Malvertising best practices

Discussion in 'other anti-malware software' started by Windows_Security, Apr 13, 2016.

  1. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,079
    Location:
    Netherlands
    Recently Dutch websites were targeted by malvertising.
    The attack scenario was simple:
    1 Advertisement triggered external script which redirected to
    2.Exploitkit checking for vulnarable plug-ins (Java, Flash, Silverlight, PDF)
    3.When vulnarable (not updated) embed exploit which initiated
    4.Automatic download of malware which
    5.Executed payload silently in the background

    Mitigations
    1. Use an Adblocker (free versions Adfender, Adguard, Adblock or uBlockOrigin)

    2. Use Exploit mitigation (free ones are MBAE for browsers and EMET for all propierty) and auto-update software

    3. Think out of the box, when you can't beat them, join them.

    Use the browser (Chrome) which business model is driven on advertising (Google). Delivering malware through ads kills the Google business model, so Chrome comes with some unexpected options:
    • Secured/simplified plug-ins: use Chrome Flash-player and PDF-reader not Adobe's

    • De-install plug-ins you don't or probably don't need (Java, Silverlight)

    • Enable Chrome's safe browsing (and SmartScreen on the desktop when on Win 8 and up)
      to stay way from 80% of the dark side of the internet.

    • Chrome or Chromium about://flags and enhance security
      Enable PPAPI Win32k Lockdown (choose option: All Plugins)
      Extension Content Verification (choose option: Enforce Strict)

    • Privacy Settings
      - Send a Do Not Track request (settings)
      - Block third party cookies and data (content settings)
      - Reduce default 'referer' header granularity (about://flags)
      - Disable Hyperling Auditing (about://flags)

    • Protect against retargeting tactics leaving tracking data and cookies to customize adds by installing some extensions:
      - Google's WebRTC Network Limiter (choose option: use default public IP)
      - Google's Analytics Opt-out
      - Google's IBA Opt-out
      - Tab Cookies (deletes Cookie and site data after closing the tab)

    Research shows that most new Top Level Domains have an infection rate of over 90%. Research also shows that 90% of the average PC users frequent less than 5 Top Level Domains! So why not limit javascript and plugin AUTOPLAY to a few Top Level Domains (and secure HTTPS websites).
    • Javascript
    - Do not allow any site to run Javascript
    - Manage Exceptions
    HTTPS://*:443 (allow all secure sites)
    [*.]GOV (government, no use in the Netherlands, US based)
    [*.]MIL (military, no use in the Netherlands, US based)

    [*.]EDU (education)
    [*.]ORG (public now open for all)
    [*.]NET (network organizations)
    [*.]COM (many Dutch websites have suffix COM for commercial)
    [*.]NL (your country domain, mine is NL for Netherlands)
    [*.]EU (some Dutch websites use EU for Europe, in US you could use your state's suffix)

    • Plugins
    - Let me choose when to run plugin content
    - Manage individual plugins (disable all plugins you don't need), deselect "Always allowed to run"
    - Manage Exceptions (same as with Javascript)

    HTTPS://*:443
    [*.]EDU [*.]ORG [*.]NET [*.}COM
    [*.]NL (your country domain)
    [*.]EU (your region/state's suffix)

    • Good set and forget option for average users, allowing exceptions is also very easy
    Chrome will show when cookies, javascript or plugins are blocked, run them by adding them to the exceptions​
    upload_2016-4-13_11-40-6.png
    upload_2016-4-13_17-19-3.png
     
    Last edited: Apr 14, 2016
  2. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,079
    Location:
    Netherlands
    I know you can also install a Script Blocker, like Script blocker for Chrome and allowing only same domain (forget about javascript and flash AUTOPLAY limitation on high level domains). Advantage of ScriptBlocker for Chrome is easy to toggle on and off (normal browsing falling back to the ad blocker only) with visual feedback in icon (number of 3rd-party scripts/iframes/plugins blocked or "STOP"). Good option for intermediate users (using it on demand for dodgy browsing).

    upload_2016-4-14_18-7-16.png


    upload_2016-4-13_12-40-43.png
     
    Last edited: Apr 14, 2016
  3. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,079
    Location:
    Netherlands
    For the people liking to micro manage (most forum members) use uBlock origin as an alternative to ScriptBlocker for Chrome and enable Advanced options. Advantage of uBlock0 you don't need a separate adblocker, but it is the most strict blocker (so uBlock0 could block something when you don't want to block it). Another advantage is that it also offers the malvertising blocklist of Disconnect. Good option for Advanced users (it also has many options to find out what to allow).

    upload_2016-4-13_12-47-1.png
     
    Last edited: Apr 15, 2016
  4. Kid Shamrock

    Kid Shamrock Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    207
    If you allow COM suffix aren't you allowing a huge number of websites?
     
  5. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,079
    Location:
    Netherlands
    @Kid Shamrock Yes, that is true and also the idea of set and forget (hardening) measure without function degradation or micro management.

    Although Verisign is doing a great job at keeping the misuse of COM domains down, other security sources mention infection rates of 25 to 35 percent (of COM domains).

    Since ORG is not used for public instances solely anymore and control on NET(work) organizations has lowered, those domains are also used by malware currently (although NET and ORG have lower infection levels of 15 to 25 percent).

    So why bother to limit javascript and plugin AUTOPLAY to a few TLD's (Top Level Domains)?
    Reports on latest Exploit kit and Ransomware infections show that this TLD limitation reduces the infection risk with 60 to 90 percent, because a COM website may be intruded with malvertising, the server hosting the exploit is often hosted on more exotic or less controlled TLD's. Considering the fact that most people never use more than 5 TLD's, it is NOT the primary line of defense you should depend upon, but a simple additional threshold to reduce infection risk.
     
    Last edited: Apr 14, 2016
  6. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    791
    Location:
    India
    uBlock is dead and is no longer in development. It is to be used only when one using Safari.

    And there are many differences when compared to uBlock Origin. Following are missing on the dead fork :) -
    • Universal Logger
    • Surrogate filters (It is extended beyond script resource type)
    • Inline script filters (though this is available only to Gecko based browsers. i.e., Firefox and its derivatives)
    • scriptlet filters (introduced in v1.5.0)
    • Ability to create static/dynamic-url filters through Universal Logger
    • popup type filter is enhanced to block popunders too!
    • DOM Inspector Tool
    • And many improvements to the code
     
  7. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,079
    Location:
    Netherlands
    @harsha_mic

    Off Topic - The origin is dead (uBlock), the fork is active (Origin) :confused:

    On Topic - Edit: removed uBlock references in above posts, uBlockOriging is mentioned only. Good to see development of uBlockOriging resulting in more features and more tweaking options for more effective micro blocking, (as I recal ų meant mikros in Greek).
     
    Last edited: Apr 13, 2016
  8. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    658
    Location:
    Italy
    Privacy and Security do not get along very well.
    Tor Browser is the best model of browser for the privacy.
     
  9. yeL

    yeL Registered Member

    Joined:
    Aug 10, 2015
    Posts:
    50
    Good information, thanks for sharing.

    Although, it would be good if you mentioned what these "settings" are supposed to do:

    Enable PPAPI Win32k Lockdown (choose option: All Plugins)
    Extension Content Verification (choose option: Enforce Strict)
    Reduce default 'referer' header granularity (about://flags)
    Disable Hyperling Auditing (about://flags)
     
  10. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,079
    Location:
    Netherlands
    @yeL sorry, these are the short descriptions

    Enable PPAPI Win32k Lockdown
    (all plugins)
    Blocks access to half of the kernel for all plugins. This reduces the attack surface, hence the risk of them being misused by exploitkits. This is an OS-feature of Windows 8 and above (which is also used as part of AppContainer in Win8 and above). So increases security

    Extension Content Verification (strict)
    Some Chrome extensions turn into malware. When an extension is added to Chrome store it is eveluated (checked). This setting verifies the hash of the extension file on disk with the one which was evaluated in the Chrome store. If they don't match the extension is disabled. So increases security

    Reduce default 'referer' header granularity
    Reduces the information about referring websites shared with others as you browse the web, when you go from one website to another (when not asked for it by the website you have clicked on). So increases privacy

    Disable Hyperlink Auditing

    Disable sending hyperlink auditing pings. Another link being pinged or notified when you click on a link. So increases privacy
     
    Last edited: Apr 14, 2016
  11. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,079
    Location:
    Netherlands
    Another option for Windows 8 and above in about://flags is

    Enable AppContainer Lockdown
    Runs the chrome subprocesses in AppContainer (Enhanced Protected Mode) in stead of low integrity level. This is a process-isolation environment introduced in Windows 8, see link This makes the Chrome Sandbox stronger.

    Last time I checked when using free MBAE the dll of MBAE which monitors for exploit behaviour is also blocked. I have asked at MBAE thread whether this reduced the effectiveness of MBAE (MBAE-dll is still injected in Chrome broker process), but have not got an answer. Anyone having info on this feel free to post.
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,046
    Phew, there is no free lunch, so it's just a matter of how you pay.

    Kees, you are the master, at coming up with excellent work solutions with no monetary outlay, but the above is too much for me. First I won't use chrome, but I do use Firefox and Noscript. Secondly I use Sandboxie paid version and I don't need to worry about any of the above. If I know I am going in harms way, I use Shadow Defender on top of it, and I just relax and enjoy
     
  13. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,079
    Location:
    Netherlands
    @Peter2150 ,

    For starters no discussion about Shadow Defender, it is a great application, so let's skip that out of the equation. When using Firefox (running at medium level), you need an additional sandbox (Comodo, Avast, RE-HIPS, Cybergenic Shade, BufferZone, Sandboxie) to compensate for its missing internal sandbox. So let's leave Sandboxie also out of the equation.

    Now assume one only implements post 1,then one would
    - install MBAE-free (one action)
    - set four about://flags (one URL action, four settings + two options = 7 actions in total)
    - adjust two Chrome settings (four mouse click actions)
    - set javascript (one setting, say 6 TLS's and HTTPS = 8 actions in total)
    - set plugins (two settings plus above 6 TLD's and HTTPS = 9 actions in total)
    - install four Chrome extensions (with two options to select = 6 actions in total)

    This totals out to 35 actions (being mouse clicks and entering field data), just for fun:

    How many settings do you have tweaked in Firefox and Noscript and how many sites do you have whitelisted in Noscript (remember a simple mouse click is also an action)? Fair chance you have put more effort into configurating and whitelisting Noscript.

    Regards Kees
     
    Last edited: Apr 14, 2016
  14. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    304
    Location:
    Philippines
    Thanks for this, @Windows_Security!
    I've taken the steps, not all the steps though because I have uMatrix, Adguard (Desktop version), HMP.A, KIS, ZAM Premium, and AppGuard.
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,046

    Okay, but problem is this. Sandboxie is in the equation, so why leave it out. I would have to then say I will leave out most of your steps, as I WILL NOT run chrome, period. Also I already have HMPA.
     
  16. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,079
    Location:
    Netherlands
    @Peter2150I am not forcing or telling you to use Chrome. Something got lost in the translation. With out of the equation, I meant use it happily and don't count the settings you have tweaked for (several) sandboxes as actions (to compare work needed for setting it up).

    My point was that Chrome offers some amazing features to mitigate malvertising because their business is build on advertising. They will for sure make life harder for adblockers and on the other hand provide new countermeasures to fight malvertising.
     
    Last edited: Apr 14, 2016
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,046
    Hi Kees

    Fair enough. ANd for some folks your way is excellent, but just not for me. I take the SBIE and SD way with Firefox.
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    I know what you mean, with step 1 and 2 you will already be safe regardless of which browser you're using. And of course the HMPA/MBAE + SBIE combo is almost bulletproof.
     
  19. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,079
    Location:
    Netherlands
    Last edited: Apr 17, 2016
  20. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,631
    Location:
    Toronto, Canada
    This looks very promising. I appreciate how the Chrome devs are utilizing the underlying OS mechanisms for more containment/compartmentalization purposes. Protecting iframes will serve as a great next step.
     
  21. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,872
    Is there any particular reason why you will not run chrome.?..sorry im just curious.
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,046

    I'll PM You
     
  23. yeL

    yeL Registered Member

    Joined:
    Aug 10, 2015
    Posts:
    50
    Regarding the about:flags settings, you can easily reach them using their own links instead of searching.

    Code:
    chrome://flags/#enable-appcontainer
    chrome://flags/#enable-ppapi-win32k-lockdown
    chrome://flags/#disable-hyperlink-auditing
    chrome://flags/#reduced-referrer-granularity
    chrome://flags/#extension-content-verification
    Just thought of sharing this. :)
     
  24. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,079
    Location:
    Netherlands
    @yeL Thsnks I did not know, I always use to search for them (especially in Dutch version it is hard to recognise the translation)

    Besides above about://flags security and privacy options I have also enabled:

    chrome://flags/#enable-site-per-process
     
    Last edited: Apr 21, 2016
  25. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,079
    Location:
    Netherlands
    Forgot to mention: when enabling site-per-process the extension tab-cookies does not work anymore (which is logical sinds site per process isolates sites, so cookies exist, bu should not be able to get stolen by other websites for retargetting). Since I like the less-is-more approach I have removed tab-cookies.