Jeff said:
Malwarebytes has got a thing called Anti-Exploit. What does it do and should
I buy it?
There is a free version.
The vendor website has a poor explanation of what it does.
Bleepingcomputer offers these tidbits.
http://www.bleepingcomputer.com/download/malwarebytes-anti-exploit/
"Blocks unknown and common exploit kits, including Blackhole, Sakura,
Phoenix, and Incognito. Doesn’t use a signature database—no need for
constant updating."
Sakura apparently attempts a JavaScript-in-PDF attack, or an attack
on libTIFF if it is not patched. Windows has had a couple of image decoder
attacks around for a while. You could patch out the image ones by
using Windows Update. The JavaScript one is similarly easy to
deal with. The two steps I use for that are: first, change all Acrobat
settings to "Save As", with no opening of PDFs from within a browser;
and secondly, go into Acrobat Reader preferences and disable
JavaScript via the tick box. That should really be the shipping
default for Acrobat Reader; it shouldn't have been turned on in
the first place.
Some of the others have Wikipedia articles.
http://en.wikipedia.org/wiki/Blackhole_exploit_kit
"A potential victim loads a compromised web page or
opens a malicious link in a spammed email.
The compromised web page or malicious link in the spammed
email sends the user to a Blackhole exploit kit server's landing page.
This landing page contains obfuscated JavaScript that
determines what is on the victim's computers and loads
all exploits to which this computer is vulnerable and
sometimes a Java applet tag that loads a Java Trojan horse.
If there is an exploit that is usable, the exploit loads
and executes a payload on the victim's computer and informs
the Blackhole exploit kit server which exploit was used to load the payload."
A combination of NoScript and uninstalling Java would deal with some
aspects of that. Of course, legit pages won't load properly
if you stop their JavaScript, so this solution is not without
side effects.
So I would say "it's doing something". The comments about
the initial beta release of the software weren't very good,
but I'm sure it's better by now.
If you're the kind of person who wildly clicks on everything
while surfing the web, then I guess this is the software for
you. It doesn't cover a lot of things, but then again,
it isn't an AV and doesn't conflict with them. If an exploit
does get through, the next step is downloading malware, and then
it's up to the heuristic detection of your AV as to whether
a further infection occurs. Heuristic, because my assumption
is that an exploit kit connecting to a live web site also gets
"fresh-daily" malware for downloading, not stale stuff from
two years ago that can be detected by signature.
Paul
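As an added illustration of the "JavaScript in PDF" vector that Paul's Acrobat settings are meant to shut off (this is not code from the thread), the Python script below does the kind of static triage a defender would run on an attachment: it counts the PDF name objects that carry script or auto-trigger an action, after undoing the `#XX` name escaping that hides those keywords from a plain grep. Both sample PDFs are constructed inline.

```python
import re

# Name objects that PDF triage tools flag: /JS and /JavaScript carry script,
# /OpenAction and /AA run an action automatically, /Launch can start a program.
RISKY_NAMES = ("JavaScript", "JS", "OpenAction", "AA", "Launch")

def normalize_names(data: bytes) -> bytes:
    """Undo PDF name escaping: '/J#61vaScript' -> '/JavaScript'.
    Any byte in a name may be written as #XX, which hides keywords
    from a naive grep-style scan."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def scan_pdf(data: bytes) -> dict:
    """Count risky names in raw PDF bytes. Object streams are not
    decompressed here, so a clean result is not proof of a clean file."""
    text = normalize_names(data)
    counts = {}
    for name in RISKY_NAMES:
        # The lookahead stops /JS from matching a longer name such as /JSX.
        pattern = rb"/" + name.encode() + rb"(?![0-9A-Za-z_])"
        counts[name] = len(re.findall(pattern, text))
    return counts

def is_suspicious(counts: dict) -> bool:
    """Script plus an automatic trigger is the classic open-and-run shape."""
    has_script = counts["JavaScript"] > 0 or counts["JS"] > 0
    auto_trigger = counts["OpenAction"] > 0 or counts["AA"] > 0
    return (has_script and auto_trigger) or counts["Launch"] > 0

# Constructed sample: a minimal PDF whose catalog runs a JavaScript action
# on open, with the keyword hex-escaped so a plain grep for it would miss it.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /J#61vaScript /JS (constructed placeholder script) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
# Constructed sample: the same skeleton with no actions at all.
CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
```

Run `scan_pdf` on a file's bytes and feed the counts to `is_suspicious`; a hit is a reason to open the file with JavaScript disabled, or not at all, rather than a verdict on its own.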