X

Malwarebytes: With Anti-Exploit, we'll stop the worst attacks on PCs

Launching its new Anti-Exploit software, Malwarebytes sets out to seal up the most-feared security gaps in browsers, PDF readers, Java, and Microsoft Office.

Seth Rosenblatt Former Senior Writer / News
Senior writer Seth Rosenblatt covered Google and security for CNET News, with occasional forays into tech and pop culture. Formerly a CNET Reviews senior editor for software, he has written about nearly every category of software and app available.
See full bio
Seth Rosenblatt
3 min read

20140610-malwarebytes-marcin-pedro.jpg
Malwarebytes's director of special projects, Pedro Bustamante (left), and CEO Marcin Kleczynski think they've got a way to stop exploits on Windows. Seth Rosenblatt/CNET

Imagine a world where attackers seeking to gain access to your computer are stopped before they can use your technology against you.

That world doesn't exist yet, but it took a giant step closer to reality with Malwarebytes Anti-Exploit, a new security program for Microsoft Windows released Thursday. The software, which aims to protect users of the world's most popular operating system software, is powered by exploit-blocking technology that Malwarebytes acquired last year when it bought ZeroVulnerabilityLabs.

By Microsoft's tally, 1.3 billion people use some version of Windows every day.

The free version of Anti-Exploit will protect against exploits in browsers, their add-ons, and Java, while the $24.95 premium version will also work in Microsoft Office, PDF readers, media players, and software selected by the owner. Anti-Exploit for Business works in conjunction with the Malwarebytes Management Console for enterprise deployment.

Malwarebytes CEO and founder Marcin Kleczynski said that businesses will want to invest in Anti-Exploit as an extra layer of protection against the kinds of attack methods central to the major hacks of late.

Anti-Exploit is "not about the product. It's about the problem," Kleczynski said during an interview at Malwarebyte's office in San Jose, Calif. "Sometimes it catches the exploit so early we can't show the alert" that it has stopped an attack.

If it works as advertised, Malwarebytes Anti-Exploit would be remarkable for preventing zero-day vulnerabilities -- previously unknown, unpatched software flaws -- from being exploited to steal data or gain control of your computer. Exploits that launch malicious code on your computer, known as remote code execution, combined with zero-day flaws have been successful in targeting massive multinational corporations, financial institutions, and critical infrastructure, as well as private individuals.

Remember the Windows XP bug earlier this year that was so dire the US and UK governments warned people to stop using Internet Explorer? That involved a zero-day vulnerability.

Pedro Bustamante, director of special projects at Malwarebytes, said that even the beta version of Anti-Exploit that's been available for the past year has had a nearly flawless record.

"Not a single zero-day has gotten through since the first beta, which let three vulnerabilities through. Even year-old versions" have protected against exploits attempting to use new zero-days, he said.

The beta has been running with "tens of thousands" of users, Kleczynski said.

He explained the difference between Anti-Exploit and his company's flagship product, Malwarebytes Anti-Malware: where Anti-Malware stops the final payload at the end of the attack, Anti-Exploit plugs up the way that payload gets delivered.

malwarebytes-anti-exploit-test.png
A screenshot from exploit expert Kafeine's report on his tests of Malwarebytes Anti-Exploit. Kafeine/malware.dontneedcoffee.com

"It detects exploits because it looks at exploit-like behavior," Bustamante said. It blocks attempts to bypass the operating-system level security, protects against exploits executing from the computer's memory, and halts payloads that can install malware. Worried about giving away the keys to kingdom, Bustamante wouldn't go into further detail on how Anti-Exploit works.

ZeroVulnerabilityLabs introduced the technology in Anti-Exploit as ExploitShield two years ago. At the time, Bustamante -- who co-founded ZeroVulnerabilityLabs -- said, "It is not blacklisting, not whitelisting, and not sandboxing. We call it 'application shielding.'"

This sounds similar to Microsoft's exploit-blocking Enhanced Mitigation Experience Toolkit, or EMET.

"EMET is still in technical preview, and it's complicated as hell" to run, said Kleczynski said. As anyone running Windows with a third-party security suite knows, it wouldn't be the first time that Windows security was better handled by outside sources. Kleczynski asserted that EMET is "allowing through a lot of junk."

To support claims about his own product, Kleczynski hired the independent exploit analysis expert known as Kafeine to try to break the software. Anti-Exploit was able to stop Kafeine in every test he ran, more than 30 times over two months.

"Malwarebytes Anti-Exploit is working as expected against all widely used exploit kits. It works on Java exploit where EMET wouldn't," Kafeine concluded in his report. He added that Anti-Exploit defeated all 11 of the most commonly-used exploit kits, which are complete software packages to exploit a computer, and all 14 of the most commonly seen exploits. It also protected five of the commonly attacked software programs.

In 2012, Bustamante predicted to CNET that the technology behind Anti-Exploit would be at the vanguard of a new breed of security software. That claim has yet to bear fruit. But as remote code exploits continue to allow successful attacks and as Microsoft attempts to walk away from the notoriously hole-riddled Windows XP, businesses and individuals could end up turning to Anti-Exploit to reinforce their armor.