Mission impossible? Malwarebytes invents software that blocks zero-day attacks

Can this software end the tyranny of zero-day attacks?

US firm Malwarebytes has announced a security product it believes can do something that has eluded even the best-resourced security firms in the business - block all zero-day attacks known and unknown against popular Windows applications.

Called Anti-Exploit, the new software is an application developed by a startup Malwarebytes acquired a year ago called ZeroVulnerabilityLabs, founded by ex-Panda Security software engineer Pedro Bustamante. The germ of the development dates back to an early version of the software that appeared in 2012.

Let's be clear about how extraordinary this technology is on a conceptual level. It claims to stop not only known application exploits but unknown ones too. If it works, it will be the first product to implement 'zero-day defence'. And all without a signature in sight.

The free version protects against zero-day vulnerabilities in Java, Flash, Silverlight and various browsers - Internet Explorer, Mozilla, Chrome and Opera - while the $24.95 (£15) paid version adds to that list Adobe and Foxit's PDF reader, Microsoft's Office suite, and a range of media players such as Windows Media Player and QuickTime.

The paid software also allows the user to define custom applications, while a third track will be the business version that comes with centralised endpoint management.

The antivirus industry has a tendency to run on security hype from time to time, so do the big claims being made for Anti-Exploit stand up?

Zero-day attacks on applications - exploiting software flaws to take control of a target - are the bread and butter of today's cybercrime. Losing that avenue of attack would shut down something that is not so much an attack path as an attack super-highway. Indeed, it is hard to think of a single significant piece of malware (including attacks traced to nation states) that hasn't depended on exploiting zero-day flaws at some point in its execution.

"It is install and forget," says Pedro Bustamante, who has spent the best part of three years since leaving Panda Software developing the technology behind it.

He agrees that recent versions of Windows have improved their integrated security, including innovations such as Address Space Layout Randomisation (ASLR), as well as Microsoft's own anti-exploit layer, the Enhanced Mitigation Experience Toolkit (EMET). The latter, he believed, had been simply too generic to be a useful defence against real-world attacks.

"Most of what antivirus does is protection of the binary; [with Anti-Exploit] we are looking at the actions of the shellcode and payload."

The difficulty of developing Anti-Exploit was that there was no one technique that could do it all, said Bustamante. It had been necessary to develop several layers of protection and fine-tune them to defend real applications. Anti-Exploit uses three layers of defence: guarding against OS bypasses, blocking exploit execution in memory, and stopping the payload element from running.
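To make the first two of those layers concrete, here is an added illustration (written for this article, not Malwarebytes' or ZeroVulnerabilityLabs' code) of the kind of policy an anti-exploit layer can apply: before a sensitive API such as VirtualProtect or WinExec is allowed to proceed, check where the call came from and, for memory-protection calls, what it is trying to do. A call that originates from heap, stack or freshly allocated writable memory rather than from a loaded module image is treated as shellcode running in memory; a call that would make stack or heap memory executable is treated as an attempt to bypass the operating system's DEP protection. The memory map, the addresses and the call trace are all constructed sample data, and the region kinds and flag values are simplifications of the Win32 originals.

```python
from dataclasses import dataclass
from typing import List, Optional

# Simplified protection bits (loosely mirroring Win32 PAGE_* flags; constructed for this example).
EXEC = 0x1
WRITE = 0x2
READ = 0x4


@dataclass(frozen=True)
class Region:
    start: int        # inclusive
    end: int          # exclusive
    kind: str         # "image" (loaded module), "stack", "heap" or "private" allocation
    protect: int      # combination of READ / WRITE / EXEC
    name: str = ""


# Constructed memory map of a hypothetical process; every address here is made up.
MEMORY_MAP: List[Region] = [
    Region(0x00400000, 0x00480000, "image", READ | EXEC, "app.exe"),
    Region(0x77000000, 0x77100000, "image", READ | EXEC, "kernel32.dll"),
    Region(0x00200000, 0x00210000, "stack", READ | WRITE, "main thread stack"),
    Region(0x01000000, 0x01100000, "heap", READ | WRITE, "process heap"),
    Region(0x02000000, 0x02010000, "private", READ | WRITE | EXEC, "RWX allocation"),
]

# APIs an exploit typically needs to reach; the set is illustrative, not exhaustive.
SENSITIVE_APIS = {"VirtualProtect", "VirtualAlloc", "WinExec", "CreateProcessA", "LoadLibraryA"}
PROTECTION_APIS = {"VirtualProtect", "VirtualAlloc"}


@dataclass(frozen=True)
class ApiCall:
    api: str
    return_address: int           # address the API would return to, i.e. the caller
    target: Optional[int] = None  # for protection APIs: the memory whose rights change
    new_protect: int = 0          # for protection APIs: the requested rights


def find_region(memory_map: List[Region], address: int) -> Optional[Region]:
    """Return the region containing `address`, or None if it is not mapped."""
    for region in memory_map:
        if region.start <= address < region.end:
            return region
    return None


def classify_call(memory_map: List[Region], call: ApiCall) -> str:
    """Decide whether a sensitive API call should proceed.

    Layer "exploit execution in memory": the caller must live in a loaded module image.
    Layer "OS bypass": a protection change must not make stack or heap memory executable.
    """
    if call.api not in SENSITIVE_APIS:
        return "allow"
    caller = find_region(memory_map, call.return_address)
    if caller is None:
        return "block: caller address not mapped"
    if caller.kind != "image":
        return f"block: {call.api} called from {caller.kind} memory ({caller.name})"
    if caller.protect & WRITE:
        return f"block: {call.api} called from writable+executable image region ({caller.name})"
    if call.api in PROTECTION_APIS and call.target is not None and call.new_protect & EXEC:
        target = find_region(memory_map, call.target)
        if target is not None and target.kind in ("stack", "heap"):
            return f"block: {call.api} would make {target.kind} memory executable (DEP bypass pattern)"
    return "allow"


def evaluate_trace(memory_map: List[Region], trace: List[ApiCall]) -> List[str]:
    """Apply the policy to every call in a recorded trace and return one verdict per call."""
    return [classify_call(memory_map, call) for call in trace]


# Constructed trace: one legitimate call, three exploit-style calls, one harmless call.
SAMPLE_TRACE: List[ApiCall] = [
    ApiCall("LoadLibraryA", 0x00401234),                          # from app.exe code
    ApiCall("WinExec", 0x01000500),                               # from heap memory
    ApiCall("VirtualProtect", 0x00401300, target=0x00205000,      # app code making the
            new_protect=READ | WRITE | EXEC),                     # stack executable
    ApiCall("CreateProcessA", 0x02000100),                        # from an RWX allocation
    ApiCall("GetTickCount", 0x00205000),                          # not a sensitive API
]

if __name__ == "__main__":
    for call, verdict in zip(SAMPLE_TRACE, evaluate_trace(MEMORY_MAP, SAMPLE_TRACE)):
        print(f"{call.api:15s} @ {call.return_address:#010x} -> {verdict}")
```

The two checks are deliberately independent of any signature: neither knows which vulnerability was used to hijack control, only that code is running from somewhere no legitimate module lives, or that the process is trying to turn data into code. That is also why such a layer cannot help against a kernel-level flaw or a user who is talked into running a program, which is the limitation the article goes on to describe.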

Aware that it was likely to be greeted with scepticism, Malwarebytes asked security researcher Kafeine to pit the beta version against a number of top malware exploit kits and 31 recent known Java, IE and Adobe exploits. According to the results, the software blocked all of them.

Assuming this result holds against other known (and unknown) exploits, attackers are left with only three lines of attack, starting with the application itself. The two other limitations are that the software does not and cannot defend against zero-day attacks on Windows itself (although relatively few attacks use that avenue, because this kind of flaw is rarer than it used to be), nor against malware that uses social engineering to get itself installed.

"Exploits have been responsible for a lot of headlines recently as they are a highly effective way of stealing confidential data from people and businesses. After researching thousands of vulnerabilities and exploits, we are confident that Malwarebytes Anti-Exploit will help mitigate some of this risk," said Malwarebytes CEO, Marcin Kleczynski.

"With the advanced threat landscape becoming increasingly exploit-led, this new proactive technology puts people and companies back on the front foot. This is especially important for those still running Windows XP."

Malwarebytes Anti-Exploit can be downloaded from the firm's website.

Stories by John E Dunn