Disclaimer: Malwarebytes is a client. This is a sponsored post.
Malwarebytes' goal is to show how effective Malwarebytes Anti-Exploit (MBAE) is.
My goal is to try to find an exploit or exploit kit that defeats it.
I know that many passes, although made against different exploit kits, are technically redundant, but I have been asked to do an MBAE vs All EKs, so here it is. I'll try MBAE against many live exploit kits with different setups.
I took the latest version available to the public for a first set of runs on 2014-04-28/29 and 2014-05-02:
Malwarebytes Anti-Exploit 0.10.3.0100
[Screenshot: MBAE 0.10.3.0100 in Windows 7]
1 - MBAE vs Nuclear Pack
1.a.1 XP, IE8 (CVE-2013-2551 vulnerable), Java 7.0.07, Adobe Reader 9.3.0.148, Flash 11.5.502.146
First pass: MBAE wins.
[Screenshot: The only exploit being delivered is the Flash one (CVE-2013-0634/CVE-2014-0497). IE crashed and relaunched, but our IP was then blacklisted by Nuclear Pack.]
[Screenshot: Alert received (this is what the user sees; I will show the log, but the log is not prompted to the user)]
[Screenshot: What I can see in the log (don't trust the date and time: the VM was reverted and the clock was not yet synced)]
I decided to disable Flash and make another pass.
1.a.2 XP, IE8 (CVE-2013-2551 vulnerable), Java 7.0.07, Adobe Reader 9.3.0.148
[Screenshot: Here CVE-2013-2551 (IE), CVE-2013-2423 (Java <= 7u17) and CVE-2010-0188 (PDF). We can see the payload being downloaded, but it is not being executed.]
[Screenshot: Payload blocked]
Off topic: we just escaped:
8d30917be0991a4a18c513943dc027a3, which should be BitCrypt (crypto ransomware)
1.a.3 XP, IE8 up to date, Java 1.7.0.21, Flash 13.0.0.182, Adobe Reader 9.3.0.148
[Screenshot: CVE-2013-2460 (Java <= 7u21) and the PDF exploit could strike; CVE-2013-2551 is tried but could not succeed here]
[Screenshot: PDF and Java exploit traces]
Off topic: we just escaped:
77f210c71962325d09aee79e455cd18e
1.b.1 Win7 x64 IE10 CVE-2014-0322 vuln, Flash 12.0.0.44, Silverlight 5.1.10411.0, java7u25
In that config, MBAE is not needed, as Nuclear Pack can't exploit the computer: it has no code for CVE-2014-0322 or CVE-2013-0074/3896 (Silverlight), and for some reason CVE-2014-0497 was not fired.
[Screenshot: Config b.1 did not face exploitation from Nuclear Pack]
1.b.2 Win7x32 IE10 CVE-2014-0322 vuln, Flash 12.0.0.38, Silverlight 5.1.20513.0, Adobe Reader 11.0.01, Java6.u.45
[Screenshot: CVE-2013-2465 fired]
[Screenshot: And blocked.]
Off topic: the payload was:
59bd57b840bfa9809e32e753e8c0375c
2 - MBAE vs Angler EK
2.a.2 XP, IE8 (CVE-2013-2551 vulnerable), Java 7.0.07, Adobe Reader 9.3.0.148
[Screenshot: CVE-2013-2551 triggered an alert and MBAE blocked the exploit. On IE reload, the exploit kit rejected us.]
[Screenshot: One more line in the MBAE logs for that VM (plus some entries from 1.a.2)]
(This is when I decided to add config a.3 for all passes, to check without the IE exploit triggering.)
2.a.3 XP, IE8 up to date, Flash 13.0.0.182, Adobe Reader 9.3.0.148 + Java
I made two passes there. In that config there is no need for MBAE, as the exploit kit fails with Java 7u21 (2.a.3.a) and 7u7 (2.a.3.b).
[Screenshot: Angler EK fails with JRE 7u21]
[Screenshot: Angler EK fails with JRE 7u7]
2.b.1 Win7 x64 CVE-2014-0322 vuln, Flash 12.0.0.44, Silverlight 5.1.10411.0, java7u25
On the first pass, CVE-2014-0322 made the browser crash, and we also see the Silverlight call.
[Screenshot: First pass on Angler (2.b.1.a)]
[Screenshot: Screen after pass 2.b.1.a]
2.b.2 Win7x32 IE10 CVE-2014-0322 vuln, Flash 12.0.0.38, Silverlight 5.1.20513.0, Adobe Reader 11.0.01, Java6.u.45
[Screenshot: Angler EK launching CVE-2014-0497 and CVE-2014-0322]
The Flash exploit is intercepted just before CVE-2014-0322 makes the browser crash.
[Screenshot: After pass 2.b.2]
3 - MBAE vs Infinity
3.a.2 XP, IE8 (CVE-2013-2551 vulnerable), Java 7.0.07, Adobe Reader 9.3.0.148
[Screenshot: MBAE vs Infinity: CVE-2013-2551 caught. IE crashes and reloads.]
[Screenshot: Four log lines generated by two Infinity landings vs MBAE]
3.b.1 Win7 x64 CVE-2014-0322 vuln, Flash 12.0.0.44, Silverlight 5.1.10411.0, java7u25
[Screenshot: Infinity CVE-2014-0322 pass. IE crashed too, but on reload the exploit was successfully triggered]
[Screenshot: CVE-2014-0322 in Infinity blocked by MBAE]
3.b.2 Win7x32 IE10 CVE-2014-0322 vuln, Flash 12.0.0.38, Silverlight 5.1.20513.0, Adobe Reader 11.0.01, Java6.u.45
[Screenshot: CVE-2014-0322, Silverlight exploit and Flash exploit fired]
[Screenshot: Intercepted by MBAE]
4 - MBAE vs FlashPack
4.a.2 XP, IE8 (CVE-2013-2551 vulnerable), Java 7.0.07, Adobe Reader 9.3.0.148
[Screenshot: MBAE vs FlashPack. CVE-2013-2551 spotted and blocked]
[Screenshot: Two new lines in the log: CVE-2013-2551 from FlashPack intercepted by MBAE]
To see more, we'll do another pass with IE8 up to date.
4.a.3 XP, IE8 up to date, Flash 13.0.0.182, Java 7.0.21, Adobe Reader 9.3.0.148
[Screenshot: FlashPack trying CVE-2014-0497 (which wouldn't strike in that config anyway) and CVE-2013-2465 or CVE-2013-2471]
[Screenshot: FlashPack Java exploit intercepted by MBAE]
Off topic: we escaped Glupteba (as expected from the FlashPack thread owned by the Windigo guys):
abf7690306b1d3782a0a8b43da70ec46
4.b.1 Win7 x64 CVE-2014-0322 vuln, Flash 12.0.0.44, Silverlight 5.1.10411.0, java7u25
Once again, the first pass made the browser crash.
[Screenshot: CVE-2014-0322 and CVE-2013-0074/3896 fired, but no need for Anti-Exploit in that case as the browser crashed (4.b.1.a)]
I made three passes, each time crashing. So at that point I decided to add a config b.2 based on Win7 x32.
4.b.2 Win7x32 IE10 CVE-2014-0322 vuln, Flash 12.0.0.38, Silverlight 5.1.20513.0, Adobe Reader 11.0.01
[Screenshot: IE crashed again...]
[Screenshot: Pass 4.b.2.a]
Same with pass 4.b.2.b on the Windigo FlashPack EK instance.
4.b.3 Win7 x64, Flash 13.0.0.182 (CVE-2014-0515 vulnerable)
I added that config since this exploit kit is becoming mainstream.
[Screenshot: CVE-2014-0515 pass (the EK also tries to fire CVE-2014-0322), 2014-06-06]
MBAE stopped it again:
[Screenshot: Alert and logs from MBAE after the CVE-2014-0515 attempt]
5 - MBAE vs Magnitude (top-exp)
5.a.2 XP, IE8 (CVE-2013-2551 vulnerable), Java 7.0.07, Adobe Reader 9.3.0.148
[Screenshot: Magnitude vs MBAE; the last line is the payload from Java]
[Screenshot: Logs showing the JAR payload blocked and CVE-2013-2551 intercepted (Magnitude 2014-04-28)]
Off topic: we escaped that payload:
69c737cabafceb7fe4a62ffba7518164 (Simda)
5.a.3 XP, IE8 up to date, Flash 13.0.0.182, Java 7.0.21, Adobe Reader 9.3.0.148
In that config, no exploitation:
[Screenshot: Java from Magnitude blocked by the Java security settings in pass 5.a.3.a]
I made another pass, lowering those settings from High to Medium.
[Screenshot: I chose to accept the risk and run, but no exploitation]
[Screenshot: Pass 5.a.3.b (no exploitation, so no need for MBAE there)]
5.b.1 Win7 x64 CVE-2014-0322 vuln, Flash 12.0.0.44, Silverlight 5.1.10411.0, java7u25
From what I know there is no code there to exploit that config, but I made a pass anyway for confirmation.
[Screenshot: Magnitude in that config is a "safe" place to be for now :)]
5.b.2 Win7x32 IE10 CVE-2014-0322 vuln, Flash 12.0.0.38, Silverlight 5.1.20513.0, Adobe Reader 11.0.01, Java6.u.45
[Screenshot: Magnitude firing CVE-2013-2471]
[Screenshot: CVE-2013-2471 from Magnitude intercepted by MBAE]
Off topic: the blocked payload is:
7db42c47c357a798a4cca5f1489ffdd2
6 - MBAE vs Fiesta
6.a.2 XP, IE8 (CVE-2013-2551 vulnerable), Java 7.0.07, Adobe Reader 9.3.0.148
[Screenshot: MBAE vs Fiesta]
[Screenshot: MBAE wins again vs Fiesta in that configuration]
6.a.3 XP, IE8 up to date, Flash 12.0.0.38, Java 7.0.21, Adobe Reader 9.3.0.148
[Screenshot: Fiesta is able to drop the encrypted payload, but it is not executed]
I found the encrypted payload in Content.IE5 (the IE cache folder), but no decryption or execution.
6.b.1 Win7 x64 CVE-2014-0322 vuln, Flash 12.0.0.44, Silverlight 5.1.10411.0, java7u25
Once again, an IE crash blocked exploitation.
I won't make more tests with that config. I have reported to the MBAE team that I had far more IE crashes with MBAE than without (the crash may be helped by MBAE combined with CVE-2014-0322. Note: usually I do not get a crash, I get infected :) so a crash is still better).
6.b.2 Win7x32 IE10 CVE-2014-0322 vuln, Flash 12.0.0.38, Silverlight 5.1.20513.0, Adobe Reader 11.0.01, Java6.u.45
[Screenshot: Fiesta firing CVE-2014-0497]
Successfully blocked by MBAE.
7 - MBAE vs GrandSoft
7.a.3 XP, IE8 (CVE-2013-2551 vulnerable), Flash 12.0.0.38, Java 7.0.21, Adobe Reader 9.3.0.148
[Screenshot: CVE-2013-5329 that can strike here... and no Java exploit... MBAE not needed here. Another pass to be sure: same.]
7.b.2 Win7x32 IE10 CVE-2014-0322 vuln, Flash 12.0.0.38, Silverlight 5.1.20513.0, Adobe Reader 11.0.01, Java6.u.45
[Screenshot: GrandSoft firing CVE-2013-5329 (Flash) and probably CVE-2013-2463 (Java)]
[Screenshot: MBAE wins (in the background, the GrandSoft landing)]
[Screenshot: Piece of the detailed logs]
8 - MBAE vs Sweet Orange
8.a.3 XP, IE8 (CVE-2013-2551 vulnerable), Flash 12.0.0.38, Java 7.0.21, Adobe Reader 9.3.0.148
[Screenshot: Sweet Orange firing Java exploits (here probably CVE-2013-2460 striking)]
[Screenshot: Infection would work without a prompt... MBAE wins again.]
8.b.2 Win7x32 IE10 CVE-2014-0322 vuln, Flash 12.0.0.38, Silverlight 5.1.20513.0, Adobe Reader 11.0.01, Java6.u.45
[Screenshot: First pass (8.b.2.a): CVE-2014-0497 is fired. IE goes into a non-responding state.]
Second pass (8.b.2.b): the same.
I disabled MBAE to see.
[Screenshot: No MBAE: IE responding, and the VM infected (8.b.2.c)]
In that case I would say it's half a victory: no infection with MBAE, but no alert and no logs. The user may wonder what happened. I reported it to the MBAE team.
9 - MBAE vs HiMan EK
Sadly, there has been no active HiMan that I am aware of in the last month.
[...]
Malwarebytes has integrated the feedback in MBAE build 1.03.1.1000:
[Screenshot: MBAE 1.03.1.1000]
(A new "Buy Now" button appeared. I asked about the differences from the free version: in licensed mode, MBAE will also protect against standalone exploits in PDF readers, MS Office Word, Excel and PowerPoint, and media players, as well as offering custom shields for user-defined applications.)
I made a try to see if the minor issues spotted in the previous version were fixed, and also to check it against RIG (which should not be a problem, as it's a rip of Infinity) and GonDad.
So on Sweet Orange the problem spotted has been fixed: IE is not hanging anymore and an alert is shown.
8.b.2.c Win7x32 IE10 CVE-2014-0322 vuln, Flash 12.0.0.38, Silverlight 5.1.20513.0, Adobe Reader 11.0.01, Java6.u.45
[Screenshot: Sweet Orange trying CVE-2014-0497. IE reloads. No infection, and an alert from MBAE 1.03.1.1000 (pass 8.b.2.c)]
[Screenshot: Alert on Sweet Orange infection attempt]
10 - MBAE vs Styx
10.a.1 XP, IE8 (CVE-2013-2551 vulnerable), Java 7.0.07, Adobe Reader 9.3.0.148, Flash 11.5.502.146
[Screenshot: Styx 2014-05-31: 4 attempts (due to the IE setting: reload on crash) of CVE-2013-2551 and the Flash exploit (likely CVE-2013-0634)]
10.b.1 Win7 x64 CVE-2014-0322 vuln, Flash 12.0.0.44, Silverlight 5.1.10411.0, java7u25
[Screenshot: Styx pass 10.b.1 with an IE crash just before the Flash exploit]
Once again no infection, and correctly alerted by Malwarebytes Anti-Exploit.
10.b.2 Win7x32 IE10 CVE-2014-0322 vuln, Flash 12.0.0.38, Silverlight 5.1.20513.0, Adobe Reader 11.0.01, Java6.u.45
[Screenshot: Styx now firing the Silverlight exploit]
[Screenshot: Caught by MBAE again]
11 - MBAE vs RIG
11.a.1 XP, IE8 (CVE-2013-2551 vulnerable), Java 7.0.07, Adobe Reader 9.3.0.148, Flash 11.5.502.146
[Screenshot: RIG vs MBAE 2014-05-22]
[Screenshot: MBAE vs RIG first pass: MBAE wins.]
11.b.1 Win7 x64 CVE-2014-0322 vuln, Flash 12.0.0.44, Silverlight 5.1.10411.0, java7u25
[Screenshot: RIG firing CVE-2014-0322, CVE-2014-0497 and CVE-2013-0074/3896]
[Screenshot: Intercepted by MBAE]
11.b.2 Win7x32 IE10 CVE-2014-0322 vuln, Flash 12.0.0.38, Silverlight 5.1.20513.0, Adobe Reader 11.0.01, Java6.u.45
[Screenshot: CVE-2014-0322, CVE-2013-0634 (!?) and Silverlight exploit fired by RIG 2014-05-22]
[Screenshot: and blocked by MBAE]
12 - MBAE vs Gondad
12.a.1 XP, IE8 (CVE-2013-2551 vulnerable), Java 7.0.07, Adobe Reader 9.3.0.148, Flash 11.5.502.146
[Screenshot: Gondad 2014-05-22]
[Screenshot: CVE-2013-0634 in Gondad successfully blocked by MBAE]
12.b.1 Win7 x64 CVE-2014-0322 vuln, Flash 12.0.0.44, Silverlight 5.1.10411.0, java7u25
[Screenshot: Only landing...]
Config not vulnerable... Nothing to see on the MBAE side.
12.b.2 Win7x32 IE10 CVE-2014-0322 vuln, Flash 12.0.0.38, Silverlight 5.1.20513.0, Adobe Reader 11.0.01, Java6.u.45
Config is not vulnerable. Nothing to see.
Conclusion
Malwarebytes Anti-Exploit is working as expected against all widely used exploit kits. It works on Java exploits, where EMET wouldn't. This product sounds like a good additional layer against unpatched ("0day") exploits as well, even if I have some doubts about its ability to stop kernel-level exploits.