settings-check.html

  --> "2. Test if my protection against a drive-by download (EICAR.COM) is enabled"

It might be possible in such cases that they would want you to believe you are protected against "drive-by downloads" when in reality you are not.


I see. I also agree with your perspective; from my understanding a "drive by" would be when a website drops and installs/runs the malware without user interaction. I have used the AMTSO website, and I have wondered myself how they could consider the #2 item a "drive by" if I have to click run or save. So, MBAE would not stop those types of downloads since they do not use exploits to drop and run the payload silently, correct? But it would protect against the websites that do attempt to drop and run it silently without user interaction? So, say I or another user visits a website that either is compromised unbeknownst to the website owner, or a website that is dedicated to hosting malware and is known by the owner, and this site attempts to drop and run a payload without interaction: this is what you would consider a drive-by, and MBAE would stop the payload from hitting the computer? I feel like such a noob, lol :P Thanks for your patience and help!


  • Staff

So, MBAE would not stop those types of downloads since they do not use exploits to drop and run the payload silently, correct?

Correct.

 

But it would protect against the websites that do attempt to drop and run it silently without user interaction? So, say I or another user visits a website that either is compromised unbeknownst to the website owner, or a website that is dedicated to hosting malware and is known by the owner, and this site attempts to drop and run a payload without interaction: this is what you would consider a drive-by, and MBAE would stop the payload from hitting the computer?

Yes, although there's a slight difference between "drop and run a payload without user interaction" and "drop and run a payload using an exploit". MBAE is focused on blocking exploits, regardless of whether they are utilized in drive-by downloads, targeted attacks, financial attacks, cyber-espionage or advanced persistent threats. There are certain very unlikely situations where you can manually lower the security settings of your browser and a website could then "drop and run a payload without user interaction" without requiring exploits. But this is extremely rare as you would have to purposely and knowingly tweak a bunch of browser settings to allow it to happen.


Okay, I think I get it. Forgive me for being a bit confused :P lol. I always keep my browser settings at almost the highest level, so I don't think I would get hit with a "drop and run" that didn't require exploits. I thought all "drop and run" without user interaction required an exploit; I didn't know that could happen without an exploit, thanks for explaining. So, let's see if my brain understands it now :P. You said I was correct when I asked about a download that I had to click run or save on, since that doesn't use an exploit. So if I purposefully lowered my security settings (which I wouldn't do), and a website did drop and run something without my interaction without using an exploit, MBAE would not stop that one because that wasn't exploit-driven? But if I kept my browser security settings as they are, and accidentally went to a website that attempted a "drop and run" without my interaction or without knowingly lowering my browser settings, MBAE would stop that? A lot of new information; I always thought drop and run were called "drive by" downloads and that they all used an exploit of some sort. My brain is trying to understand all the information you're giving, so I hope I'm understanding you correctly and I hope I'm not just asking the same thing over and over.


  • Staff

So if I purposefully lowered my security settings (which I wouldn't do), and a website did drop and run something without my interaction without using an exploit, MBAE would not stop that one because that wasn't exploit-driven?

Correct.

 

But if I kept my browser security settings as they are, and accidentally went to a website that attempted a "drop and run" without my interaction or without knowingly lowering my browser settings, MBAE would stop that? A lot of new information; I always thought drop and run were called "drive by" downloads and that they all used an exploit of some sort. My brain is trying to understand all the information you're giving, so I hope I'm understanding you correctly and I hope I'm not just asking the same thing over and over.

 

Correct, MBAE would stop that if the drive-by was performed using an exploit. In reality most drive-by downloads use exploits, as the default config of browsers prevents an accidental drive-by without user interaction and without an exploit.


Okay, I think I understand now :) You answered my biggest question, about going to a website that infected me without any interaction or lowering settings; that was the biggest question I had, and you answered it, along with a lot of new information for me too. I also think it's really cool that MBAE would stop malicious pdf, word, mp3 files, etc. I didn't know those could ever be malicious, so thanks for letting me know!


  • 2 weeks later...

Still on the noob theme, what DOES it do?

 

Is it more than EMET does (which is another thing that covers potential exploits)?

Is it compatible with EMET, or is it overkill to use both?

 

Now I'd assume anyone looking into anti-exploit already knows of EMET, but just in case...

http://krebsonsecurity.com/2013/06/windows-security-101-emet-4-0/

 

Actually, as I understand it, EMET did need a small tweak to harden Internet Explorer against the latest 0-day: an addition to the heapspray options in the registry.

http://blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx

 

I'd also assume we are not talking about an ordinary HIPS, as then it would be duplicated by other things which have that function.

 

Trying to figure out just where it actually sits.


  • Staff

Thanks for your interest and welcome to the forum matth79!

 

In terms of comparing MBAE to EMET, let's look first at the differences in the objective.

 

  • EMET is mainly designed to enforce OS protections on third-party (i.e. non-Microsoft) applications. So, for example, you can force non-ASLR-compliant apps to use ASLR. It also includes other mitigations which are very nice and handy, as well as the certificate trust feature.
  • MBAE, on the other hand, has been designed as a global (i.e. complete, as in you don't need anything else) multi-layer anti-exploit real-time protection. While some of the mitigations are similar in nature, MBAE is more complete as an anti-exploit as it includes multiple techniques against both stage 1 and stage 2 of the exploit attacks (while EMET is just stage 1). So basically, in case something bypasses exploit stage 1 protections with EMET, you are out of luck. With MBAE, if some exploit bypasses stage 1 you still have the stage 2 protection layers protecting you as a safety net.

 

Some other differences are the following:

  1. MBAE is growing and including EMET protections and even other types of protections not found currently in EMET or MBAE. We keep on adding new techniques every other week to make MBAE even more robust and complete as an anti-exploit.
  2. EMET’s protections are limited in older operating systems such as XP, while MBAE's are not. Under XP MBAE is much more effective than EMET. This is especially important for larger companies which still rely on older OS versions and are much more vulnerable.
  3. Finally, potential bypasses for EMET (there have been a few in the past) do not affect MBAE, as we include the exploit stage 2 protections not found in EMET as a safety net.

Having said all that I also have to say that EMET is great and we are great fans of it since the beginning. If you are a security enthusiast or security paranoid you can install both EMET and MBAE and you will have much more protection than having just one or the other. But for the rest of the regular joe blow and gramma users MBAE is much better fitted as it is truly install-and-forget.

 

I hope this helped answer your questions.

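To make the "force non-ASLR-compliant apps to use ASLR" point concrete, here is an added defender-side check (not code from this thread, from Malwarebytes or from EMET): it reads the DllCharacteristics field of a PE optional header and reports whether the binary opted in to ASLR (DYNAMIC_BASE), DEP (NX_COMPAT) and high-entropy 64-bit ASLR. The header-only images it inspects are constructed inline for the demo and are not real executables.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification
DYNAMIC_BASE = 0x0040     # image may be relocated at load time (ASLR opt-in)
NX_COMPAT = 0x0100        # image declares itself DEP-compatible
HIGH_ENTROPY_VA = 0x0020  # 64-bit high-entropy ASLR (meaningful for PE32+ only)

def dll_characteristics(image: bytes) -> tuple:
    """Return (optional-header magic, DllCharacteristics) of a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ signature)")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image (missing PE signature)")
    opt = e_lfanew + 4 + 20  # skip "PE\0\0" and the 20-byte COFF file header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 of the optional header for both PE32 and PE32+
    (dllchars,) = struct.unpack_from("<H", image, opt + 70)
    return magic, dllchars

def aslr_dep_status(image: bytes) -> dict:
    """Summarise the mitigations a binary opted in to at link time."""
    magic, dllchars = dll_characteristics(image)
    return {
        "aslr": bool(dllchars & DYNAMIC_BASE),
        "dep": bool(dllchars & NX_COMPAT),
        "high_entropy_va": magic == 0x20B and bool(dllchars & HIGH_ENTROPY_VA),
    }

def make_test_image(magic: int, dllchars: int) -> bytes:
    """Constructed header-only PE image for the demo (not a real binary)."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)  # e_lfanew at 0x3C
    dos += b"\0" * (e_lfanew - len(dos))                       # pad DOS stub
    opt_size = 0xE0 if magic == 0x10B else 0xF0
    machine = 0x14C if magic == 0x10B else 0x8664
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2102)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, magic)
    struct.pack_into("<H", optional, 70, dllchars)
    return dos + b"PE\0\0" + coff + bytes(optional)

if __name__ == "__main__":
    legacy = make_test_image(0x10B, 0)  # old build with no opt-in flags: EMET's target case
    hardened = make_test_image(0x20B, DYNAMIC_BASE | NX_COMPAT | HIGH_ENTROPY_VA)
    print("legacy  :", aslr_dep_status(legacy))
    print("hardened:", aslr_dep_status(hardened))
```

A binary reporting aslr False is exactly the kind EMET's mandatory ASLR setting relocates anyway; the same parsing works on a real file read with open(path, "rb").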

I guess it's hard to pin down exactly what it does, and how it does it.

 

We all understand what an antivirus is/does - detects/prevents virus/malware by signature detection (reactive) and heuristic analysis / behaviour blocking (reactive).

EMET attempts to block a good number of exploit vectors - where DEP started, EMET builds - on MS applications too, Internet Explorer being the one that most needs its help - good point though, as it needs that addition.

 

I'm guessing that Interprocess control may be one element, but that would also fall under the HIPS of many other products.

 

So the only thing I can think of, parallels another form of defence (that promised a 1.0 release but never delivered on it)

http://www.blade-defender.org/

The key feature of that seemed to be, detecting whether or not a certain action had been commanded by the user .. eg. you click to download a file, you get a file download, but if it tries to download by some devious method, it's blocked - I did wonder if ZVL was where that had actually ended up, since blade-defender seems to be a long stalled/dead project itself.


  • Staff

This discussion is quickly moving from "noob questions" to "l33t questions" :) But it's all good, we like discussing these things openly, thanks for participating matth79!!

 

In terms of parallels, MBAE is much more similar to EMET than it is to Blade Defender. If you read the Blade Defender paper (I haven't read it since a few years ago, so I might miss a detail or two) the technology works in a completely different way than both EMET and MBAE. They basically have a sandbox mechanism for the actions from protected processes. This is very different from both EMET and MBAE in that we protect the application in real-time by intercepting the execution flow rather than redirecting it. This is an over-simplification but it serves to illustrate the point.

 

AFAIK the Blade Defender project was purchased by SRI International, and my best guess is that it is probably either abandoned or being kept as a secret defense project within the US Military (or more likely, both).

 

Going back to parallels between MBAE and EMET, I want to stress my point (1) above that MBAE is growing and includes both stage 1 protection techniques similar to EMET as well as stage 2 protection techniques. As opposed to MBAE, EMET cannot grow to include stage 2 protections or even include some of the stage 1 techniques that we are including. This is not a technical limitation but rather a MSFT policy limitation.
