Get hacked on the fly

Discussion in 'other security issues & news' started by Rasheed187, Jul 25, 2006.

Thread Status:
Not open for further replies.
  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,579
    Location:
    The Netherlands
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Any good HIPS like PG, SSM, Ghost Security Suite or a good sandbox, I think!
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,579
    Location:
    The Netherlands
    Yeah, this was demonstrated on the "McAfee Avert Labs Day", but they don't tell you how to stop this kind of stuff, at least not in this video. I wouldn't be surprised if they also demonstrated how McAfee AV could protect you from this.

    But a good HIPS should be able to stop this stuff; it would be cool if people actually tested tools like SSM, GreenBorder, ZA Pro etc. against these attacks. I'm also running all of my browsers in non-admin mode, I wonder if that would have also stopped the attack. ;)
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,228
    Hello,
    Browsing in Firefox with NoScript.
    And as to the last sentence in that article, don't say this cannot happen in Firefox ... I want one proof, ONE proof that demonstrates this. I say this cannot happen in Firefox.
    Mrk
     
  5. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    "This particular case was recorded late last year. It exploited a Javascript flaw in Windows XP and Internet Explorer that has since been repaired."

    There's your answer.

    There's nothing that can block a totally unknown flaw, but other measures like running with restricted rights, sandboxing and behavior blocking (execution control etc.) can hopefully mitigate the damage and stop it before it can do anything serious. And of course if the flaw is known, signatures will detect it, or you can just patch.

    But if you are looking for a solution that will stop unknown flaws 100% from even starting, you have a better chance looking for the holy grail.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,579
    Location:
    The Netherlands
    Yes, hopefully these measures (restricted rights, sandboxing, behavior blocking) will be able to stop malware from doing any damage, but it's really strange that no one is testing these tools against these exploits; it must be easy to do, right? At least you would get an impression of the effectiveness of the various protection methods.
     
  7. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Most of these exploits are not that interesting (from the point of view of someone like you who just wants to know if your software will protect them from the downstream effects). They tend to do pretty much the same stuff once they are past the initial stage; it's not really interesting. Most of the time you can just look up the analysis of what the malware does (what registry keys it changes, what dropper it starts, etc.), look at what your security software does and doesn't allow, and you pretty much know what will happen.

    The simplest example is if you run an execution control type program: if you see the malware will try to start some dropper, you know the rest.

    Still, I'm not complaining if someone (even you) does the tests. It's easy according to you, and you are not a newbie, so you can do the tests. :)

    Just keep your Windows VM unpatched, go to a site which serves these exploits, analyse what the malware does, and see if it works.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,579
    Location:
    The Netherlands
    Well, actually I would like to leave the testing to the pros. They have the knowledge and resources. For example, take Keylabs; it would be cool if they tested other HIPS, but I guess their services are not free, that might be a problem. I'm also quite impressed with the tests done by kareldjag, but the problem is that he's not testing these tools against zero day exploits; you might never know if HIPS will react differently when faced with "drive by" attacks.
     
  9. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    You seem to be under the impression that just because something is called "zero day" it has magical powers.

    Yes each exploit is different but the good thing about the protective stuff you are talking about, we don't usually care, how the exploit works, because it doesn't concern itself with stopping the initial vector, but what happens after.

    I can't make myself clearer than that.
     
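    Devil's Advocate's point in posts 7 and 9, that you can predict the outcome by replaying what the malware does after the initial exploit against what your protection allows, can be turned into a small script. What follows is an added example, not code from this thread or from any product mentioned in it. The event log is constructed to resemble a sandbox report of a drive-by download (browser writes a dropper to the user's Temp folder, the dropper starts and sets an autorun key), and the two policy functions are simplified stand-ins, assumed for illustration, for a restricted-rights account and a default-deny execution-control HIPS; they are not any real product's rule set.

```python
"""
Replay a drive-by infection chain against post-exploitation controls.

Constructed example: the event log is made up to resemble a sandbox report
of a drive-by download, and the policy rules are a simplified stand-in for a
restricted-rights account and a default-deny execution-control HIPS. Both
are assumptions for illustration, not a real product's rules.
"""

# Constructed event log, in the order a sandbox would record it.
# Each event is (kind, pid, parent_pid, target).
DRIVE_BY_CHAIN = [
    ("proc_start", 1200, 900,  r"C:\Program Files\Internet Explorer\iexplore.exe"),
    ("file_write", 1200, None, r"C:\Documents and Settings\user\Local Settings\Temp\svhost.exe"),
    ("proc_start", 1300, 1200, r"C:\Documents and Settings\user\Local Settings\Temp\svhost.exe"),
    ("reg_write",  1300, None, r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svhost"),
    ("file_write", 1300, None, r"C:\WINDOWS\system32\drivers\etc\hosts"),
    ("reg_write",  1300, None, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svhost"),
]

# Locations a limited user cannot write to (restricted-rights model, assumed).
PROTECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "hklm\\")

# Images the execution-control HIPS has been told to allow (default-deny, assumed).
ALLOWED_IMAGES = {
    "c:\\program files\\internet explorer\\iexplore.exe",
}


def _norm(path):
    """Case-fold and unify separators so prefix checks are reliable."""
    return path.lower().replace("/", "\\")


def restricted_rights(event, state):
    """Deny writes to machine-wide locations; everything else is allowed."""
    kind, _pid, _parent, target = event
    if kind in ("file_write", "reg_write") and _norm(target).startswith(PROTECTED_PREFIXES):
        return "restricted user cannot write %s" % target
    return None


def execution_control(event, state):
    """Default-deny execution: only allowlisted images may start. A file that
    some process wrote earlier in this session is reported as a dropper."""
    kind, _pid, _parent, target = event
    if kind != "proc_start":
        return None
    image = _norm(target)
    if image in ALLOWED_IMAGES:
        return None
    if image in state["written"]:
        return "blocked execution of file dropped by pid %d" % state["written"][image]
    return "blocked execution of non-allowlisted image %s" % target


def replay(events, policies):
    """Run the chain through the policies in order.

    Returns a list of (event, verdict); verdict is None when the event goes
    through, otherwise the first policy's reason for blocking it. When a
    process start is blocked, later events from that pid are dropped, since
    the process never existed to perform them.
    """
    state = {"written": {}}   # normalized path -> pid that wrote it
    dead = set()              # pids whose start was blocked
    verdicts = []
    for event in events:
        kind, pid, _parent, target = event
        if pid in dead:
            continue          # this process never started
        reason = None
        for policy in policies:
            reason = policy(event, state)
            if reason:
                break
        verdicts.append((event, reason))
        if reason:
            if kind == "proc_start":
                dead.add(pid)
            continue
        if kind == "file_write":
            state["written"][_norm(target)] = pid
    return verdicts


def surviving_actions(events, policies):
    """Targets the chain still modifies after enforcement: the damage left over."""
    return [e[3] for e, reason in replay(events, policies)
            if reason is None and e[0] != "proc_start"]


if __name__ == "__main__":
    for name, policies in [("no protection", []),
                           ("restricted rights", [restricted_rights]),
                           ("restricted rights + execution control",
                            [restricted_rights, execution_control])]:
        print("== %s ==" % name)
        for event, reason in replay(DRIVE_BY_CHAIN, policies):
            print("  %-10s %-55s %s" % (event[0], event[3][:55], reason or "allowed"))
```

    With no policy every action lands. Restricted rights alone let the dropper run but stop the HKLM autorun key and the hosts-file write, leaving the dropper on disk plus an HKCU autorun entry; adding default-deny execution control cuts the chain at the moment the dropped file tries to start, which is the "if the malware tries to start some dropper, you know the rest" case from post 7. The same replay can be fed a different chain (a macro dropper out of Office, a media-player exploit) without changing the policy functions, which is the point of post 9: the controls do not care about the initial vector.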
  10. ASpace

    ASpace Guest

    Your mind. Just be careful which sites you visit.

    If someone is not sure about a site, let him/her first update the resident protections and then use Google or McAfee's SiteAdvisor and check the page :thumb:
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,579
    Location:
    The Netherlands
    @ DA

    I understand what you're saying, but like I said before, I wouldn't be surprised if HIPS might have more difficulty trying to stop malware coming in via a flaw (buffer overflow or whatever) in Windows or another app (Office, Winamp, Acrobat, IE, FF etc.). For example, I tested ZA Pro against the WMF exploit, and I did get to see a couple of popups, but it did not stop certain processes from launching. So I'm not sure if it would have stopped a real attack.

    @ HiTech_boy

    Of course, but this will not always save your ass; there is always a chance that you might end up on a malicious site, and don't forget, sometimes legitimate sites get hacked also.
     