The Internet's Big Threat: Drive-by Attacks

Discussion in 'malware problems & news' started by ronjor, Oct 15, 2014.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,757
    Location:
    Texas
    http://www.securityweek.com/internets-big-threat-drive-attacks
     
  2. warpro

    warpro Registered Member

    Joined:
    Oct 15, 2014
    Posts:
    6
    Is this thing still a big threat as it was with java applets automatically disabled and the only method by which silent applets still execute being just Flash Player?
     
  3. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    From the end of the article, "To limit the risk of having drive-by malware attacks planted on their websites, organizations should monitor the payload of their different Internet properties, which for larger organizations can easily become a huge undertaking."

    In other words, it won't be done. The last para of the article was such comprehensive gobbledygook that even a seasoned TLA operative would be nonplussed. Again, it reads like, we're on our own.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    This has been a risk for the last 10 years, but it has only gotten worse. However, it's good for business, it will make selling tools like MBAE and HMPA (both anti-exploit) a lot easier.
     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
If you remove Java from the browser, and keep your operating system, browser, and browser plugins up to date, I believe you're statistically in pretty good shape.

    Related threads:
    H1 2014 Endpoint Exploitation Trends
    In a Zero-Day World, It’s Active Attacks that Matter (2012)
     
  6. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
Blocking JavaScript by default is the best approach to dealing with this. Java is not widely used these days but JavaScript is. That combined with having UAC active and using a limited user account will prevent drive-by installations. Even if a malicious script gets into a whitelisted site, it will still need administrator permission to install anything.
     
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Also, if someone is browsing from an admin account, I recommend setting UAC to max level to avoid UAC bypasses such as this.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
It does help, but you can still be tricked into letting all scripts run on a site. For example, if you want to download a video or see a picture. And if I'm correct, a lot of malware is able to install even with non-admin rights, so UAC will not help.

    What WILL help is using apps that are less exploited, like Opera Presto, instead of Internet Explorer or Firefox. On the other hand, nowadays even plug-ins running inside the browser like Flash get exploited too, so I'm not sure if it matters which browser you are running then, will do some reading.
     
    Last edited: Oct 17, 2014
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    True.

    UAC is helpful to avoid malware running with admin privileges.
     
  10. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    I strengthen file permissions manually so it is almost impossible to install anything without administrator rights. It would still be possible to run something from an unsecured file system on an external thumb drive but it wouldn't be able to install itself on my main drive.
     
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Post #5 should be helpful, although there is a time gap between the two analyses.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Will need to do some more reading, it's not clear to me yet, but I did read that some Flash exploits will only work when combined with a certain browser like IE, so that is quite good news.
     
  13. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    That's certainly an important step. From the article:

Also, as others have alluded to, using a script and/or ad blocker will further reduce the chances of attack, as well as using alternatives to IE. For user space applications, I have those areas restricted by granular (at least somewhat) AppLocker path rules, including DLLs, and monitored by Jetico Process Attack filter option. To boldly state, I consider my Win 7 x64 setup as close to bulletproof as possible without giving up usability. My Linux setups are no doubt even stronger.
     
  14. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
A little more on strengthening file permissions on a limited user account. Windows, by default, gives full control to a limited account's user data folder in the Users folder on the C: drive. So a limited user can execute software copied into that folder, which includes the desktop and all document folders for that user's account. That allows malware to run from any of these locations in a limited account. I change the limited user's default full control permission to list folder contents, read and write in the main permissions page and add delete and delete subfolders and files in the advanced tab. It is also necessary to check "replace permissions on all child objects" in the advanced tab to reset the permissions on every file and folder contained in the user's data folder. That seals one security gap that allows drive-by malware to run from a limited account after a drive-by installation. I also do the same on my data partition, but I do an even stricter scheme where all individual users are eliminated and there are just 3 groups: Administrators, System and Users. Administrators and System have full control and Users can only list folder contents, read, write, delete and delete subfolders and files.
     
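Added example, not MisterB's own steps (he used the Explorer security dialog): the permission scheme from post #14 applied from an elevated PowerShell prompt. The account name `LimitedUser` and profile path `C:\Users\LimitedUser` are placeholders, and the `probe.txt` check file is constructed for the demonstration.

```powershell
# Added example, not MisterB's own steps (he used the Explorer security dialog):
# the same scheme applied from an elevated PowerShell prompt. The account name and
# profile path are placeholders; adjust them for the machine.
$Account    = "LimitedUser"
$ProfileDir = "C:\Users\$Account"
$Identity   = New-Object System.Security.Principal.NTAccount($Account)

# Entry 1, folders only ("This folder and subfolders"). ReadAndExecute on a directory
# is what the GUI labels "List folder contents"; since the entry does not inherit to
# files, no file under the profile gains the Execute right from it.
$FolderAce = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $Identity,
    "ReadAndExecute, Write, Delete, DeleteSubdirectoriesAndFiles",
    "ContainerInherit",   # inherit to subfolders only
    "None",
    "Allow")

# Entry 2, files only. Read, Write and Delete without ExecuteFile: the account can
# still save and edit files, but cannot launch anything stored in its profile.
$FileAce = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $Identity,
    "Read, Write, Delete",
    "ObjectInherit",      # inherit to files
    "InheritOnly",        # does not apply to the folder itself
    "Allow")

# Replace the account's default Full Control entry on the profile root.
$Acl = Get-Acl -Path $ProfileDir
$Acl.PurgeAccessRules($Identity)    # remove every explicit entry for this account
$Acl.AddAccessRule($FolderAce)
$Acl.AddAccessRule($FileAce)
Set-Acl -Path $ProfileDir -AclObject $Acl

# "Replace permissions on all child objects": reset everything below the root to
# inherited-only ACLs so the two entries above govern Desktop, Documents and so on.
icacls "$ProfileDir\*" /reset /T /C /Q

# Check on a constructed throwaway file: the account's inherited entry must not
# include ExecuteFile (ReadAndExecute in Get-Acl output, X in icacls output).
$Probe = Join-Path $ProfileDir "Desktop\probe.txt"
Set-Content -Path $Probe -Value "test"
(Get-Acl -Path $Probe).Access |
    Where-Object { $_.IdentityReference.Value -like "*\$Account" } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
Remove-Item -Path $Probe
```

Run it while the limited user is logged off, since a loaded profile keeps files such as NTUSER.DAT open and the reset step will report them under /C and continue.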