Drive-By-Downloads

Discussion in 'malware problems & news' started by Omar Owens, Oct 7, 2020.

  1. Omar Owens

    Omar Owens Registered Member

    Joined:
    Oct 7, 2020
    Posts:
    1
    Location:
    Pennsylvania
    As many can relate, I personally have also been a victim to this malicious procedure performed by hackers. The typical scenario is that one clicks on a promising website and then within milliseconds a file is automatically downloaded and displayed on the bottom of your screen.

    This can either be fortunate or unfortunate. The fact that it shows on the bottom of my screen (with a loading icon) gives me about five seconds to cancel the download which is just enough time. Does cancelling the download in time prevent the malware from infecting my computer? Or has it already been too late?
     
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,324
    Location:
    Slovenia
    I guess that "it shows on the bottom of my screen (with a loading icon)" means at the bottom of your browser? If your browser is downloading a file then it probably means that you would have to run or open it to get infected. If that's the case I would just stop the download, close browser and delete browser cache. You can also use some on-demand scanners for your peace of mind.
    A poll with a list of on demand scanner can be found here: https://www.wilderssecurity.com/thr...ers-do-you-use-please-list-your-votes.379874/

    EDIT: also make sure to update your OS and apps to prevent drive-bys that exploit vulnerabilities.
     
  3. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,303
    You can stop the download assuming you have enough time.

    I think malware file size are typically small.
     
  4. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    7,929
    Even if the file is malicious, it can not infect or harm your system until you actually open it. When it's just sitting in your downloads folder, it will be harmless and you can just delete it.
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,324
    Location:
    Slovenia
    Quote from OP:
    "The fact that it shows on the bottom of my screen (with a loading icon) gives me about five seconds to cancel the download which is just enough time."
     
  6. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,820
    Location:
    Among the gum trees
    Absolutely no expert here, but isn't some malware self executing, not needing users interaction?
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,616
    Location:
    USA
    Yes, if it uses the right type of exploit.
     
  8. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    7,929
    It is possible to be infected by an exploit, just by visiting an infected website. But I believe that if a website actually downloads a file normally, you would need to open that file to get infected. I could be wrong.
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,616
    Location:
    USA
    I think in most cases you will need to open/execute the file manually to become infected.
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,616
    Location:
    USA
    If you don't mind me asking, what OS and security software do you use?
     
  11. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,820
    Location:
    Among the gum trees
    I know I've seen either Norton or Malwarebytes block either, "Known attack signature", or "Trojan" on my machines at different times, which makes me question the OP's antivirus, or other PC security.
     
  12. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    7,929
    No antivirus will detect all threats, so no matter what security software you use, some malware will be undetected. Also, if he was to actually open the infected file, then maybe his antivirus would detect and block suspicious behaviour.
     
  13. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,820
    Location:
    Among the gum trees
    Roger, I never said any one AV would detect all threats. My example above from multiple times just by clicking a link to a website, not even getting there, and certainly not downloading anything at all. That is a layer above detecting threats that have been downloaded.

    Anyway, I'll leave this thread to the more knowledgeable members.

    Cheers.
     
  14. login123

    login123 Registered Member

    Joined:
    Jul 12, 2007
    Posts:
    172
    Also no expert here. But, would not a virtualization software such as Sandboxie, Shadow Defender or the old Powershadow for XP prevent permanent damage?

    These have worked for me on win 7 and XP, but I'm not sure how widely effective they are.

    If used with a file backup regimen, wouldn't they protect us?
     
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,616
    Location:
    USA
    Shadow Defender and Powershadow would prevent the infection from being persistent, since all changes to your drive would be removed each time you reboot, but it would not protect you at all during the time you are infected before rebooting. So if you where doing some online shopping, etc.. while infected before rebooting, the hacker could still obtain your debit card information or other payment information if the malware had that capability.

    Sandboxie is different since it does use some policy protection and other protection mechanisms (hooking, etc.) you can enable to prevent malware from installing or limit what the malware is able to do in the sandbox. Some of those protections have to be enabled by the user since they do not come enabled by default. I haven't used Sandboxie much so you would need to ask someone else for configuration advise. I have heard that malware running inside Sandboxie's sandbox can still connect out to the internet with default settings. If you use Sandboxie then ask some of die hard users here on configuration advise. Sandboxie is also different since it only virtualizes a certain portion of your hard drive that is being used by a vulnerable app, when Shadow Defender on the other hand virtualizes your entire drive. With Sandboxie you need to empty your Sandbox to prevent persistence, and with Shadow Defender you need to reboot.

    So, in my opinion, Shadow Defender which offers system wide virtualization (not exactly how it works, but the easiest description for most to understand; it is system wide though) is more full proof in making sure malware does not remain persistent once you have rebooted, but offers no protection at all until you reboot. On the other hand, Sandboxie which virtualizes only a certain portion of your hard drive which is being used by a vulnerable application, provides actual protection to not allow the infection to occur to begin with, especially when the user enables additional security settings in Sandboxie's settings.
     
  16. login123

    login123 Registered Member

    Joined:
    Jul 12, 2007
    Posts:
    172
    Good explanation. Thank you.

    It seems that if one also had a real time antivirus and an effective firewall running, the damage would be much limited?

    I once clicked on a harmless looking news link with Powershadow running. Without warning the XP computer rebooted. It was not configured to do so. When it came back, every change made while shadowed was gone. Including the active 'net connection. I have always assumed that some malware had tried to install & reboot.

    When I went back to the site, that news link was gone.

    Don't mean to hijack this topic, but that seems similar to Omar Owens description, except that here the download restarted the computer, maybe to install itself.

    Fwiw, the bad actor got past the AV, the firewall, and Sandboxie.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.