(According to Marcus Ranum in Technology Review): It is most likely that we will break down by a fatal system failure caused by connecting one critical system with a not-so-critical system that was connected to the Internet just because someone wanted to check his Facebook account through that system and accidentally got hit by a drive-by.
2014/07/27 by Flo
Over the last few years I programmed a lot of different tools to analyze malware in a high-level environment because I was tired of doing such work with ordinary debuggers and/or disassemblers. Within the last few months I finally put all the different approaches together and built an Exploit Analysis Appliance Framework called Exploitbuster. Let me explain what Exploitbuster is all about. If you have any questions, feel free to contact me.
More and more sophisticated and targeted zero-day attacks are on the rise in our Internet- and computer-driven world. Traditional security defenses such as anti-virus, IDS or next-generation firewalls are not able to keep up with the number of new attacks flooding computer systems and networks day after day. The impact on organizations is significant: denial of service (DoS), increased help desk calls, network downtime, information and intellectual property loss, etc. All of that adds up to lost productivity and lost money.
Traditional tools like firewalls, anti-virus products and behavior analysis were designed only for already known patterns of malicious code and attacks. But today we see personalized attacks against corporate IT infrastructures and users. These attacks survive most classical detection systems like firewalls, IDS, AVs and filtering Internet gateways. Such solutions offer only little protection against such attackers, because new attacks (zero-days) have a really good chance of not being detected and stopped by traditional solutions.
It's time for other solutions to come into place that help you and your organization identify and analyze zero-day exploits or other harmful attacks in a controlled environment. Exploitbuster enables you to automatically open suspicious documents (PDFs, DOCs, XLSs, PPTs etc.) on pre-configured forensic computers. The forensic computers are each packed with different versions of Windows, commonly used web browsers, plug-ins and applications to open a suspicious file or URL. Using special analysis tools in user and kernel mode, Exploitbuster is able to track a lot of suspicious behavior on the fly while keeping the false-positive/false-negative rate low.
Exploitbuster lets you test suspicious objects to see if their content is toxic and harmful without the painful process of analyzing such objects with hacky-cracky debuggers, customized API-hook engines etc. If an object is harmful, you can design a pattern to block such content at your gateway or trace it back. Exploitbuster gives you a powerful environment to inspect potential malware and zero-day attacks embedded in URLs or well-known document file formats, with little prior knowledge or in-depth inspection needed. Thus Exploitbuster perfectly suits the need for automatic forensic analysis.
With an easy-to-use web interface, even ordinary users can inspect a single file or batches of files against a target environment or against all pre-configured environments of an Exploit Analysis Appliance. Exploitbuster fully opens and executes suspicious objects and allows users to inspect what is really going on behind the scenes. The resulting report allows you to pinpoint an option for a given incident.
Exploitbuster is my private project and is still under construction and development. For more details about its progress, check out the project's web site, so stay tuned.
2013/01/19 by Flo
You can anonymously report potentially toxic web content that we might check and analyze with Exploitbuster.
2013/01/05 by Flo
2012/12/14 by Flo
In general, an instance of Exploitbuster can be installed on a standard PC with an x86/x64 Intel/AMD-based CPU, 1 to 4 GB of RAM and at least 20 GB of HDD. But I highly recommend installing Exploitbuster on an appliance server with VMware as the virtualization host, where you can run different Exploitbuster instances in parallel.
Exploitbuster has a very, very small binary footprint and can be run on €100 machines if one does not want to rely on virtualization to detect malware. Thus, if you like, you can install and run the framework on a bunch of cheap mini/micro-ITX boxes :-)
2012/12/14 by Flo
Licensed versions of Windows XP, Vista, 7 and 8 (x86 and x64). A VMware virtualization solution is recommended and supported, but VirtualBox works fine too.
2014/07/28 by Flo
Are there other projects doing the same?
I think so. NSS Labs and FireEye might have such solutions to collect such background intelligence information. Also check out the Honeynet Project.
Does Exploitbuster support Windows 8 and 8.1?
Yes. Even more: Exploitbuster supports Windows XP, Vista, 7, 8 and 8.1.
Exploitbuster, Türsteher, Türsteher Light, MZWritescanner... Are they all the same?
No, Exploitbuster is much more than the free drivers you can download at bitnuts.de. Türsteher itself is not available for free and is more or less a high-class executable tracker: it is able to check any executable that gets loaded, and it checks binaries on a signature basis. Türsteher Light is a highly stripped-down (lite) version of Türsteher published for free on bitnuts.de.
Is there any latency when using systems with Exploitbuster (and its drivers)?
A bit, but not noticeable. Maybe you might notice the difference if you use the system for playing high-end games in parallel :-) Under normal circumstances the ordinary user will not feel any difference while surfing the web, using a word processor, doing some image processing tasks, watching YouTube or video on demand, surfing Facebook and Twitter etc. I do all of that with the drivers enabled, and it works perfectly for me. I have also used it in specially secured and highly virtualized (beyond standard) environments, and the drivers did not take a noticeable toll on the system. Well, as I said: maybe if you play some 3D games, but that is out of my scope.
Can I use Exploitbuster as some kind of protection suite (like a desktop firewall or something)?
No and yes. Exploitbuster was initially intended to run as a server with its analysis workers as separate (virtual) machines, not on a single client. But you can install it on only one client and skip the part of Exploitbuster that handles and distributes requests to different machines. In that setup Exploitbuster is more or less a live protection framework on your personal computer. I currently do so and it works perfectly for me, but I think the ordinary user cannot handle that.
Does Exploitbuster detect memory-mapped files used for reflective attacks?
Yes, it should, but maybe some hacker is better than us and can work around our detection techniques :-)
Does Exploitbuster prevent malicious drivers from being loaded if hit by an exploit?
Yes, Exploitbuster is able to detect almost every binary loaded by an exploit. That is what Exploitbuster is good at. There might be some special scenarios I could think of where Exploitbuster might fail, but that is currently out of scope. If you want to discuss that, contact me.
Is Exploitbuster some kind of anti-virus scanner or desktop firewall?
No, Exploitbuster is an analysis tool. Natively it will not scan files or URLs against well-known virus databases or against a collection of commercial anti-virus products. Exploitbuster's aim is to detect unknown attacks, or permutations of known attacks, hidden in documents or web sites that will not be caught by ordinary anti-virus scanners. But it is no problem to include an anti-virus scanner in the framework and pre-scan suspicious files before checking them on an Exploitbuster instance.
I have a suspicious object (file, URL). Can you run it through your instance of Exploitbuster?
For sure, feel free to contact me.
How much is the Exploitbuster Appliance and where can I buy it?
Well, Exploitbuster is a private project and currently I do not plan to sell it as a product. If there is demand, I can assist interested parties with installing and setting up an Exploitbuster Analysis Appliance. Feel free to contact me.
Do you publish any exploits detected by Exploitbuster?
Hell no! Well, from time to time we do active Internet measurements using Exploitbuster, but we will not publish any exploits detected by Exploitbuster to the public. If needed and possible, we will contact the author of a vulnerable object or the operating authority under responsible disclosure. Maybe we will provide some high-level statistics soon.
Is the current version of Exploitbuster final, or do you update and improve Exploitbuster?
No and yes :-) Exploitbuster is a private project and we are still developing its code and hardware base. Check out the project's web site and stay tuned.
Will Exploitbuster catch all kinds of exploits?
Well, we hope that Exploitbuster will catch a lot of exploits, but to say we will catch all exploits seems to be an illusion. We are not like Rasputin, but we work hard to provide mirages ;-)