BLADE: New Tool for Stopping Stealthy Downloads

Which is why I am considering adding Sandboxie to the HIPS protection in Spyware Terminator. That should keep my PC safe.

 

I take this to mean you refer to the cybercriminal hosting the exploit code itself on the compromised website. This is certainly possible, so your HIPS or the like, or a Sandbox would stop the malware payload from installing, just as it would from a redirected site.

But it's more common for cybercriminals to use simple code injection or Search Engine poisoning to redirect traffic to their website. From their own site, they can easily control and modify their exploit packages.

Does this cover what you are thinking?

----
rich

 

This project sounds very interesting! Especially for free!

Will it support 64-bit systems?

It will be interesting to see how it performs on real PCs due to the fact of FalsePositives...

 

It does indeed. Thanks very much for the information!

I will admit that I find it striking that so many people get stung by these threats. Particularly recently, I've seen many folks I know get infected by these drive-by downloads, and it makes me wonder if the malware is being hosted locally on the compromised domains. Most of these people know better than to consent to the download, use some variety of script blocking, and keep their software up to date - so I'm forced to surmise that the familiar domains are actually dolling out the nasties.

 

The most reliable solution is to keep the system locked down to prevent anything from sneaking by. But this is not always a favored solution, as BlueZannetti notes in his thread here:

Approaches to maintaining a clean system
https://www.wilderssecurity.com/showthread.php?t=252253

There are always trade-offs between ease of use and security, the most recent and sensational example being the Aurora exploit against organizations. A simple Default-Deny rule in Software Restriction Policies would have blocked this 0-day exploit at the gate. However, such a restriction means that only the Administrator can install software, a situation that would make for a very unhappy workforce, as some IT personnel have told me.

Again, it's always a trade-off between security and ease of use!

----
rich

 

IE allready has this just use these reg files in this post

https://www.wilderssecurity.com/showpost.php?p=1603237&postcount=1


pretty tough business case to set up, when a simple registry tweak provides the same functionality. May be I should make an execytable of it and sell it, so people start to use this. Same with the icacls.exe trick on Vista and Windows7 to force drop my rights even under UAC. It does not degrade your functionality, so why not use it? May be becasue it is to easy (using something you allready paid for with the OS)

 

Yeah, don´t see what all the fuss is about, if I´m correct every HIPS with process/executable control is able to stop drive by downloadS, but then again, most people are not running HIPS.

 

At work, I always remind the user that their special configuration protects them from infections. In the end, they are very grateful.

 

Make an exe and put it on giveaway of the day.

 

Why not indeed, Kees? In my experience with some of my clients and from what I read in forums, a lot of users just plain do not want to mess with anything that does not have a shiny GUI with blinking buttons. And messing with the registry is strictly forbidden with a lot of people. But you are right, if you created an executable of that same tweak people would use it because they just want to be protected with a couple of mouse clicks. Of course if you tell a firefox user that you have a way to make IE the most secure browser and show them proof of it, they will most likely continue using Firefox simply because it is there favorite or they are used to it.

 

@Kees
But i guess with your registry tweaks it is nearly impossible to download exe files even with Firefox and other browsers. This has been already discussed, but i guess it was not yet solved....May be i am wrong, so please lemme know if that issue has been sorted out or not?

 

Does anyone know if this will x64 systems?

I searched for any contact i could ask but didn't found anything...

 

RMUS,

Thx for your always detailed and comprehensible explanations.

There are so many options which streghten the security which are not used by default, see http://msdn.microsoft.com/en-us/library/ms537169(VS.85).aspx

Some goodies:
- FEATURE_OBJECT_CACHING
- FEATURE_ZONE_ELEVATION
- FEATURE_MIME_HANDLING
- FEATURE_MIME_SNIFFING
- FEATURE_WINDOW_RESTRICTIONS

Regards Kees

 

No Chrome allows the download, only explorer blocks execution with this tweak. So I am using chrome now for this reason (which is not a punishment when you romove session ID, add click&clean, Siteadvisor for Chrome, Adsweep and Flashblock).

To switch it on and off (for use with FF and IE) I have added reg files see https://www.wilderssecurity.com/showpost.php?p=1603237&postcount=1

Regards Kees

 

Hm, new informations on their homepage:

I hope that does not implicit that the final version won't be free...

And i hope i will be working for x64 systems.!.

 

New informations and a video on the homepage: http://www.blade-defender.org/

But i am waiting for any contact or forum. I am interested in facts like: Will it run on x64 systems? And will it be free for ever?

 

I'm sooo waiting for this.

 

Me too!

 

@Habakuck

Thanks for the update

BLADE Demo against Real-world Drive-by Download Site

http://www.youtube.com/watch?v=9emHejh8hWE



Several frames before you can see what appears to be Flash trying to load, so i guess the exploit might be related to that, and or Scripting running ?

That's with IE8 running no mention of it's settings though. And of course no AV etc, but the test is just to show how drive bys can still penetrate in 2010 with the latest browser.

Even if there was AV, unless it had the defs for the nasty it would still get through. I'm leaving out mentioning other types of security software which might have prevented this, as it's a browser test.

Looking good so far, can't wait for the release to test it myself

 

No, that's not how ASLR works. ASLR is what the acronym says -- it randomizes the address space of an application in memory. Some exploits require prior knowledge of the location of the heap, stack, etc. Without this knowledge the exploit is dead in the water. ASLR randomizes this address space to make it next to impossible to exploit (at least on 64 bit systems -- not so much on 32 bit). It was invented in 2001 and first implemented in OpenBSD and the Linux kernel. Microsoft jumped on board with Vista.

ASLR is important because it can stop zero-days, whereas SRP sometimes will not if the vulnerable app is acting within its pre-defined accepted behavior.

By the way, ASLR is available on XP with 3rd party add-ons like WehnTrust. However, unless you are using XP 64 bit, the implementation is pretty weak.

 

any news on the release?
waiting .....

 

No news about a release as yet but noticed this which i didn't before

BLADE MALWARE URL ANALYSIS RESULTS
NOTICE: This page is 100% auto-generated.
Wed May 5 20:45:04 2010

.

http://www.blade-defender.org/eval-lab/

See chart for full details

 

Hola:
Been watching this thread with interest.
Took an interesting turn.

Very good reading: a veritable Book chapter in itself. Very very nice.
Thx to those posting.


As an aside
OOI IIRC, the now discontinued 'samurai' tool included all those Reg hooks that Kees mentioned. Somewhat moot now.
Good hardening tool for XP
Samurai is still there: http://www.turbotramp.fre3.com/
Not sure how relevant it is now: W7 and Vista need admin rights.
Interesting implementation.
Some references
https://www.wilderssecurity.com/showthread.php?t=167309
http://gladiator-antivirus.com/forum/index.php?showtopic=49247
http://kareldjag.over-blog.com/article-1232530.html
http://www.brighthub.com/computing/smb-security/reviews/58646.aspx

The "32steps.doc" file on the home page is a nice little "primer" on hardening.

Not sure if it offers anything over whitelisting and anti .exe apps.

**It can screw down the box so effectively that it could interfere with other "real time" apps.

EDIT: see the post below
This tool is likely ood by now: just an example of 'hardening', not really to be regarded as a current useable complete solution in any way.

 

Samurai's hardening is decent but the HIPS component is really woefully obsolete at this point, and will not prevent most drivers from loading.

 

Ya
Sorry if that was not clear..see above edit