Threat types are taken from a SANS Institute security paper here, which I've seen posted some time ago here but can't remember when or by whom, and posted recently by trismegistos - thanks! It's a report on the effectiveness of Application Whitelisting against common threats. Although this thread isn't aimed at dsicussing this approach, the paper pretty much confirms what I've thought about the benefits the whitelist approach can provide, even though it's far from perfect. BTW, I chose XSS (Cross Site Scripting).
I chose XSS as well. NoScript is the only one that really blocks all XSS but it does so in a way that'll cause incompatibility on some websites. Chrome's XSS auditor uses heuristics so that it can determine when it should/ shouldn't work - but this means there will be false positive/negatives. So without breaking the web things become much harder. Blocking drive by downloads isn't exactly 'easy' - you can't stop remote code execution bugs from being in your software. But it doesn't matter that much and it's easily mitigated in other ways like sandboxing. Fake/ Rogue AVs or other scamware is difficult to prevent on Windows. That's one of the ways I've been infected - I really don't care to be careful on the web. This is a close contender for the hardest to prevent - there's no tool that prevents infection when a user is determined to install a program.
Unless the attacker has local access, these should be easy to stop with a properly configured HIPS or anti-executable application. The paper's results prove the whitelist approach prevented it.
I don't see how a HIPS or AE would do anything. The assumption here is that I trust the fake AV/ scamware (otherwise there's no security software needed) and therefor I want it to execute. If I want something to execute an AE/HIPS won't stop me from doing it. An Antivirus might deter me if it tells me it's malicious, that's about it.
I definitely have to agree that these seem to be the hardest to stop. They are the bulk of my cleaning jobs any more. Why this is the case escapes me. I've been trying to figure out why someone would trust an "alert" from an AV that isn't installed and looks nothing like the resident AV. A few of my clients have fallen for these over and over, even though I've shown all of them what their own AVs alerts look like. I'm becoming convinced that computers, smart phones, the internet, etc are destroying what little common sense people have left.
Social engineering is pretty decent. I send a lot of emails that have a single word in the subject "weird" "funny" or whatever and then the subject is a link. I've seen spam emails look less spammy compared to what I send out. And if someone thinks they've got a virus it's going to be their typical confused self with the bonus of fear/ thinking they need to act quickly to remove threats.
Probably phishing/social engineering IMO, if the attacker has some knowledge of the target. XSS stuff is scary though. I've been hit by it (on Linux) once or twice, and as a result I'm now very careful about multitasking in my browser.
I LOL'ed. I answered Drive-By Downloads thinking the question was which type of attack was the most common but when i read it carefully it was the most difficult to prevent . . . Sorry, my real vote should've been "Cross Site Scripting or SQL Injection attacks"
I see your point, HM, if you're security-unaware about these threats, and especially the click-happy type of user who might easily panic at the presence of these fake av and install it, otherwise I can't imagine an experienced and security-conscious user like you or most everyone in these forums being fooled into installing them, although I could see the once-in-a-blue-moon successful infection against a security-aware user who's really having a bad day, fatigued, day dreaming, or drunk Agreed, if the user is in control, otherwise if someone else administrates the pc, and the targeted user is running as Standard, the HIPS/AE could stop them, as long as only someone else with Admin privileges has control of the security application. Very interesting and revealing feedback from someone with real world experience helping (and probably exasperated by by it LOL!) those victimized by these threats. I can't help but wonder, however, if the Rogue/Fake AV's are maybe the most prevalent threats, but not necessarily the hardest to stop. My point being, for us experienced/knowledgeable users, they are still probably easier to stop than XSS or 0 days, for example. For those type users you are helping, though, they would likely get just as easily infected, or more so, by any of the other threats as well, but maybe the Rogue/Fakes are the most common threat? Just a theory, although you'll know better than I. From what I've read about it, it is pretty scary stuff. It's caused me a lot of indecisiveness about which browser to settle on, switching back and forth between Chrome (because I like its untrusted IL renderers and its speed) or Firefox w/NoScript. Since I feel Firefox w/NS provides superior resistance to XSS threats, I have recently switched back to it.
Downloads are easily checked with AVs. social engineering can be beaten easily, depending on your alcohol intake. the only thing i worry about are browser exploits. NoScript takes care of that and fight the Barbarians right at the gates!
