A thought regarding drive-by downloads

Discussion in 'other anti-malware software' started by Gullible Jones, May 8, 2010.

Thread Status:
Not open for further replies.
  1. Is there any software out there - any software at all - that's designed to block a specific process from launching other processes? Or could at least do so along with its other functionality, without weighing a system down?

    It just struck me that your average browser hijack works by using JavaScript or whatever embedded rubbish to launch an executable. But suppose you could just blanket forbid your browser from launching anything? It makes sense, too - nobody needs to launch stuff from a browser (unless the browser is IE). So why not do that and avoid the need for real-time scanning?
     
  2. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
  3. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
    Have you read this very informative post by Rmus about drive-by infections?
     
  4. Interesting.

    I wonder if there's a way to go even simpler, and do it with SRP or AppLocker... Or do those only allow blacklisting of applications, not blacklisting of application privileges?

    Edit: No, I hadn't read that post about drive-bys. Interesting. It looks like it's not as simple as I thought, since plugins and DLLs can also be part of a drive-by.
     
    Last edited by a moderator: May 8, 2010
  5. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    I think FF with NoScript will protest against this. I use AppGuard though.
     
  6. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    I don't know about SRP, but AppLocker supports script, installer, and executable rules, so it should prevent drive-by downloads too.
     
  7. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,124
    Location:
    Pennsylvania.
    I'm sure a HIPS program would be more than effective, or just get Sandboxie and have it so only your browser has Internet access and the ability to run. :p
     
  8. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    You can also disable scripting in Google Chrome. But it is pretty generic and kind of a pain sometimes. I had scripting disabled in Chrome and tried to go to Freewaregenius.com a week ago or so. The site had been hacked (fixed now) and had some sort of embedded trojan. Avast 5 free alerted to the infection despite scripting being disabled. I had the HTTP scanner of Avast enabled.

    I guess with the drive-bys you also have to be concerned with 3rd party apps/plug-ins/BHOs of the browser (Flash, Java, etc).
     
  9. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Just tweak the registry to deny or restrict file downloads within the browser ;)
    That's how I have it here all the time, and safe :)
     
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  11. Jav

    Jav Guest

    Wait. What about Adobe Flash, Java, PDF reader, DivX Player, Silverlight?
    All of them are triggered by the browser. So if you deny the browser from launching anything, it will be painful to live....

    Anyway, I think SRP/AppLocker is the way to go. And actually it's not just blacklisting.. It can be (and most times is) used for whitelisting.

    So you can give rules for which executables, scripts, and DLLs can be launched/loaded. Anything not included in those rules will be denied.

    So it will block drive-by malware. ;)
     
  12. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    While SRP is already powerful in stopping drive-by downloads, AppLocker is the definite way to go under LUA.

    As it is at kernel level (unlike SRP), there is no way to trick it and execute foreign code, be it a script, a DLL, or an EXE... as long as your admin has properly taken ownership of the Programs and Windows folders, and provided you ensured your LUA cannot write inside these folders (so that you cannot save code in these folders, even by mistake, and it won't execute).
     
  13. wat0114

    wat0114 Guest

    AppLocker will not only allow whitelisting of rules, but it is also the recommended approach. Even better, possibly, depending on the situation, it will also allow one to set up allow rules with exceptions. The blacklist approach, besides being weaker, is also far too cumbersome to properly implement and maintain.
     
  14. wat0114

    wat0114 Guest

    To answer someone who asked via PM if it is still possible to run applications from the user's temp folders with AppLocker enabled, the answer is a resounding NO, as long as the three basic whitelisting rules are enabled.

    See here

    Whitelisted AppLocker rules are absolute. No exceptions. Period.

    Case in point: My son plays on this website called Fusion Fall, and it requires a Unitywebplayer executable to run from a couple of his user folders. Well, AppLocker denied it unequivocally until I created two "Path" rules specific to his account. Please see the screenshot. This is how powerful AppLocker is.
     


    Last edited by a moderator: May 10, 2010
  15. Gen

    Gen Registered Member

    Joined:
    Jan 9, 2007
    Posts:
    73
    I don't understand the first 2 rules; why would you need a rule to allow something that is already allowed, when any user can access their Program Files/Windows in their profile?

    Also, how does allowing all users to run files in specific folders prevent the non-administrators from running the files?
     
  16. wat0114

    wat0114 Guest

    Take another look at the quoted three rules. The two rules I created are specific to my son's account (his name I erased ;) ). Remember, those three rules alone block executables from launching in even the limited account's user directories. This is the beauty of whitelisting over blacklisting.
     
  17. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    You can tweak the registry (https://www.wilderssecurity.com/showthread.php?t=262475), which prevents downloads (and blocks execution by Explorer).

    Next, you can deny execution through OS-related policy restrictions: SRP, AppLocker.

    Or use a HIPS/sandbox.
     
  18. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Kees, I have XP Home :D
     
  19. timestand

    timestand Former Poster

    Joined:
    May 7, 2010
    Posts:
    172
    Thanks for replying to my PM. But you got the wrong idea. I don't ask about the user's temp folder, but the temp folder of this: C:\Windows\temp. Users can write here. So if your SRP or AppLocker rules allow execution from C:\Windows, users can write and execute from C:\Windows\temp. Right?

    I am also talking about Windows XP. Not sure if this also applies to Windows 7, sorry.
     
  20. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    At the risk of sounding like a broken record.... Why not just run with Returnil, Deep Freeze or one of the other many light virtualization programs? Reboot and you're back to a perfectly fresh system.
     
  21. wat0114

    wat0114 Guest

    Okay, sorry, I'm not sure how to prevent that with SRP in XP, although I think it should be possible. With AppLocker under Win 7 your concern is a non-issue, because you can auto-generate rules so that it creates whitelist rules for the applications that are presently installed (so they should all be trusted). This way nothing not already in the rules will be allowed to launch, even from the C:\Windows\temp folder. I will have a look at the Sandboxie thread.
     
  22. timestand

    timestand Former Poster

    Joined:
    May 7, 2010
    Posts:
    172
    Sorry I don't understand. You say here:
    Now you say auto-generate rules also?
     
  23. wat0114

    wat0114 Guest

    The rule "Allow users to run all files in the Windows folder" simply means the executables that are currently there when the AppLocker rules are created. AppLocker has a handy feature that lets one auto-generate the rules, in that it scans the folder for the files presently in it. The files should be trusted (otherwise why would anyone in their right mind create whitelisted rules for rogue executables, unless unknowingly ;) ), so only those files will be allowed to run. Any other executable placed in the folder after the rules are created will not be able to execute. And then this latter situation is not even possible under a limited account anyway, so it's extremely secure. BTW, I posted to the ssj thread.
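A scripted version of the "auto-generate rules from what is presently installed" step described above, added here as an example; it is not code from the thread or from any poster. It assumes a Windows 7 Enterprise/Ultimate (or later) machine with the AppLocker PowerShell module, an elevated prompt, and that publisher/hash rules are acceptable instead of the GUI's path rules. The function names, the System32-only scan and the Downloads-folder dry run are my own choices.

```powershell
# Added example (not the thread's code): snapshot the executables present in a folder into
# AppLocker allow rules, dry-run the policy, and only then enforce it. Function names are mine.
Import-Module AppLocker

# Build allow rules for everything currently in $Folders (the "auto-generate" step).
# Signed files get publisher rules, unsigned ones hash rules. A hash rule matches only the
# scanned file's exact bytes, so a binary dropped into the folder later is not whitelisted.
function New-SnapshotPolicy {
    param([string[]]$Folders = @($env:windir, $env:ProgramFiles))
    $fileInfo = foreach ($folder in $Folders) {
        Get-AppLockerFileInformation -Directory $folder -Recurse -FileType Exe, Script
    }
    New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
        -User Everyone -Optimize -IgnoreMissingFileInformation
}

# Dry run: which of the given files would the policy stop Everyone from running?
# Anything the whitelist does not cover comes back as DeniedByDefault.
function Get-BlockedByPolicy {
    param($Policy, [string[]]$Paths)
    if (-not $Paths) { return @() }
    Test-AppLockerPolicy -PolicyObject $Policy -Path $Paths -User Everyone |
        Where-Object { $_.PolicyDecision -ne 'Allowed' }
}

# Enforce: the Application Identity service must be running for AppLocker to evaluate rules.
# -Merge adds to any rules already in place rather than replacing them.
# (On newer Windows versions AppIDSvc is protected; use sc.exe config appidsvc start= auto there.)
function Enable-SnapshotPolicy {
    param($Policy)
    Set-Service -Name AppIDSvc -StartupType Automatic
    Start-Service -Name AppIDSvc
    Set-AppLockerPolicy -PolicyObject $Policy -Merge
}

# Usage. A full %WINDIR% scan takes a while; System32 alone is enough for a first look.
$policy = New-SnapshotPolicy -Folders "$env:windir\System32"
$policy.ToXml() | Set-Content (Join-Path $env:TEMP 'applocker-snapshot.xml')   # keep a copy

# Anything in this user's Downloads folder that the snapshot would not let run
$downloads = Get-ChildItem (Join-Path $env:USERPROFILE 'Downloads') -Filter *.exe -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName
Get-BlockedByPolicy -Policy $policy -Paths $downloads |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Enable-SnapshotPolicy -Policy $policy    # uncomment once the dry run looks right
```

Review the dry-run table before enforcing: a `DeniedByDefault` entry for a program a user relies on means that program needs its own rule first, which is the same situation the Fusion Fall example ran into.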
     
  24. timestand

    timestand Former Poster

    Joined:
    May 7, 2010
    Posts:
    172
    OK I understand.

    The user is allowed to write to C:\Windows\temp. But yes, with AppLocker or if I create an SRP rule, they cannot execute. But then I read on ssj that it cannot write or execute anyway, as it cannot read. So no problem?
     
  25. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Whether it's a problem depends on how the file permissions are set on your system. Some systems have non-default permissions due to changes by the manufacturer, for example. To be sure, you could check the permissions yourself - many ways to do that, such as using the Security tab if you're not on a Home version of Windows, using tools like Accesschk from Sysinternals, or even simply manual methods (use the command prompt to copy some executable file of your choice into the folder and then execute it from the command prompt - if it works, that'll tell you you've got read, write and execute permissions for newly created files in that folder). There's a difference between having read permission on a folder and having read permission on some file inside that folder, thanks to everyone having the Bypass traverse checking privilege.

    Or you could avoid all that just by creating an additional SRP rule that denies running stuff from Windows\Temp. That shouldn't cause trouble with any software that actually works in a limited user account without hacks. The kind of software that wants to run stuff from the Windows\Temp folder typically doesn't work as LUA anyway.
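The two things Windchild suggests, as a script added here for illustration (not code from the thread or from any poster): part 1 is the manual check (copy a harmless executable into Windows\Temp and try to run it, then list who may write there); part 2 is the AppLocker equivalent, for Windows 7 and later, of the extra SRP deny rule, built from the three default Exe rules plus a Deny on %WINDIR%\Temp\*, which takes effect because AppLocker evaluates Deny rules before Allow rules. The probe file name, rule names and the use of whoami.exe as the test binary are my own; run part 1 as the limited user and part 2 from an elevated prompt.

```powershell
# Added example, not the thread's code. Names of functions, rules and the probe file are constructed.
Import-Module AppLocker

# --- Part 1: the manual check. Copy a stock binary into %WINDIR%\Temp and try to run it.
function Test-TempExecution {
    $probe = Join-Path $env:windir 'Temp\lua-probe.exe'   # constructed file name
    try {
        # whoami.exe stands in for "some executable file of your choice"
        Copy-Item (Join-Path $env:windir 'System32\whoami.exe') $probe -ErrorAction Stop
    } catch { return "cannot write to $env:windir\Temp: $($_.Exception.Message)" }
    try {
        $p = Start-Process -FilePath $probe -Wait -PassThru -NoNewWindow -ErrorAction Stop
        $result = "write AND execute allowed (exit code $($p.ExitCode)) - consider a deny rule"
    } catch {
        # An SRP/AppLocker block surfaces here as an access-denied / group-policy error
        $result = "write allowed, execute blocked: $($_.Exception.Message)"
    } finally { Remove-Item $probe -ErrorAction SilentlyContinue }
    $result
}

# Folder ACL and per-file ACL can differ (Bypass traverse checking), so show who may write here.
function Show-TempWriters {
    (Get-Acl (Join-Path $env:windir 'Temp')).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.FileSystemRights -match 'Write|Modify|FullControl' } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

# --- Part 2: AppLocker policy = three default Exe rules + Deny for %WINDIR%\Temp.
# S-1-1-0 is Everyone, S-1-5-32-544 is Administrators. Deny wins over Allow in AppLocker.
function New-PathRuleXml {
    param([string]$Name, [string]$Sid, [string]$Path, [string]$Action)
    "<FilePathRule Id=`"$([guid]::NewGuid())`" Name=`"$Name`" Description=`"`" " +
    "UserOrGroupSid=`"$Sid`" Action=`"$Action`">" +
    "<Conditions><FilePathCondition Path=`"$Path`" /></Conditions></FilePathRule>"
}

function New-TempDenyPolicyXml {
    $rules = @(
        New-PathRuleXml 'Program Files folder'          'S-1-1-0'      '%PROGRAMFILES%\*' 'Allow'
        New-PathRuleXml 'Windows folder'                'S-1-1-0'      '%WINDIR%\*'       'Allow'
        New-PathRuleXml 'Administrators run all files'  'S-1-5-32-544' '*'                'Allow'
        New-PathRuleXml 'No execution from Windows\Temp' 'S-1-1-0'     '%WINDIR%\Temp\*'  'Deny'
    ) -join "`n"
    "<AppLockerPolicy Version=`"1`"><RuleCollection Type=`"Exe`" EnforcementMode=`"Enabled`">`n" +
    "$rules`n</RuleCollection></AppLockerPolicy>"
}

# Dry run against the real cmdlet: expect System32\whoami.exe Allowed, Temp\lua-probe.exe Denied.
function Test-TempDenyPolicy {
    $xml   = Join-Path $env:TEMP 'applocker-temp-deny.xml'
    $probe = Join-Path $env:windir 'Temp\lua-probe.exe'
    New-TempDenyPolicyXml | Set-Content -Path $xml -Encoding ASCII
    Copy-Item (Join-Path $env:windir 'System32\whoami.exe') $probe -Force
    try {
        Test-AppLockerPolicy -XmlPolicy $xml -User Everyone `
            -Path (Join-Path $env:windir 'System32\whoami.exe'), $probe
    } finally { Remove-Item $probe -ErrorAction SilentlyContinue }
}

Test-TempExecution
Show-TempWriters
Test-TempDenyPolicy | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
# To enforce (elevated, with the AppIDSvc service running):
# Set-AppLockerPolicy -XmlPolicy (Join-Path $env:TEMP 'applocker-temp-deny.xml') -Merge
```

The Deny rule is scoped to Everyone on purpose, so it also covers an administrator account that is allowed everything by the third default rule; narrow the SID if that is not what you want. As Windchild notes for the SRP version, software that genuinely works in a limited account does not need to run anything from Windows\Temp, so the dry run should report no legitimate program under that path.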
     