Blocking Drive-by Downloads

Discussion in 'other anti-malware software' started by Rmus, Jul 8, 2008.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    The drive-by download - or Remote Code Execution attack - evokes fear in many people.

    The theory is that a web page or an application can contain code to download a trojan executable by just visiting the web page, or by running a specially crafted file in the vulnerable application.

    Some recent attacks use applications such as Flash, mp3 players, Quicktime, pdf readers, MSWord.

    Web page attacks use i-frame and scripting to trigger the attack.

    Other attacks have come via USB devices - the U3 type of smartdrive or pendrive, and the digital picture frame, which is just a U3 USB device with photo software installed. These use the autorun.inf file as the triggering mechanism.

    Of course, we hope that our browser is tweaked, our autorun disabled, our applications patched before attacks surface in the wild.

    But today's technology provides a stopgap to anything that slips by that part of the defense.

    There are many solutions to preventing unauthorized executables from installing or running, and I decided to create a list. The idea came from another thread where a trojan exploit was tested on a number of products - aigle testing 6 or 7 himself.

    Since then, I've contacted a few others and have posted all the results on my web site. I would like to add more, so, those with products other than the ones on the list can try their own remote code execution test.

    To be included, you must post a screen shot of the alert message that pops up when you run the test.

    Note that I have not used the term "malware" - rather, "unauthorized executable" which I define as

    Any executable not already installed on your computer.

    This takes care of unauthorized installation of software by other users on a single computer, where parents or an administrator control what gets installed.

    There are two tests.

    The first is a remote code execution exploit embedded in a web page. It attempts to download an executable file, copies the file to %temp% as svchost.exe, and then executes it. It's a common technique for installing trojans.

    Unlike the test in the other thread, I have used a clean file - win32pad.exe - a freeware notepad replacement. This is so that those who are not set up to test malware can test their product.

    The download is from the author's site:

    http://www.gena01.com/

    If you download from the site, you will get the normal Download Prompt:

    [Screenshot: winpad-dl.gif]

    But if you go to the web page on my server, the download will bypass the Prompt Box:

    hxxp://www.urs2.net/rsj/computing/tests/8js/happy1.html

    This exploit requires IE6. For those for whom this won't work, you can do another remote code execution test which utilizes the AutoRun.inf file as the trigger. You will have to enable autorun for this in order to test the execution prevention feature of your product. This will simulate any type of remote code execution attack.

    1) Create an autorun.inf file on a USB device to install an executable not already on your computer

    -or-

    2) Use an installation CD.

    In both cases, the attempt to install should be blocked. (See the UAC example)

    Some of the solutions tested are stand-alone products. Some have other features, such as a firewall, HIPS actions. For this, I am interested only in the prevention-of-installation feature.

    Note that I use the word "solution" rather than "product" because two solutions are incorporated into the Operating System: Software Restriction Policies (SRP) for WinXP-Pro, and User Account Control (UAC) for Windows-Vista.

    I wanted to include Limited User Account (LUA) but after testing, I find ways to download/run programs without any alert. With respect to malware, there are other issues covered in the other LUA threads. So, I cannot recommend LUA alone as being reliable against the downloading/running of unauthorized software.

    I have not included Sandbox types of applications because they contain the exploit if it should run. I'm interested in preventing the exploit from being allowed to start.

    Here are the screen shots of the solutions tested so far:

    http://www.urs2.net/rsj/computing/tests/srp1

    The next post will contain a ready reference list of the solutions tested so far. I will add to it as others come in.

    Happy testing!
     
    Last edited: Jul 8, 2008
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    The following solutions have been tested:

    Software Restriction Policies (Win-XP)
    User Account Control (Vista)
    Process Guard
    Anti-Executable
    Comodo with Defence+
    Online Armor
    Geswall
    EQSecure
    Neoavaguard
    HauteSecure
    SafeSpace
    Threatfire

    And here are screen shots of the results:

    http://www.urs2.net/rsj/computing/tests/srp1

    --
     
    Last edited: Jul 10, 2008
  3. nomarjr3

    nomarjr3 Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    502
    Use Firefox and install the addons NoScript and Adblock Plus
     
  4. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    He is not asking for suggestions, he is detailing a test procedure for anyone interested.

    BTW, as stated by Rmus, the test doesn't work with Firefox (just tried).
    I also tried with IE6 and nothing happened. Just a blank page, no download.
    I have no extra security in IE6, other than SBIE.
    Changed security settings to "low" on IE and disabled all protection on SpywareBlaster. Still no download.
     
  5. bman412

    bman412 Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    261
    RAV's IE script blocking module
     

  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Try either a USB or CD test to see if there is an alert.
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Interesting alert!

    What is RAV?

    Also, can you send me a copy of that .tmp file?

    thanks.
     
  8. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Haven't a USB with me ATM, but I have seen before what happens (IF autoplay is enabled).

    SBIE lets the executable run, no alert, but contains it.

    Maybe I'll do some tests later and post some screenshots.
     
  9. bman412

    bman412 Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    261
    Rising AntiVirus which I have installed with just the Active Defense (HIPS) modules and the IE script blocking module, not the other file monitor modules. Had Returnil active and rebooted already but I have redone the test and script blocker performs as earlier and auto-quarantines the temp file. Will try to send you the quarantined file in a bit. Yahoo blocking my file attachment pffftt!
     

    Attached Files:

  10. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    And did these solutions pass the test?
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    It took a while to sort this out. Running without the IE script blocking module, the exploit still did not run, and we determined it was because his IE is updated which includes patching for the MS06-014 exploit which I used.
    ___________________________________________________________

    My reasons for this test are two:

    First, to determine which solutions are true Default-Deny, meaning that the user cannot proceed with the installation without contacting the administrator. According to the screenshots, only Software Restriction Policies and Anti-Executable fall into this category. All others let the user make a decision to continue or not.

    Second, to determine which have Copy Protection. I used the MS06-014 exploit which downloads an executable, copies it to the temp folder as svchost.exe, and then executes it. By looking at the screenshots of the alerts of the various products, I can see which if any provide true Copy Protection, where the executable does not download to the computer. Only Anti-Executable provides this. The others blocked the exploit at the point at which svchost.exe attempts to run.

    --
     
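The copy-to-%temp%-as-svchost.exe step Rmus describes in the first post and in the Copy Protection point above is also something a host monitor can detect, for those whose solution only alerts at execution time. The following is an added example, not code from the thread or from any product named in it; the event layout and sample lines are constructed, and the masquerade-name and browser lists are assumptions.

```python
import ntpath
import re

# Constructed sample event lines (not from the thread): one file-create and two
# process-create records in a simple "Kind key=value ..." layout.
SAMPLE_EVENTS = [
    "FileCreate image=C:\\Program Files\\Internet Explorer\\iexplore.exe "
    "target=C:\\Documents and Settings\\user\\Local Settings\\Temp\\svchost.exe",
    "ProcessCreate parent=C:\\Program Files\\Internet Explorer\\iexplore.exe "
    "image=C:\\Documents and Settings\\user\\Local Settings\\Temp\\svchost.exe",
    "ProcessCreate parent=C:\\WINDOWS\\system32\\services.exe "
    "image=C:\\WINDOWS\\system32\\svchost.exe",
]

# Directories where the genuine svchost.exe lives; anything else is suspect.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
# Names a payload borrows to look like a Windows component (assumed list).
MASQUERADE_NAMES = {"svchost.exe"}
# Parents that should never be the one starting a "system" binary (assumed list).
BROWSERS = {"iexplore.exe", "firefox.exe"}

# key=value pairs; values may contain spaces, so stop before the next " key=".
KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_event(line):
    """Split 'Kind key=value key=value' into (kind, {key: value})."""
    kind, _, rest = line.partition(" ")
    return kind, dict(KV.findall(rest))

def is_system_path(path):
    d = ntpath.dirname(path).lower()
    return any(d == s or d.startswith(s + "\\") for s in SYSTEM_DIRS)

def scan(lines):
    """Flag masquerading binaries dropped into, or started from, a non-system dir."""
    findings = []
    for line in lines:
        kind, f = parse_event(line)
        path = f.get("target" if kind == "FileCreate" else "image", "")
        if ntpath.basename(path).lower() not in MASQUERADE_NAMES or is_system_path(path):
            continue  # not a lookalike name, or the real binary in System32
        parent = ntpath.basename(f.get("parent", "")).lower()
        findings.append({
            "stage": "drop" if kind == "FileCreate" else "exec",
            "path": path,
            # execution with a browser as parent is the drive-by pattern itself
            "high": kind == "ProcessCreate" and parent in BROWSERS,
        })
    return findings
```

The real svchost.exe is started by services.exe from System32, so the third sample line is deliberately left unflagged; the first two reproduce the drop-then-execute sequence of the test.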
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi Rmus, I really enjoyed the previous drive-by download. I would love to have some more live exploits if there are any.

    Thanks
     
  13. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Re https://www.wilderssecurity.com/showthread.php?t=214600 : that thread was locked by Bubba, who suggested that the enquiry/reply be posted in this topic, with Rmus's consent :cool:

    In short it is a big yes in your case when by practice you deny all new executables from running.

    Let's squash some misgivings about what is termed out-of-date software.

    The solution/approach it is used for is in no way outdated, and since there exists no malware that can effect a live infection without executing code into memory, the executable control solution is still 100% solid :D

    It would take an error by the user to permit malicious code to execute in order for it to be bypassed and the compromised system to potentially become infected.

    The misunderstanding...

    Will PG block exploits from firing ?

    In short no it is not designed nor claimed to block the delivery mechanism!

    Files can be written to disk and in some cases startup values for the payload can be created in the registry but at the end of the day these are not part of an active infection until the malware code imported is allowed to execute:thumb:

    Will PG block a driveby infection ?

    In short as long as the user denies any new executable captured then it is impossible for an infection to go live on that computer!

    Right, using the current live offending URL **cracks.com and unpatched IE6 as the browser for the sake of triggering the exploits hosted at that URL. Here's what happens within seconds of opening the URL.

    [Screenshot: pg 1st alert.jpg]

    Deny rule selected=

    [Screenshot: no handle.jpg]

    Reality is that the trojan downloader that is the payload of the exploit hosted at the compromised URL is stopped in its tracks. Since it cannot execute, it cannot infect the system :thumb::D
     
  14. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,201
    There are plenty of ways to block drive-by downloads.

    I would just want to mention an unpopular program on this forum:

    the Spy Sweeper (version without antivirus)

    Its internet communications shield has protected me many times.

    Maybe it's not the best setup, but it has never let me down.

    'if it ain't broken, don't fix it'
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Thanks fcukdat for that graphic demonstration!

    --
     
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Indeed there are!

    And two solutions are built in to the Operating Systems, requiring no additional software:

    XP-Pro -- Software Restriction Policies

    Vista -- User Account Control
     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    And thanks again for your tests.

    I find URLs by watching malware sites, hijack forums, and often, in sans.org diaries.

    After a while you realize that the end result is always the same. What fcukdat wrote about PG applies equally to the other solutions.

    What is interesting these days is the type of exploit used as the trigger. For instance,

    Unpatched Word Vulnerability
    http://isc.sans.org/diary.html?storyid=4696

    You will notice the payload: Trojan-Dropper

    Other applications/plugins exploited by buffer overflow include Flash, .pdf files, Quicktime, .mp3, and many more.
    All of the analyses I've seen of attacks show the same type of payload.

    While not specifically a drive-by attack as fcukdat just showed, nonetheless they are remote code execution attacks triggered as the user opens the infected file in the specific application/plugin.

    All such attacks are stopped from executing by any of the solutions shown in the screenshot results I posted.

    This is not to say that you don't need to patch your application or plugin. But it is to say that you are protected from this type of attack in case you encounter such a specially crafted malicious file, as you await the patch/update for the vulnerability.

    --
     
  18. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Also, don't underestimate a patched browser/OS.
    I've been spending the last half hour on the darkest site of the net, just happy-clicking on EVERYTHING, with IE6 and not a single drive-by download yet.
     
  19. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    What setting is IE on ?
     
  20. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Default. Haven't touched it, since I barely use it for MS updates. Just sandboxed.

    I'll do a test, will trust fcukdat's url, to see what happens.

    EDIT: again, nothing happened. No .exe inside the sandbox
     
    Last edited: Jul 10, 2008
  21. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    This is certainly true.

    For my purposes here, I'm a bit more inclusive, as I mentioned in the first post:

     
  22. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    fcukdat,
    Thank You--This is exactly what I was looking for.

    One question about Software Restriction Policies....do I have to enable this or is it already?

    With this enabled, I do not need PG as all executables will prompt me before download when visiting a drive by download site?

    Thanks in advance,
    Toby
     
    Last edited: Jul 10, 2008
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    This article is a good starting point:

    Using Software Restriction Policies to Protect Against Unauthorized Software
    http://technet.microsoft.com/en-us/windows/aa940985.aspx

    Also this. Note the paragraph on SRP part way down the page:

    Mark's Blog
    http://blogs.technet.com/markrussin...umventing-group-policy-as-a-limited-user.aspx

    --
     
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
  25. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Sadly my laptop came with XP home, so no SRP for me :oops:
    Is there a way to workaround this?
     