Does MBAE protect from 'AtomBombing' - latest Code Injection technique?


3xP10iT

AtomBombing appears to be an OS-level issue. Malwarebytes Anti-Exploit works to harden applications that work at the application level, i.e., Firefox.

I am sure more will come out in the coming days. That being said, I would expect Microsoft has staff looking into this and if any of you are running HIPS, Snort rules will be written to block any known exploit attempts, after they are discovered.

In the meantime, I would not count on MBAE or any other security tool to block this exploit if it occurs at the OS level. MBAE cannot stop OS-based exploits; however, it does limit what can be done at the application level and thus is still very useful to limit the overall number of attacks that can be used against applications running on a Windows-based system.

http://www.scmagazine.com/system-level-exploit-allows-code-injection-of-all-windows-os-versions/article/569173/


  • Staff

"Yes" we block this via multiple techniques. Btw other vendors are claiming to stop AtomBombing with some basic exploit mitigation. But we've successfully modified AtomBombing to bypass those other exploit mitigations. In all modifications MBAE still blocks it, although with other protection layers as shown in the picture.

 

MBAEvsAtomBombing.png


1 hour ago, pbust said:

"Yes" we block this via multiple techniques. Btw other vendors are claiming to stop AtomBombing with some basic exploit mitigation. But we've successfully modified AtomBombing to bypass those other exploit mitigations. In all modifications MBAE still blocks it, although with other protection layers as shown in the picture.

 

MBAEvsAtomBombing.png

Yes, this is the explanation that we wanted from Malwarebytes. Any video demo?

But, if you think you did better than other vendors, could you post a detailed write-up about this on the Malwarebytes forum? Just like what other vendors did to promote and prove their products, rather than 'Yes' or 'No' answers?

Sample: https://blog.cylance.com/cylanceprotect-vs-atombombing-exploit

This is the time to promote your products more aggressively, as now you have the 'selling point', but with a better blog write-up just like what I said above so people will know more.


  • Staff

I don't like doing that type of pissing match promotion. We modified the AtomBombing exploit in a few different ways and the modifications bypassed the Cylance product (as it only has basic exploit protection) and were stopped by a stock/default MBAE install. Even a 1 year old MBAE version stopped all the AtomBomb modifications. Feel free to accept this statement (or not), but we probably won't do a video showing other vendors.

 


4 hours ago, pbust said:

I don't like doing that type of pissing match promotion. We modified the AtomBombing exploit in a few different ways and the modifications bypassed the Cylance product (as it only has basic exploit protection) and were stopped by a stock/default MBAE install. Even a 1 year old MBAE version stopped all the AtomBomb modifications. Feel free to accept this statement (or not), but we probably won't do a video showing other vendors.

 

pbust, I totally accept your statement. :) Thumbs up, Malwarebytes team!!! You are the best!!! :D
