Automatic Exploit Prevention against targeted attacks

January 14, 2014

The Problem

One of the most effective and dangerous ways to run malicious software on a victim's computer is to exploit vulnerabilities in popular applications or in the operating system itself. The greatest threats are the so-called zero-day vulnerabilities: flaws in software for which the vendor has not yet released an update that fixes the problem.

To infect a system through a vulnerability, criminals often resort to mass mailings via email and social networks. Such a message usually contains a link to an infected web page or a specially crafted document, and opening it launches the malicious code. In most cases the attackers use popular software running on MS Windows as their entry point, because it gives them the greatest number of potential victims. Countering this threat requires sophisticated, multi-layered security measures. That is why Kaspersky Lab has developed a new technology called Automatic Exploit Prevention, designed to combat the most challenging type of threat: the exploitation of vulnerabilities.

[Diagram: Evolution of malware distribution methods]

The Solution

The Automatic Exploit Prevention technology (AEP) included in Kaspersky Small Office Security is designed to protect against malicious software that exploits vulnerabilities in applications and the operating system. It protects your workstation from malware that attackers place on popular web resources.

Analysis of the behavior of existing exploits, together with information about the applications most exposed to malicious attacks, gives KSOS special control over those applications. As soon as one of the at-risk programs attempts to run suspicious code, the launch is suspended and a check begins. Running executable code may be entirely legitimate; for example, a program can request updates from its developer. To distinguish normal activity from infection attempts, the new Kaspersky Lab technology uses information about the most typical behavior of known exploits. This characteristic behavior of malicious programs helps to prevent infection even when a previously unknown zero-day vulnerability is exploited. Exploits quite often preload files before directly compromising the system, so Automatic Exploit Prevention monitors programs that access the network and analyzes the origin of the files they fetch.

In addition to AEP technology for combating threats from infected web resources, KSOS has tools for dealing with workstations infected via the web. One of these is a regularly updated database of trusted domains: web resources on which, during long-term observation by Kaspersky Lab, no cases of infection or malware distribution have been encountered. This list includes not only the sites of legitimate software vendors but also the sites of distributors, that is, file-hosting collections on which no cases of malicious software have been recorded. If one of these sites is reported to be spreading malicious code, it is immediately removed from the database of trusted domains, which significantly reduces the probability of malware infecting users' computers.
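The decision flow described in the two paragraphs above (suspend a launch by an at-risk application, allow known update behavior, check the network origin of preloaded files against the trusted-domain list, and revoke a domain once abuse is reported) can be modelled as a small policy engine. The following is an added illustrative example, not Kaspersky's code; the application names, domains and updater pairs are constructed placeholders.

```python
"""Illustrative model of AEP-style launch checks (constructed example, not Kaspersky's code)."""
from dataclasses import dataclass, field

# Constructed set of applications that exploits most often target (assumption).
AT_RISK_APPS = {"acrord32.exe", "winword.exe", "iexplore.exe", "javaw.exe"}

# Constructed trusted-domain database; a domain is dropped once abuse is reported.
TRUSTED_DOMAINS = {"download.example-vendor.com", "mirror.example-distributor.net"}

# Constructed (parent, child) pairs that represent normal vendor update behavior.
KNOWN_UPDATERS = {("acrord32.exe", "armsvc.exe"), ("winword.exe", "officeclicktorun.exe")}


@dataclass
class LaunchEvent:
    parent: str                 # monitored application attempting to run code
    child: str                  # executable it tries to launch
    child_origin: str = ""      # domain the child file was downloaded from, "" if local
    recent_downloads: list = field(default_factory=list)  # files parent fetched recently


def assess_launch(ev: LaunchEvent, trusted: set) -> str:
    """Return 'allow' or 'block' for a code launch, mirroring the AEP flow above."""
    parent, child = ev.parent.lower(), ev.child.lower()
    if parent not in AT_RISK_APPS:
        return "allow"                          # not a monitored application
    if (parent, child) in KNOWN_UPDATERS:
        return "allow"                          # typical, legitimate update behavior
    # The launch is suspended at this point; examine where the code came from.
    if ev.child_origin:
        return "allow" if ev.child_origin in trusted else "block"
    if child in (f.lower() for f in ev.recent_downloads):
        return "block"                          # preloaded over the network, origin unknown
    return "allow"                              # local code with no suspicious preload


def revoke_trust(trusted: set, domain: str) -> set:
    """Return a new trusted set without a domain reported to spread malicious code."""
    return trusted - {domain}


if __name__ == "__main__":
    # Constructed sample events: a vendor updater, a payload from an unknown host,
    # and a download that loses trust once its domain is revoked.
    events = [
        LaunchEvent("winword.exe", "OfficeClickToRun.exe"),
        LaunchEvent("acrord32.exe", "svch0st.exe", "evil-host.example", ["svch0st.exe"]),
        LaunchEvent("acrord32.exe", "update.exe", "download.example-vendor.com", ["update.exe"]),
    ]
    for ev in events:
        print(ev.parent, "->", ev.child, assess_launch(ev, TRUSTED_DOMAINS))
    reduced = revoke_trust(TRUSTED_DOMAINS, "download.example-vendor.com")
    print("after revocation:", assess_launch(events[2], reduced))
```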

When combined with traditional protection methods, such as AEP's filtering against our database of trusted domains, the KSN cloud offers even greater potential to repel attacks.