US firm Malwarebytes has announced a security product it believes can do something that has eluded even the best-resourced security firms in the business – block all zero-day attacks known and unknown against popular Windows applications.
Called Anti-Exploit, the new software is an application developed by a startup Malwarebytes acquired a year ago called ZeroVulnerabilityLabs, founded by ex-Panda Security software engineer, Pedro Bustamente. The germ of the development dated back to an early version of the software that appeared in 2012.
Let’s be clear about how extraordinary this technology is on a conceptual level. It doesn’t just claim to stop application exploits that are known but those that aren't too. If it works it will be the first product to implement 'zero-day defence'. And all without a signature in sight.
The free version protects against zero-day vulnerabilities in Java, Flash, Silverlight and various browsers - Internet Explorer, Mozilla, Chrome and Opera - while the $24.95 (£15) paid version adds to that list Adobe and Foxit’s PDF reader, Microsoft’s Office suite, and a range of media players such as Windows Media Player and QuickTime.
The paid software also allows the user to define custom applications, while a third track will be the business version that comes with centralised endpoint management.
The antivirus industry has a tendency to run on security hype from time to time so do the big claims being made for Anti-Exploit stand up?
Zero day attacks on applications – exploiting software flaws to take control of a target - are the bread and butter of today’s cybercrime. Losing that avenue of attack would shut down something that is not so much of an attack path as an attack super-highway. Indeed, it is hard to think of a single significant piece of malware (including attacks traced to nation states) that hasn’t depended on exploiting zero-day flaws at some point in their execution.
“It is install and forget,” says Pedro Bustamente, who has spent the best part of three years since leaving Panda Software developing the technology behind it.
He agrees that recent versions of Windows have improved their integrated security, including innovations such as Address Space Layout Randomisation (ASLR), as well as Microsoft’s own anti-exploit layer, the Enhanced Mitigation Experience Toolkit (EMET). The latter, he believed, had been simply too generic to be a useful defence against real-world attacks.
“Most of what antivirus does is protection of the binary; [with Anti-Exploit] we are looking at the actions of the shellcode and payload.”
The difficulty of developing Anti-Exploit was that there was no one technique that could do it all, said Bustamente. It had been necessary to develop several layers of protection and fine tune them to defend real applications. Anti-Exploit used three layers of defence, guarding against OS bypasses, blocking exploit execution in memory and stopping the payload element from running.
Aware that it was likely to be greeted with scepticism, Malwarebytes asked security researcher Kafeine to pit the beta version against a number of top malware exploit kits and 31 recent known Java, IE and Adobe exploits. According to the results, the software blocked all of them.
Assuming this result is replicated against other known (and unknown) exploits, attackers have only three lines of attack left, starting with the application itself. Two other limitations are that the software doesn’t and can’t defend against zero-day attacks on Windows itself (although relatively few use that avenue because this kind of flaw is rarer than it used to be), nor malware employing social engineering to get itself installed.
“Exploits have been responsible for a lot of headlines recently as they are a highly effective way of stealing confidential data from people and businesses. After researching thousands of vulnerabilities and exploits, we are confident that Malwarebytes Anti-Exploit will help mitigate some of this risk,” said Malwarebytes CEO, Marcin Kleczynski.
“With the advanced threat landscape becoming increasingly exploit-led, this new proactive technology puts people and companies back on the front foot. This is especially important for those still running Windows XP.”
Malwarebytes Anti Exploit can be downloaded from the firm's website.