The drive-by download - or Remote Code Execution attack - evokes fear in many people. The theory is that a web page or an application can contain code to download a trojan executable just by visiting the web page, or by running a specially crafted file in the vulnerable application. Some recent attacks use applications such as Flash, mp3 players, Quicktime, pdf readers and MSWord. Web page attacks use iframes and scripting to trigger the attack. Other attacks have come via USB devices - the U3 type of smartdrive or pendrive, and the digital picture frame, which is just a U3 USB device with photo software installed. These use the autorun.inf file as the triggering mechanism.

Of course, we hope that our browser is tweaked, our autorun disabled and our applications patched before attacks surface in the wild. But today's technology provides a stopgap for anything that slips by that part of the defense. There are many solutions for preventing unauthorized executables from installing or running, and I decided to create a list. The idea came from another thread where a trojan exploit was tested on a number of products - aigle testing 6 or 7 himself. Since then, I've contacted a few others and have posted all the results on my web site. I would like to add more, so those with products other than the ones on the list can try their own remote code execution test. To be included, you must post a screen shot of the alert message that pops up when you run the test.

Note that I have not used the term "malware" - rather, "unauthorized executable", which I define as any executable not already installed on your computer. This takes care of unauthorized installation of software by other users on a single computer, where parents or an administrator control what gets installed.

There are two tests. The first is a remote code execution exploit embedded in a web page. It attempts to download an executable file, copies the file to %temp% as svchost.exe and then executes it. It's a common technique for installing trojans. Unlike the test in the other thread, I have used a clean file - win32pad.exe - a freeware notepad replacement. This is so that those who are not set up to test malware can test their product. The download is from the author's site: http://www.gena01.com/

If you download from the site, you will get the normal Download Prompt. But if you go to the web page on my server, the download will bypass the Prompt Box: hxxp://www.urs2.net/rsj/computing/tests/8js/happy1.html

This exploit requires IE6. For those for whom this won't work, you can do another remote code execution test which utilizes the AutoRun.inf file as the trigger. You will have to enable autorun for this in order to test the execution prevention feature of your product. This will simulate any type of remote code execution attack.

1) Create an autorun.inf file on a USB device to install an executable not already on your computer
-or-
2) Use an installation CD.

In both cases, the attempt to install should be blocked. (See the UAC example.)

Some of the solutions tested are stand-alone products. Some have other features, such as a firewall or HIPS actions. For this, I am interested only in the prevention-of-installation feature. Note that I use the word "solution" rather than "product" because two solutions are incorporated into the Operating System: Software Restriction Policies (SRP) for WinXP-Pro, and User Account Control (UAC) for Windows Vista.

I wanted to include Limited User Account (LUA), but after testing I find ways to download/run programs without any alert. With respect to malware, there are other issues covered in the other LUA threads. So, I cannot recommend LUA alone as being reliable against the downloading/running of unauthorized software. I have not included Sandbox types of applications because they contain the exploit if it should run. I'm interested in preventing the exploit from being allowed to start.

Here are the screen shots of the solutions tested so far: http://www.urs2.net/rsj/computing/tests/srp1

The next post will contain a ready reference list of the solutions tested so far. I will add to it as others come in. Happy testing!
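As an added example for the autorun.inf test above (my own audit helper, not code from the original post or from any product tested there): it parses an autorun.inf and lists the commands AutoRun would launch, and decodes the NoDriveTypeAutoRun policy bitmask to tell whether AutoRun is still enabled for a given drive type, which is what the second test requires. The sample autorun.inf, its launcher.exe name and the policy values 0x91/0x95 are constructed for illustration.

```python
"""Audit helper: does an autorun.inf try to launch a program, and would the
NoDriveTypeAutoRun policy let AutoRun honour it on this kind of drive?"""
import configparser

# Drive types as numbered by the Win32 GetDriveType() API; each one is a bit
# in the NoDriveTypeAutoRun bitmask (a set bit disables AutoRun for that type).
DRIVE_TYPES = {
    "unknown": 0, "no_root_dir": 1, "removable": 2, "fixed": 3,
    "remote": 4, "cdrom": 5, "ramdisk": 6,
}
DISABLE_ALL = 0xFF  # documented value that disables AutoRun for every type

LAUNCH_KEYS = ("open", "shellexecute")


def launch_commands(autorun_text):
    """Return every command the [autorun] section would run: open= and
    shellexecute= lines plus any shell\\<verb>\\command= entries."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(autorun_text)
    except configparser.Error:      # no [section] header, malformed lines
        return []
    # Section names are case-insensitive on Windows ([autorun] == [AutoRun]).
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return []
    commands = []
    for key, value in cp.items(section):   # keys are already lower-cased
        if key in LAUNCH_KEYS or (key.startswith("shell\\")
                                  and key.endswith("\\command")):
            commands.append(value.strip())
    return commands


def autorun_allowed(policy_value, drive_type):
    """True if the NoDriveTypeAutoRun bitmask leaves AutoRun enabled for the
    given drive type (bit clear == enabled, so the test above would fire)."""
    return ((policy_value >> DRIVE_TYPES[drive_type]) & 1) == 0


# Constructed sample resembling a pen-drive trigger; launcher.exe is a
# placeholder name, not a real file.
SAMPLE_AUTORUN = """[autorun]
open=setup\\launcher.exe
icon=setup\\launcher.exe,0
shell\\install\\command=setup\\launcher.exe /quiet
label=Photos
"""

if __name__ == "__main__":
    print("launch directives:", launch_commands(SAMPLE_AUTORUN))
    for policy in (0x91, 0x95, DISABLE_ALL):
        for dtype in ("removable", "cdrom"):
            state = "enabled" if autorun_allowed(policy, dtype) else "blocked"
            print(f"policy {policy:#04x} on {dtype:>9}: AutoRun {state}")
```

Run it against the autorun.inf found on a device and the current HKLM/HKCU NoDriveTypeAutoRun value to confirm the device would actually trigger AutoRun before drawing conclusions about a product's block.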