MBAE Self-Defense


ardaulairesh


Under the active development and great customer support offered by Pedro and Malwarebytes, MBAE is going to be the number one anti-exploit application available in the very near future. Therefore, it itself is going to be the target of attacks, such as modification/elimination of MBAE files (including the program files and log file directories), tampering with its registry keys and termination of MBAE processes. Are there any self-defense mechanisms already implemented to protect MBAE, such as Malwarebytes Chameleon, which is implemented as a self-protection module in MBAM 2 Beta? Are there any (further) plans for future self-protection techniques?

 

I can see that with alpha version 0.10.0.0200 you introduced a new architecture which runs MBAE as a Windows service. This makes the "mbae.exe" process run with limited rights and therefore less exposure. The situation was different during the whole beta phase, in which the mbae.exe process was fully elevated. I was playing with the MBAE service "MbaeSvc", which is running under the LocalSystem account, and tried to change its account type and run it under the LocalService account, which has a lower level of privileges than the previous one and consequently reduces the attack surface of Malwarebytes Anti-Exploit! Naively, "MbaeSvc" failed to launch!

 

Also, with this new architecture non-admin users cannot stop MBAE's protection, nor can they manage the exclusions in MBAE's excluded list, which are in my opinion very good additions.

 

Currently, I am protecting both the "mbae-svc.exe" and "mbae.exe" processes with EMET 4.1! They are configured with ALL EMET mitigations enabled.

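As an added defender's check (not code from this thread or from Malwarebytes), the following PowerShell script audits the points the post above raises: the account MbaeSvc runs under, which principals may stop or reconfigure the service, who can write its registry key, and whether the MBAE processes are running and under which user. The service, process and registry names follow the thread; how the script inspects them is an assumption about standard Windows tooling, not about MBAE's internals.

```powershell
# Added example: audit MBAE service hardening (run from an elevated PowerShell on a host with MBAE).
# Service/process names from the thread; the checks themselves are generic Windows tooling.
$svcName = 'MbaeSvc'
$svc = Get-CimInstance Win32_Service -Filter "Name='$svcName'"
if (-not $svc) { Write-Warning "Service $svcName not found"; return }

# 1. Account the service runs under (LocalSystem vs a lower-privilege account) and its binary.
"Service account : $($svc.StartName)"
"Binary path     : $($svc.PathName)"

# 2. Service DACL: which principals can stop, reconfigure or delete the service.
$sddl = ((& sc.exe sdshow $svcName) -join '').Trim()
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
foreach ($ace in $sd.DiscretionaryAcl) {
    $mask = [int]$ace.AccessMask
    $rights = @()
    if ($mask -band 0x0002)  { $rights += 'ChangeConfig' }  # SERVICE_CHANGE_CONFIG
    if ($mask -band 0x0020)  { $rights += 'Stop' }          # SERVICE_STOP
    if ($mask -band 0x10000) { $rights += 'Delete' }        # DELETE
    if ($rights) {
        # Resolve the SID to a name where possible; fall back to the raw SID.
        $who = $(try { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
                 catch { $ace.SecurityIdentifier.Value })
        "{0,-13} {1,-40} {2}" -f $ace.AceType, $who, ($rights -join ',')
    }
}

# 3. Registry key ACL: can anyone besides admins/SYSTEM write the service's configuration?
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName"
(Get-Acl $key).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.RegistryRights -match 'SetValue|CreateSubKey|WriteKey|FullControl' } |
    ForEach-Object { "Registry write: $($_.IdentityReference) -> $($_.RegistryRights)" }

# 4. Are the MBAE processes running, in which session, and as which user?
Get-Process -Name 'mbae', 'mbae-svc' -ErrorAction SilentlyContinue |
    Select-Object Name, Id, SessionId,
        @{ n = 'User'; e = {
            $p = Get-CimInstance Win32_Process -Filter "ProcessId=$($_.Id)"
            ($p | Invoke-CimMethod -MethodName GetOwner).User } }
```

Any Allow entry in step 2 or 3 for a non-administrative principal is a tampering path worth following up; the EMET mitigations mentioned in the post are not visible through these APIs and are not checked here.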

Hi ardaulairesh,

As far as I know MBAE has no self-defence mechanisms. I believe the reason for this is that to tamper with MBAE you need to infect the computer, and once the computer is infected, MBAE won't do much good anyway. MBAE is not designed to run in an infected environment. It is to keep a clean computer clean.

Pbust once posted about this before. You can find it here.
This is in contrast to MBAM, which is actually supposed to be able to run in a hostile environment.

 

I hope this sheds some light on the situation. If you have any questions, please post & ask.


I am not convinced of the wisdom of using EMET to mitigate exploits of Anti-Exploit processes. This is because EMET's detection of exploits causes the exploited process(es) to be terminated. I would have thought that it was preferable not to terminate mbae.exe and mbae-svc.exe. If it was possible for malware to exploit Anti-Exploit so as to then corrupt a running system then I would use EMET to mitigate exploits of Anti-Exploit.

 

Malwarebytes Anti-Exploit is indeed a magnum opus and I look forward to giving the paid-for version to friends as presents. It should save me a lot of bother with dealing with malware infections and their aftermath, so call it enlightened self-interest if you like. Needless to say, I will be getting the paid-for version for my own systems. Can't wait.


  • Staff

Thanks for the comments guys. The explanation referenced by Durew is the correct answer. So while MBAE is designed to prevent such attacks, we might incorporate some self-protection mechanisms in the future even though they are not as important as in other products such as AV or AM.

 

As for EMET protecting MBAE's processes (or vice versa, once we allow adding new apps to MBAE), I am also somewhat doubtful of its usefulness due to the low attack surface from remote code execution exploits. You would have to first compromise the host and then disable the protection. But once compromised, it's game over anyway.

 

I think it's more important to be as stealthy as possible so that exploits cannot detect its presence. There was a recent example of this in the latest IE10 zero-day, in which the exploit detected the presence of EMET:

[attached screenshot]
