
Is anti-Exploit really anti-Exploit ?


godpiou


I had recently, in the past 3 hours, a message from Google Chrome that the site I was about to enter was injected and was not the real site I wanted to visit (precisely, www.bestbuy.ca). I decided to enter anyway and it was clear that it was an exploit scam (the graphics on the page remained the same, but when I moved the mouse over links, the URL address had changed to something like be-buy.com). But even when I clicked the site, Anti-Exploit never advised me. If Chrome had not done the job, I would probably now have ransomware or data theft. Could you explain this to me please...

 

Thanks in advance,

 

Eric Godbout

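The behaviour Eric describes (a page that looks like www.bestbuy.ca while its links resolve to another domain) is something a browser-side check can surface. Below is an added example, not code from the forum post or from Chrome or Malwarebytes; the page URL and anchor list are constructed sample data, and the two-label domain approximation is a simplification of a Public Suffix List lookup.

```javascript
// Flag anchors whose target leaves the site the user believes they are on.
// Constructed sample data; not taken from any real page.

function registrableDomain(hostname) {
  // Crude approximation: keep the last two labels. Production tooling
  // should consult the Public Suffix List, which this example omits.
  const labels = hostname.toLowerCase().split('.').filter(Boolean);
  return labels.slice(-2).join('.');
}

// anchors: [{ text, href }] as scraped from the DOM; pageUrl: the address bar.
function findOffSiteLinks(pageUrl, anchors) {
  const page = new URL(pageUrl);
  const expected = registrableDomain(page.hostname);
  const findings = [];
  for (const a of anchors) {
    let target;
    try {
      target = new URL(a.href, page); // resolves relative hrefs against the page
    } catch (e) {
      findings.push({ text: a.text, href: a.href, reason: 'unparseable href' });
      continue;
    }
    if (!/^https?:$/.test(target.protocol)) continue; // skip mailto:, tel:, ...
    const actual = registrableDomain(target.hostname);
    if (actual !== expected) {
      findings.push({ text: a.text, href: target.href,
                      reason: `points at ${actual}, not ${expected}` });
    } else if (target.protocol !== 'https:') {
      findings.push({ text: a.text, href: target.href,
                      reason: 'same site but plain http' });
    }
  }
  return findings;
}

// Constructed sample: a page styled as bestbuy.ca whose Checkout link
// goes to a lookalike domain, as in the forum report.
const SAMPLE_PAGE = 'https://www.bestbuy.ca/en-ca/category/laptops';
const SAMPLE_ANCHORS = [
  { text: 'Laptops',  href: '/en-ca/category/laptops' },
  { text: 'Account',  href: 'https://account.bestbuy.ca/login' },
  { text: 'Checkout', href: 'https://be-buy.com/checkout' },
  { text: 'Contact',  href: 'mailto:help@bestbuy.ca' },
];

console.log(findOffSiteLinks(SAMPLE_PAGE, SAMPLE_ANCHORS));
```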

Eric, what you describe is not that of software exploitation. That is what Malwarebytes' Anti-Exploit (MBAE) is for. While it is true that Social Engineering is the Human Exploit, that's not what MBAE is for. What you describe in your web visit sounds like a fraud page of some kind. Often frauds exploit human frailties to effect their ploy. Software exploitation is a background event. When a software exploitation is in play the computer user will generally not know it is happening. There are no bells and whistles that go off, and the only visual clue to what is happening may be that the application being exploited crashes. However, not all exploitation attempts cause an application to crash, and not all application crashes are the result of an exploitation attempt.

When one talks about a software "exploit" that MBAE is designed to block, there are basically two kinds.
 
*  Exploiting a software vulnerability to gain elevated privileges to effect a computer's compromise
 
*  Taking advantage of a capability to use to their benefit in an unexpected or unanticipated way.
 
As an example of the first case I'll use the Lovsan/Blaster worm.  It exploited a software vulnerability in the Operating System RPCSS/DCOM which uses TCP port 135.  The Lovsan/Blaster worm would send a specific set or string of characters to TCP port 135 to create a "buffer overflow with an elevation of privileges" condition where if successful, the worm would create a BLASTER.EXE on the target system and then execute it.  Once the PC was infected it would seek new hosts and the Lovsan/Blaster worm would spread exponentially.
 
As an example of the second case I'll use the Wimad trojan. The Wimad trojan takes advantage of the Digital Rights Management (DRM) incorporated in media files such as MP3, WMV and other music and video files. By taking advantage of the DRM, it would be used in combination with Social Engineering and one's desire for "free music" or a "free movie" to cause the person to download and run some malicious program.
 
Therefore you use an anti exploitation application to thwart the malicious activity of deliberately exploiting a vulnerability to effect a system compromise.
 
One may use a specially crafted...

  • PDF file to exploit a vulnerability in a PDF viewer like Adobe Reader or FoxIt.
  • MOV file to exploit a vulnerability in Apple's QuickTime renderer.
  • GIF file to exploit a vulnerability in Microsoft's Graphics Device Interface (GDI).
  • DOC, XLS or other MS Office document file to exploit a vulnerability in Microsoft Office or to use a macro to download and execute a file or extract an embedded file and execute it.
  • RMP file to exploit a vulnerability in RealPlayer.


It is for situations as enumerated above where an anti exploit application will be used to monitor and shield a given application, which exhibits vulnerabilities, from attempts using the vulnerability/exploitation attack vector.
 
The intention of MBAE is to monitor and shield a given application which has a propensity of being exploited.

 

Edited by David H. Lipman
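David's first kind of exploit, a "specific string of characters" sent to a listening service that triggers a buffer overflow, rests on a missing bound check in the receiving code. The block below is an added example, not code from the forum post, from Malwarebytes or from the RPCSS/DCOM service; it uses a hypothetical one-byte-length-prefixed message format and constructed sample messages to show the defective handler beside the checked one.

```c
/* Hypothetical request format: byte 0 = length of a name, then the name bytes.
   Added example, not the Blaster-era RPC protocol. */
#include <stdint.h>
#include <string.h>

#define NAME_MAX 16

/* Defective handler: trusts the length field taken from the message itself.
   Any declared length of NAME_MAX or more writes past `name` on the stack,
   which is the memory corruption an exploit turns into code execution.
   Shown only to make the missing check visible; never feed it untrusted data. */
int handle_unchecked(const uint8_t *msg, size_t msg_len) {
    char name[NAME_MAX];
    if (msg_len < 1) return -1;
    size_t declared = msg[0];            /* attacker-controlled */
    memcpy(name, msg + 1, declared);     /* missing: declared < NAME_MAX */
    name[declared] = '\0';               /* can also write out of bounds */
    return (int)strlen(name);
}

/* Checked handler: the declared length is validated against both the bytes
   actually received and the destination size before anything is copied.
   Returns the name length, or a negative code naming the rejected case. */
int handle_checked(const uint8_t *msg, size_t msg_len, char *out, size_t out_len) {
    if (msg == NULL || out == NULL || out_len == 0) return -1;
    if (msg_len < 1) return -1;
    size_t declared = msg[0];
    if (declared > msg_len - 1) return -2;   /* claims more bytes than were sent */
    if (declared >= out_len) return -3;      /* would not fit with the terminator */
    memcpy(out, msg + 1, declared);
    out[declared] = '\0';
    return (int)declared;
}

/* Constructed sample messages. */
const uint8_t MSG_BENIGN[]    = { 5, 'a', 'l', 'i', 'c', 'e' };
const uint8_t MSG_TRUNCATED[] = { 3, 'a' };      /* claims 3 bytes, sends 1 */
```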

Hi David,

I understand better now. Thanks for the explanation. I thought that an injection was an exploit, but it's clear now that it's just another type of social engineering.

Thanks again

Eric
