Blocking Drive-by Downloads

Discussion in 'other anti-malware software' started by Rmus, Jul 8, 2008.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    The drive-by download - or Remote Code Execution attack - evokes fear in many people.

    The theory is that a web page or an application can contain code to download a trojan executable by just visiting the web page, or by running a specially crafted file in the vulnerable application.

    Some recent attacks use applications such as Flash, mp3 players, Quicktime, pdf readers, MSWord.

    Web page attacks use i-frame and scripting to trigger the attack.

    Other attacks have come via USB devices - the U3 type of smartdrive or pendrive, and the digital picture frame, which is just a U3 USB device with photo software installed. These use the autorun.inf file as the triggering mechanism.

    Of course, we hope that our browser is tweaked, our autorun disabled, our applications patched before attacks surface in the wild.

    But today's technology provides a stopgap to anything that slips by that part of the defense.

    There are many solutions to preventing unauthorized executables from installing or running, and I decided to create a list. The idea came from another thread where a trojan exploit was tested on a number of products - aigle testing 6 or 7 himself.

    Since then, I've contacted a few others and have posted all the results on my web site. I would like to add more, so, those with products other than the ones on the list can try their own remote code execution test.

    To be included, you must post a screen shot of the alert message that pops up when you run the test.

    Note that I have not used the term "malware" - rather, "unauthorized executable" which I define as

    Any executable not already installed on your computer.

    This takes care of unauthorized installation of software by other users on a single computer, where parents or an administrator control what gets installed.

    There are two tests.

    The first is a remote code execution exploit embedded in a web page. It attempts to download an executable file, then copies the file to %temp% as svchost.exe and then execute it. It's a common technique for installing trojans.

    Unlike the test in the other thread, I have used a clean file - win32pad.exe - a freeware notepad replacement. This is so that those who are not set up to test malware can test their product.

    The download is from the author's site:

    http://www.gena01.com/

    If you download from the site, you will get the normal Download Prompt:

    winpad-dl.gif
    __________________________________________________________

    But if you go to the web page on my server, the download will bypass the Prompt Box:

    hxxp://www.urs2.net/rsj/computing/tests/8js/happy1.html

    This exploit requires IE6. For those for whom this won't work, you can do another remote code execution test which utilizes the AutoRun.inf file as the trigger. You will have to enable autorun for this in order to test the execution prevention feature of your product. This will simulate any type of remote code execution attack.

    1) Create an autorun.inf file on a USB device to install an executable not already on your computer

    -or-

    2) Use an installation CD.

    In both cases, the attempt to install should be blocked. (See the UAC example)

    Some of the solutions tested are stand-alone products. Some have other features, such as a firewall, HIPS actions. For this, I am interested only in the prevention-of-installation feature.

    Note that I use the word "solution" rather than "product" because two solutions are incorporated into the Operating System: Software Restriction Policies (SRP) for WinXP-Pro, and User Account Control (UAC) for Windows-Vista.

    I wanted to include Limited User Account (LUA) but after testing, I find ways to download/run programs without any alert. With respect to malware, there are other issues covered in the other LUA threads. So, I cannot recommend LUA alone as being reliable against the downloading/running of unauthorized software.

    I have not included Sandbox types of applications because they contain the exploit if it should run. I'm interested in preventing the exploit from being allowed to start.

    Here are the screen shots of the solutions tested so far:

    http://www.urs2.net/rsj/computing/tests/srp1

    The next post will contain a ready reference list of the solutions tested so far. I will add to it as others come in.

    Happy testing!
     
    Last edited: Jul 8, 2008
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    The following solutions have been tested:

    Software Restriction Policies (Win-XP)
    User Account Control (Vista)
    Process Guard
    Anti-Executable
    Comodo with Defence+
    Online Armor
    Geswall
    EQSecure
    Neoavaguard
    HauteSecure
    SafeSpace
    Threatfire

    And here are screen shots of the results:

    http://www.urs2.net/rsj/computing/tests/srp1

    --
     
    Last edited: Jul 10, 2008
  3. nomarjr3

    nomarjr3 Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    502
    Use Firefox and install the addons NoScript and Adblock Plus
     
  4. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    He is not asking for suggestions, he is detailing a test procedure for anyone interested.

    BTW, as stated by Rmus, the test doesn't work with Firefox (just tried).
    I also tried with IE6 and nothing happened. Just a blank page, no download.
    I have no extra security in IE6, other than SBIE.
    Changed security settings to "low" on IE and disabled all protection on SpywareBlaster. Still no download.
     
  5. bman412

    bman412 Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    261
    RAV's IE script blocking module
     

    Attached Files:

  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Try either a USB or CD test to see if there is an alert.
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Interesting alert!

    What is RAV?

    Also, can you send me a copy of that .tmp file?

    thanks.
     
  8. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Haven't an USB with me ATM, but I have seen before what happens (IF autoplay is enabled).

    SBIE lets the executable run, no alert, but contains it.

    Maybe I'll do some tests later and post some screenshots.
     
  9. bman412

    bman412 Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    261
    Rising AntiVirus which I have installed with just the Active Defense (HIPS) modules and the IE script blocking module, not the other file monitor modules. Had Returnil active and rebooted already but I have redone the test and script blocker performs as earlier and auto-quarantines the temp file. Will try to send you the quarantined file in a bit. Yahoo blocking my file attachment pffftt!
     

    Attached Files:

  10. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    and did these solutions pass the test ??
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    It took a while to sort this out. Running without the IE script blocking module, the exploit still did not run, and we determined it was because his IE is updated which includes patching for the MS06-014 exploit which I used.
    ___________________________________________________________​

    My reasons for this test are two:

    First, to determine which solutions are true Default-Deny, meaning that the user cannot proceed with the installation without contacting the administrator. According to the screenshots, only Software Restriction Policies and Anti-Executable fall into this category. All others let the user make a decision to continue or not.

    Second, to determine which have Copy Protection. I used the MS06-014 exploit which downloads an executable, copies it to the temp folder as svchost.exe, and then executes it. By looking at the screenshots of the alerts of the various products, I can see which if any provide true Copy Protection, where the executable does not download to the computer. Only Anti-Executable provides this. The others blocked the exploit at the point at which svchost.exe attempts to run.

    --
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi Rmus, I really enjoyed the previosu drive-by download. I will love to have some more live exploits if there are any.

    Thanks
     
  13. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Re https://www.wilderssecurity.com/showthread.php?t=214600 locked thread by Bubba and suggested that enquiry/reply be posted in this topic and with Rmus consent:cool:

    In short it is a big yes in your case when by practice you deny all new executables from running.

    Lets squash some misgivings with what is termed an out of date software.

    The solution/approach it is used for is no way outdated and since there exists no malware that can affect a live infection without executing code into memory then the executable control solution is still 100% solid:D

    It would take an error by user to permit malicious code to execute inorder for it to be bypassed and the compromised system to potentially become infected.

    The misunderstanding...

    Will PG block exploits from firing ?

    In short no it is not designed nor claimed to block the delivery mechanism!

    Files can be written to disk and in some cases startup values for the payload can be created in the registry but at the end of the day these are not part of an active infection until the malware code imported is allowed to execute:thumb:

    Will PG block a driveby infection ?

    In short as long as the user denies any new executable captured then it is impossible for an infection to go live on that computer!

    Right using current live offending url **cracks.com and unpatched IE6 as browser for the sake of triggering exploits hosted at that url.Here's what happens within seconds of opening the url.

    pg 1st alert.jpg

    Deny rule selected=

    no handle.jpg

    Reality is that the trojan downloader that is the payload of the exploit hosted at the compromised url is stopped in its tracks.Since it cannot execute then it can not infect the system:thumb::D
     
  14. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    There are plenty of ways to block drive-by downloads.

    I would just want to mention an impopular program on this forum:

    the Spy Sweeper (version without antivirus)

    It's internet communications shield has protected me many times.

    Maybe it's not the best setup, but it has never let me down.

    'if it ain't broken, don't fix it'
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks fcukdat for that graphic demonstration!

    --
     
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Indeed there are!

    And two solutions are built in to the Operating Systems, requiring no additional software:

    XP-Pro -- Software Restriction Policies

    Vista -- User Account Control
     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    And thanks again for your tests.

    I find URLs by watching malware sites, hijack forums, and often, in sans.org diaries.

    After awhile you realize that the end result is always the same. What fcukdat wrote about PG applies equally to the other solutions;

    What is interesting these days is the type of exploit used as the trigger. For instance,

    Unpatched Word Vulnerability
    http://isc.sans.org/diary.html?storyid=4696

    You will notice the payload: Trojan-Dropper

    Other applications/plugins exploited by buffer overflow include Flash, .pdf files, Quicktime, .mp3, and many more.
    All of the analyses I've seen of attacks show the same type of payload.

    While not specifically a drive-by attack as fcukdat just showed, nonetheless they are remote code execution attacks triggered as the user opens the infected file in the specific application/plugin.

    All such attacks are stopped from executing by any of the solutions shown in the screenshot results I posted.

    This is not to say that you don't need to patch your appplication or plugin. But it is to say that you are protected from this type of attack in case you encounter such a specially crafted malicious file, as you await the patch/updatefor the vulnerability.

    --
     
  18. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Also, don't underestimate a patched browser/OS.
    I've been spending the last half hour on the darkest site of the net, just happy-clicking on EVERYTHING, with IE6 and not a single drive-by download yet.
     
  19. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    What setting is IE on ?
     
  20. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Default. Havent touched it, since I barely use it for ms updates. Just sandboxed.

    I'll do a test, will trust fcukdat's url, to see what happens.

    EDIT: again, nothing happened. No .exe inside the sandbox
     
    Last edited: Jul 10, 2008
  21. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    This is certainly true.

    For my purposes here, I'm a bit more inclusive, as I mentioned in the first post:

     
  22. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    fcukdat,
    Thank You--This is exactly what I was looking for.

    One question about Software Restriction Policies....do I have to enable this or is it already?

    With this enabled, I do not need PG as all executables will prompt me before download when visiting a drive by download site?

    Thanks in advance,
    Toby
     
    Last edited: Jul 10, 2008
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    This article is a good starting point:

    Using Software Restriction Policies to Protect Against Unauthorized Software
    http://technet.microsoft.com/en-us/windows/aa940985.aspx

    Also this. Note the paragraph on SRP part way down the page:

    Mark's Blog
    http://blogs.technet.com/markrussin...umventing-group-policy-as-a-limited-user.aspx

    --
     
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
  25. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Sadly my laptop came with XP home, so no SRP for me :oops:
    Is there a way to workaround this?
     
Thread Status:
Not open for further replies.