Do I need ThreatFire? That’s a fairly common question on security forums. Yes: systems need a protective behavioral layer like ThreatFire alongside an AV scanner, the current built-in OS security functionality, and a firewall.
Not only do AV scanners have a difficult time keeping up with the volume of malware coming out of the underground “undetectables” marketplace, but client-side exploit activity, especially attacks on the most popular web browsers and third-party plugins, is at an extremely high volume. The obfuscation and variety in web-based exploits often lead to an even lower detection rate here.
One of our first posts, “How do Storm, NotFound and other threats infiltrate so many PC’s?” from August 2007, detailed a Windows structured exception handler (SEH) overwrite technique that has been commonly abused over the past few years. It is something commonly seen in the attacks prevented by ThreatFire.
Matt Miller, who used to go by “skape” and rode alongside H.D. Moore of Metasploit fame, recently posted about new functionality designed to combat this reliable attack technique in the future. A new “Structured Exception Handler Overwrite Protection”, or SEHOP, will replace previous attempts (SafeSEH) at combating the technique. In other words, SEH continues to be bashed in the wild, even with the availability of, and the effort behind, SafeSEH.
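To make concrete what a chain-validation check of this kind does, here is an added C simulation. It is not code from the original post, from ThreatFire, or from Microsoft’s SEHOP implementation: the record layout, the constructed “stack” region, the trusted final-handler sentinel, and the corrupted sample chain are all assumptions made for this demo. The validator walks the registration chain from head to terminator and refuses to dispatch if any record lies outside the stack, is misaligned, loops, or if the chain does not end at the expected final handler, which is exactly the invariant an overwritten record breaks.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated 32-bit style SEH registration record: a Next pointer followed by the
   handler address. Hypothetical layout for this demo, mirroring the shape of the
   Windows _EXCEPTION_REGISTRATION_RECORD. */
typedef struct seh_record {
    struct seh_record *next;
    void (*handler)(void);
} seh_record;

/* Chain terminator value (the real chain ends with an all-ones Next pointer). */
#define SEH_CHAIN_END ((seh_record *)(uintptr_t)-1)

/* Stands in for the trusted final handler that the validator expects at the end. */
static void final_exception_handler(void) {}

/* Constructed "stack" region holding the records (pointer-aligned storage). */
#define STACK_SIZE 4096
static uintptr_t fake_stack[STACK_SIZE / sizeof(uintptr_t)];

static bool record_within_stack(const seh_record *r) {
    uintptr_t lo = (uintptr_t)fake_stack;
    uintptr_t hi = lo + STACK_SIZE;
    uintptr_t p = (uintptr_t)r;
    return p >= lo && p + sizeof(seh_record) <= hi;
}

/* SEHOP-style validation: every record must sit inside the stack and be
   pointer-aligned, the walk must terminate within max_depth records (no cycles),
   and the last record must install the trusted final handler. Returns true only
   when the whole chain is intact. */
bool sehop_validate(const seh_record *head, size_t max_depth) {
    const seh_record *cur = head, *last = NULL;
    size_t depth = 0;
    while (cur != SEH_CHAIN_END) {
        if (!record_within_stack(cur)) return false;               /* points off the stack */
        if (((uintptr_t)cur & (sizeof(void *) - 1)) != 0) return false; /* misaligned */
        if (depth++ >= max_depth) return false;                    /* loop or absurd depth */
        last = cur;
        cur = cur->next;
    }
    return last != NULL && last->handler == final_exception_handler;
}

static void user_handler(void) {}

/* Build a two-frame chain in the fake stack: user handler -> final handler -> end. */
seh_record *build_chain(void) {
    memset(fake_stack, 0, sizeof fake_stack);
    seh_record *final_rec = (seh_record *)((unsigned char *)fake_stack + STACK_SIZE - 64);
    seh_record *frame = (seh_record *)((unsigned char *)fake_stack + 256);
    final_rec->next = SEH_CHAIN_END;
    final_rec->handler = final_exception_handler;
    frame->next = final_rec;
    frame->handler = user_handler;
    return frame;
}

/* Constructed sample of the damage an overflow leaves behind: the frame's Next
   pointer has been replaced by filler bytes that do not point into the stack. */
seh_record *build_corrupted_chain(void) {
    seh_record *frame = build_chain();
    frame->next = (seh_record *)(uintptr_t)0x41414141u;
    return frame;
}

int main(void) {
    printf("intact chain passes validation: %d\n", sehop_validate(build_chain(), 64));
    printf("corrupted chain passes validation: %d\n", sehop_validate(build_corrupted_chain(), 64));
    return 0;
}
```

The intact chain passes and the corrupted one is rejected before any handler is called; that is the point of the mitigation, and also why a behavioral layer still matters: the check only fires when an exception is actually dispatched through a damaged chain, so it says nothing about what the payload does once an exploit finds another route.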
Interestingly, data supporting the need for SEHOP was based on the percentage of exploits in the Metasploit project that abuse SEH (that number is approximately 20%) and not on exploits observed in the wild.
So, will SEHOP have an impact on the future of client-side exploits? Possibly, and more likely it will have an impact on exploit and shellcode development. We have seen excellent security measures like the much-needed address space layout randomization (ASLR) implemented, but even that effort was quickly smashed by the likes of talented researchers Mark Dowd and Alexander Sotirov. Granted, tricks were used to abuse various components shipped and enabled by default in the browser and OS. But that’s how the exploit market (black, grey, and white hat) works. Underlying complexity in massive software projects facing deadlines to market, competitive pressure, and the need for powerful, flexible computing functionality often push software out the door with uncertain results. Creative new talent will continue to take advantage of the uncertainties inherent in this environment, even as creative talent implements new protective features.
Yes, you need a behavioral layer like ThreatFire, now and for the foreseeable future.