Drive-by Downloads

Ain't what they used to be !

There was a time when DBD infections occurred without user interaction, due to having ActiveX & Scripting etc running full time

Now it "seems" that, yes there still some that DBD's are waiting to pounce, but now require user interaction before infecting.

If you know of any recent instances otherwise, please post, but NOT direct links

Also what are your thoughts in general about recent/current DBD's ability, or otherwise to infect ?

 

For some statistics see https://www.wilderssecurity.com/showpost.php?p=1957300&postcount=4.

Definition (from http://www.nsslabs.com/resources/white-papers/265/threat-definitions.html):

 

That is a good thing though, for most people.

 

I've run into dozens of Java drive-by's. Plenty of IE6 drive-by's.

The blackhole exploit kit definitely has some.

If they exist for Chrome I haven't seen them and I haven't had any flash.

 

There are plenty of drive-by downloads out there, but you won't notice most of them on a patched machine - unless your AV or NoScript complains about a dodgy obfuscated Javascript on a page. The only sign for many (regardless of if an exploit was successful) is that their browser might have crashed, something which most just put down to a buggy browser.

I get asked to check out pages for people often when their AV (usually Avast) complains about a certain page - in most cases it's usually a script for Blackhole Exploit Kit added to a UK website for a local business of some sort - e.g. a local car dealer, or local real estate agent, etc. Old software, bad passwords.

I don't hear about infected ads nearly as much any more - the last time was for a local forum I occasionally read, but by the time I'd heard about it it had been sorted. With Adblock, it's like they don't exist as a webthreat.

 

I still hear about infected ads once in a while. There's usually a month or so where I hear a ton about it and then it goes away.

 

That is very encouraging to hear!

 

Can you cite an example? Just a description -- you don't have to give a URL.

Thanks,

-rich

 

I've seen some .swl files cached from Blackhole on a site, but never have had an actual exploit using it. The JAVA exploit has always taken precedence. This is with IE8.

regards,

-rich

 

I don't see the flash because they don't break the sandbox. Blackhole exploit kit probably has some in there.

 

@ Rmus

Hi there.

Hopefully some of these will do.

Thought the following might interest you, & maybe others too

 

Wow! I didn't realize how much the term "Drive-by Download" has been expanded to include so many scenarios!

Well, all scenarios where some user action is involved go beyond the simple situation where just going to a web page or opening the USB drive, triggers code to install malware. This situation is very easily dealt with, of course.

Malware piggybacking on installers or programs is nothing new, but more properly relates to User Policies, in my view.

For instance, in your second example, which mentions File Sharing and the Xupiter toolbar. I believe that Xupiter was well-documnented as spyware; and File Sharing, well, what can one say?

In my not-so-humble opinion on this important matter, none of these deserves to be placed in the distinctive and honorary class of the true Drive-by Download!

regards,

-rich

 

completely agree with you

 

Yeah no need to be humble about it

I also agree, TRUE DBD's should be in a class of their own. Which is why i initially said DBD's "Ain't what they used to be !" according to some out there anyway !

I guess a number of infections are Partially DVD's due to the initial code that gets automatically loaded without user intervention. But after that if users get click happy, then it's not truly DBD anymore. Maybe they should be called PDVD ?

 

I agree with you.

For example, let's take example number 1.

1 - # Downloads which a person authorized but without understanding the consequences (e.g. downloads which install an unknown or counterfeit executable program, ActiveX component, or Java applet).

This makes me think of social engineering and not drive-by downloads.

 

+1

Drive-by downloads can include a social engineering component in those cases in which a user is enticed to visit a bad website. However, once at a given website, I consider a drive by download to have occurred only if vulnerabilities were exploited.

 

This is how I feel as well.

 

Anyone know of a website that can check other sites for drive by downloads ?

I sent a friend of mine a link and he said he got something there.

He's running 7x64 and I am running XPSP3.

I have no problems at all except for all the adds on the site.

Since this thread is about Drive by Downloads I though it would be a great place to ask.

rrrh1 (arch1)

 

There are multiple approaches to take.

The most obvious is to look at the HTML yourself (from a sandboxed browser). When legitimate sites are hacked, a script is added to the bottom of the HTML pointing toward a site hosting an exploit kit. Nowadays the script will be obfuscated, meaning made unclear so you can't tell where it goes. Look for "<script".

You can use Wepawet (http://wepawet.iseclab.org/), but some of the analysis needs to be done visually as I believe the exploit kits are trying to hide from it. Look at the requests and redirects at the bottom, and then research the external sites. When you've seen exploit kit links enough, it's clearer which are the dodgy links. If the analysis is successful, Wepawet will show what malicious downloads have been made, comment on malicious Javascript, etc.

Anubis lets you analyse a site in a different way (http://anubis.iseclab.org/).

You can also check websites with Virustotal.com or URLVoid (http://www.urlvoid.com/), for both scans as well as reputation.

Then there's more advanced analysis tools like Malzilla. I've a lot to learn to use that effectively.

PM me the URL if you want.