This post was last edited by 驭龙 on 2016-2-1 09:27
Remember my earlier post about the HitmanPro.Alert developer saying that Norton 22.5.4 uses a special technique to copy NTDLL API functions? At the time I was afraid people would say I was bashing Norton, so I locked the thread. Today, however, I found something unbelievable, and now I finally understand why the HitmanPro.Alert guru was disparaging Norton back then.
When Symantec released Norton 22.5.4, it shipped a brand-new anti-zero-day technology, a new protection framework called Proactive Exploit Protection. That is probably why the guru blew up at the time.
A few days ago Symantec finally published the technical details of the new Proactive Exploit Protection framework. Let's read the official text; machine translation mangles it, so here is the English original.
https://community.norton.com/zh-hans/node/1314921
Norton Security customers (and, in fact, anyone running Norton’s Windows client – 22.5.4 or newer) benefit from the introduction of a new protection framework called Proactive Exploit Protection (PEP) that aims to better protect Windows devices from so-called “zero-day” attacks – attacks that attempt to exploit undiscovered and unpatched holes (or vulnerabilities) in Windows applications or in the operating system itself. PEP features three powerful protection techniques that will stop several types of prevalent zero-day attacks in their tracks.
A quick primer on the ‘zero-day’ ecosystem
Frequently, a security researcher or ethical hacker will discover a vulnerability in software they’re studying. They will then notify the affected software vendor and work with them to ensure a ‘patch’ is issued that resolves the underlying vulnerability. If, however, malicious attackers discover the vulnerability first, they may write code that can exploit the vulnerability in an attempt to gain unauthorized remote access to devices running the vulnerable software.
In the last couple years, we’ve seen a significant increase in the number of zero-day exploits being used in Internet attacks. There are a number of factors at play here, but our research leads us to believe that a significant driver of the recent uptick in zero-day exploits is due to an increasing level of cooperation and professionalization among attackers who are eager to exploit these vulnerabilities for profit.
Zero-day exploits: Increasing in frequency and impact
[Figure: Number of zero-day vulnerabilities. Source: ISTR Internet Security Threat Report, Symantec 2015]
How long are zero-day vulnerabilities typically exposed?
Our analysis shows that for the top five zero-day attacks that spread in 2014, it took software vendors an average of 59 days post-attack just to make a software fix available to their customers. That figure does not include either the time, up front, that those vulnerabilities stood undiscovered on people’s devices (typically months and even years in some cases), or the additional time necessary for people to actually apply the respective fixes.
[Figure: Average Time to Patch Top 5 Zero-Day Vulnerabilities; average patch time for the top 5 zero-day vulnerabilities in 2014: 59 days]
What can Proactive Exploit Protection do to protect against the threat of zero-day attacks?
Norton’s Proactive Exploit Protection technology works by recognizing a range of malicious behaviors that are common trademarks of zero-day attacks and subsequently blocking only software that exhibits those specific behaviors. One of the most exciting aspects of this approach is that it provides protection against attacks the moment vulnerable software is deployed, not if and when a vulnerability is eventually discovered or attacked. This is significant, because as it turns out, most zero-day attacks take advantage of vulnerabilities that have existed for many months and in some cases years without having been previously discovered.
How can Proactive Exploit Protection achieve better protection in the real-world?
Let’s take the example of a recent zero-day attack called Operation Pawn Storm that propagated earlier this year and which took advantage of a zero-day exploit in the widely deployed Java software environment.
To achieve its goal, the Operation Pawn Storm attack exploited a vulnerability in Java to disable a component known as the Java Security Manager. While Norton customers were protected relatively quickly in this case (about a day later), non-Norton customers running Java had to wait another two days until Oracle (the company that develops Java) issued a patch to protect Java customers from the Operation Pawn Storm attack. Unfortunately, many Java users remained unprotected even months later due to the somewhat hit-or-miss way in which people apply available software updates.
PEP’s Java protection technology aims not only to eliminate any lag time to protect our customers, but to further provide complete protection against the exploitation of Java zero-day attacks by blocking any code that attempts to disable the Java Security Manager, regardless of which novel vulnerabilities criminals discover in the future.
[Figure: Operation Pawn Storm Timeline]
Heap Sprays and Structured Exception Handlers
Beyond Java attacks, malware authors have focused on two other common attack categories in the past few years. Heap spraying refers to an attack that attempts to insert malicious code in pre-determined memory locations in the hope that it will be executed by a vulnerable application (typically a web browser or browser plug-in). Accordingly, PEP includes a heap spray prevention module that, in essence, pre-populates certain memory locations with benign code, effectively blocking such attacks from using those memory locations for nefarious purposes.
PEP also features a technique called Structured Exception Handler Overwrite Protection. As its name suggests, PEP will prevent malicious code from overwriting special Windows routines called Structured Exception Handlers, which are designed to tell a Windows PC what to do in case an exception (or unexpected event) crops up while running an application. An exception can be triggered by a number of irregular occurrences like a call to divide by zero or an attempt to access an invalid memory address. Windows maintains a set of unique ‘handler’ routines for each category. Unfortunately, clever attackers have figured out ways to hijack this exception handling mechanism by employing a three-step approach:
- Write malicious code into a memory location.
- Overwrite Windows’ Structured Exception Handler routine for a particular exception (for example, an access violation) so that it now points to that malicious code.
- Trigger the appropriate exception so that Windows will reference the overwritten handler routine and be tricked into running the malicious code.
In this way, attackers in the past have been able to gain complete remote control of devices without the user doing anything more than navigating to a particular (hacked or malicious) website. PEP’s protection strategy here is simple: Watch for and prevent applications from overwriting Windows’ Structured Exception Handlers. In this way, PEP can protect against a large range of zero-day attacks that utilize this approach.
The promise that Proactive Exploit Protection holds
PEP is an exciting new framework that provides key advantages for Norton customers, enabling them to move from what could previously be deemed fast time-to-protection, to instant proactive protection that hardens a system, virtually patching underlying vulnerabilities even before they’ve been discovered. What’s more is that because of the nature of this behavior-based system, it does not rely on signature updates to remain effective. In a world where vulnerabilities sit unpatched and undiscovered for months or years and zero-day attacks are increasingly common, PEP is an important layer of protection that we believe will have a significant positive impact on our customers’ digital lives.
I really did find PEP-related code in Norton's drivers, so it seems Symantec has had PEP built into Norton for some time already.
The related strings:
Dll Injection Crash Threshold
Dll Injection Crash Monitor Enabled
Https Browser Hooks Enabled
PEP Global Techniques App-Opt
PEP Global Techniques State
PEP Default Application Rules Enabled
Proactive Exploit Protection Enabled
Java Process Protection Enabled
A reminder to everyone: don't test PEP after turning off IPS, because PEP is a feature that sits under the Intrusion Prevention System; with IPS disabled there is no PEP.
PS: After installing Norton I had planned to install an exploit prevention product, but now that seems unnecessary. I'll just run Norton on its own; after all, Norton now has the new PEP technology, and although I don't know how effective it really is, I personally am no longer worried about Norton's anti-exploit capability.
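To make the Structured Exception Handler check described in the quoted post concrete, here is an added C example (not Norton's or Symantec's code) that walks a simulated x86 SEH chain the way a protection module might and flags a record whose handler no longer points into any loaded module's code. The module ranges, handler addresses and the END_OF_CHAIN sentinel are constructed sample values, and handlers are plain integers so the model runs on any platform.

```c
#include <stddef.h>
#include <stdint.h>

/* Model of the x86 EXCEPTION_REGISTRATION_RECORD list that fs:[0] points at.
 * Handlers are plain addresses here so the sample runs on any platform. */
typedef struct seh_record {
    struct seh_record *next;   /* next record on the stack, or END_OF_CHAIN */
    uintptr_t handler;         /* address of the exception handler routine */
} seh_record;
#define END_OF_CHAIN ((seh_record *)-1)

/* Code range of a loaded module (constructed sample values, not real ones). */
typedef struct { const char *name; uintptr_t lo, hi; } code_range;
static const code_range sample_mods[] = {
    { "ntdll.dll", 0x77000000u, 0x77150000u },
    { "app.exe",   0x00400000u, 0x00450000u },
};
#define NMODS (sizeof sample_mods / sizeof sample_mods[0])

enum { SEH_OK, SEH_HANDLER_OUTSIDE_CODE, SEH_RECORD_OFF_STACK, SEH_CHAIN_TOO_LONG };
int last_bad_index = -1;   /* index of the offending record after a demo run */

/* Every record must lie inside the thread's stack and every handler inside a
 * module's code section; a handler on the heap or stack means it was overwritten. */
int validate_seh_chain(const seh_record *head, uintptr_t stack_lo, uintptr_t stack_hi,
                       const code_range *mods, size_t nmods, int *bad_index)
{
    int i = 0;
    for (const seh_record *r = head; r != END_OF_CHAIN; r = r->next, i++) {
        uintptr_t ra = (uintptr_t)r;
        *bad_index = i;
        if (i >= 64) return SEH_CHAIN_TOO_LONG;                 /* loop or corruption */
        if (ra < stack_lo || ra + sizeof *r > stack_hi) return SEH_RECORD_OFF_STACK;
        int in_code = 0;
        for (size_t m = 0; m < nmods; m++)
            if (r->handler >= mods[m].lo && r->handler < mods[m].hi) in_code = 1;
        if (!in_code) return SEH_HANDLER_OUTSIDE_CODE;
    }
    *bad_index = -1;
    return SEH_OK;
}

/* Intact chain: all records on the stack, handlers inside app.exe and ntdll.dll. */
int demo_clean_chain(void) {
    seh_record c[3] = { { &c[1], 0x00410000u }, { &c[2], 0x77012340u }, { END_OF_CHAIN, 0x77030000u } };
    return validate_seh_chain(c, (uintptr_t)c, (uintptr_t)(c + 3), sample_mods, NMODS, &last_bad_index);
}

/* Same chain, but record 1's handler now points at a heap address outside every module. */
int demo_overwritten_handler(void) {
    seh_record c[3] = { { &c[1], 0x00410000u }, { &c[2], 0x0a300000u }, { END_OF_CHAIN, 0x77030000u } };
    return validate_seh_chain(c, (uintptr_t)c, (uintptr_t)(c + 3), sample_mods, NMODS, &last_bad_index);
}
```

A real module would take the stack bounds from the thread's TEB and the code ranges from the loaded-module list at the moment an exception is dispatched, rather than from constants.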