
New Tool Blocks Downloads From Malicious Sites

timothy posted more than 3 years ago | from the we're-from-the-government-and-we're-here-to-help dept.

Security 192

Hugh Pickens writes "Science Daily Headlines reports that a new tool has been developed (funded by the National Science Foundation, US Army Research Office and US Office of Naval Research) to prevent 'drive-by downloads' whereby simply visiting a website, malware can be silently installed on a computer to steal a user's identity and other personal information, launch denial-of-service attacks, or participate in botnet activity. The software called Blade — short for Block All Drive-By Download Exploits — is browser-independent and designed to eliminate all drive-by malware installation threats by tracking how users interact with their browsers to distinguish downloads that received user authorization from those that do not. 'BLADE monitors and analyzes everything that is downloaded to a user's hard drive to cross-check whether the user authorized the computer to open, run or store the file on the hard drive. If the answer is no to these questions, BLADE stops the program from installing or running and removes it from the hard drive,' says Wenke Lee, a professor in the School of Computer Science in Georgia Tech's College of Computing. Blade's testbed automatically harvests malware URLs from multiple whitehat sources on a daily basis and has an interesting display of the infection rate of different browsers, the applications targeted by drive-by exploits, and the anti-virus detect and miss rates of drive-by binaries."


192 comments

Not new, vaporware (4, Informative)

Rurik (113882) | more than 3 years ago | (#33853662)

Great idea, and I can't wait for it to surface. But, don't get your hopes up. Brian Krebs reported on this back in February (http://krebsonsecurity.com/2010/02/blade-hacking-away-at-drive-by-downloads/) and it's been vaporware the entire time. Demo videos look great, but there has been absolutely no public movement on the project since this spring.

When it gets released, THEN post something to /.

Re:Not new, vaporware (3, Insightful)

Moryath (553296) | more than 3 years ago | (#33853848)

I don't know about progress or eventual usability, but they definitely come up pretty high on the "tortured acronym" list...

Re:Not new, vaporware (0)

Anonymous Coward | more than 3 years ago | (#33854066)

I'm just surprised to see my OS Design professor's name on Slashdot's front page. Will have to ask him a question about it on Tuesday!

Re:Not new, vaporware (1)

SigNuZX728 (635311) | more than 3 years ago | (#33855472)

Yeah, ask him when it will be done.

Which OS? (-1, Flamebait)

Anonymous Coward | more than 3 years ago | (#33853686)

If you have a needle in your arm that makes you bleed, you don't try to stop the bleeding, you remove the needle.

Make Microsoft Windows ILLEGAL and we'll have taken care of 99.9% of the bullshit that happens on the internet.

Re:Which OS? (1, Insightful)

Abstrackt (609015) | more than 3 years ago | (#33853758)

Make Microsoft Windows ILLEGAL and we'll have taken care of 99.9% of the bullshit that happens on the internet.

Sorry, but how does that stop people from giving their credit card number to a purple hippopotamus or from buying whatever spam advertises?

Re:Which OS? (0)

Anonymous Coward | more than 3 years ago | (#33853806)

That's like saying we shouldn't remove deadly exploding cars from the roads because 5% of the drivers are too stupid to drive. There's no link between the two. We can fix the Windows problem by removing it from the internet. Fixing users is done via education.

Re:Which OS? (0, Flamebait)

Anonymous Coward | more than 3 years ago | (#33853920)

Wrong. Fixing users is done by applying a large sledgehammer to the heads of those too stupid to be allowed to continue existing...

Re:Which OS? (2, Funny)

Anonymous Coward | more than 3 years ago | (#33854078)

I call this Gallagher Conditioning.

Re:Which OS? (3, Interesting)

vux984 (928602) | more than 3 years ago | (#33853950)

That's like saying we shouldn't remove deadly exploding cars from the roads because 5% of the drivers are too stupid to drive. There's no link between the two. We can fix the Windows problem by removing it from the internet. Fixing users is done via education.

Right. But the percentages are wrong... the original asserted that removing windows would fix 99.9% of the bullshit on the internet. The parent correctly pointed out that it would do no such thing. "user" issues account for far more than 0.01% of the problem. Removing the Windows "exploding cars" might not even make a dent.

That's not to say we shouldn't remove the exploding cars, but we shouldn't justify it by claiming it's going to fix the internet in any meaningful way.

Moreover, the windows as exploding car metaphor is flawed, because the OSX and Linux cars are not really inherently that much more secure in the hands of lowest common denominator users. If you pull the exploding windows cars off the internet within a few months you'll have exploding osx and linux cars to contend with.

Idiot users will let malware infest their systems regardless of what OS they are given if the malware asks them to. Right now, most malware doesn't work on Windows, but if you banned windows overnight, then a week later the internet would be a crap flood of malware that worked on linux or osx.

(Probably linux, because there is no way people could switch to OSX without buying apple hardware...so it would be a less popular choice.)

Re:Which OS? (1)

Abstrackt (609015) | more than 3 years ago | (#33854262)

It's more like saying removing a specific brand of car that suffers from regular breakdowns from the road would prevent 99.9% of all traffic accidents, despite the fact that the drivers themselves account for a measurable portion (more than 0.01%) of said accidents.

To that end, I think this software is kind of like having a passenger who helps you operate the vehicle more safely by giving you one less thing to worry about. User education is an important part of computer security but it can be discouraging for users to try at all if there are pages that can infect their computer without their interaction.

Re:Which OS? (0)

Anonymous Coward | more than 3 years ago | (#33854294)

> despite the fact that the drivers themselves account for a measurable portion (more than 0.01%) of said accidents

The drivers *of one particular type of vehicle* account for a measurable portion of said accidents. It isn't the Linux users randomly clicking on "FunnyDancingMonkey.jpg.exe" and then wondering why their modem lights are blinking so much more now.

When the specific brand of car that's breaking down all the time is ALSO the specific brand of car with the drivers causing all the accidents even when the car itself isn't at fault, well... maybe it's time to take that brand off the public roads.

Re:Which OS? (2, Insightful)

Anonymous Coward | more than 3 years ago | (#33854392)

So, let's take that same idiot user and set him up with a nice Linux distro. Say Mint or Ubuntu. Wait a few months and check his machine. It is probably fine. Now do the same to 4 billion more Windows users. Wait 6 months. Do you really believe the scum that put out malware and the like are going to just walk away from the gravy train? Hell no. They will target these same "dumb" users. (BTW, these users might be brilliant in their field; I am only putting them in the "dumb" as computer users. I personally am in the "dumb" category when it comes to something like quantum physics.). It is trivial to write the same "click here to see bewbs" code on any OS. Users grant it admin rights. Most users are clueless. How did this clean up the problem? It just transferred it to a different OS.

Re:Which OS? (0)

Anonymous Coward | more than 3 years ago | (#33854536)

Linux hides less of what's really happening. Bewbs.jpg.exe does NOT show up as Bewbs.jpg on Linux, so it's a lot more obvious that what you're about to click on might jack your machine.

Linux has vetted repositories for obtaining software; you don't have to get much stuff from random untrusted web sites and so on.

Linux doesn't auto-run executables from untrusted media you insert into your machine.

So yes, it would be a much better situation. Perfect? No. But a lot better.

Contrast, "Hey Joe, run this exe! It's fine, honest!" to "Hey Joe! Here's a nice program, you can get it via apt-get install digikam".

Which is more likely to be safe for the end user?

Re:Which OS? (1)

mlts (1038732) | more than 3 years ago | (#33855354)

What is ironic is that Microsoft is doing exactly just this in Windows 8. Software will come from a store/repository. So, if a user wants a copy of SuperDuperPooperScooper, they will just look it up on the store, have it downloaded and installed. Couple this with signed executables and a big warning before running executables that were obtained from other than that store, and it will help reduce the dancing bunny problem. Not completely eliminate because the pr0n sites with their "pr0n viewer codecs" will have step by step directions to disable this, but at least it will be something in place.

Couldn't resist... (1)

znerk (1162519) | more than 3 years ago | (#33855558)

That's like saying we shouldn't remove deadly exploding cars from the roads...

There are still Ford Pintos [howstuffworks.com] being driven on the road today.
I saw one last week, driven by what appeared to possibly be the original owner. Beautiful condition (the car, not the owner).

Or a golden giraffe? (0)

Anonymous Coward | more than 3 years ago | (#33854138)

"... to a purple hippopotamus..."

Okay, then, how about a pink hippopotamus? Not that either?

Re:Which OS? (2, Insightful)

hairyfeet (841228) | more than 3 years ago | (#33855094)

I know I shouldn't feed the troll but wtf, I'm bored. You sir MR AC, are falling victim to "magical thinking" made all the worse because it is pretty obvious you are a hardcore FLOSSie, which means you treat your OS as a religion instead of a tool. FLOSS IS good if you know what you're doing but it isn't a magic miracle cure. You see ALL OSes have weaknesses, full stop. Or are you forgetting the SIX YEAR OLD X flaw that was just patched recently? And magical thinking is "product X will SAVE us!" which never works because it just makes you lazy to security best practices. The latest windows? Actually pretty damned secure if it weren't for dumbasses behind the keyboard or as we in the repair biz like to call them the "ID10T errors". The biggest bug going around right now I'm seeing is Security Tool variants that the user INSTALLS just because a website presents a pop up or warning banner similar to a Windows one and offers them a "free AV" product.

Now can you name a SINGLE thing there that is Windows specific? Can they make a dialog box look like an Ubuntu one? Not a problem there. Does the user have the right to install on their own machine? Yep again. Will putting them on a different OS magically make them stop clicking on stupid shit? Not a chance in hell pal, I should know because I done tried it. I had a customer that was a "must click on teh prons!" type of dumbass, so I put him on a Linux (it was either PCLOS or Mepis, which ever had the newest release ATT) and he made it completely unbootable in less than a week. How did he do that? By deciding he didn't like that whole "package manager thingie" and instead googling "Linux programs" and installing a bunch of shit off fresh meat that put him in dependency hell.

So you see MR FLOSSie AC, despite the fact that we here on /. have to deal with a dozen "Ban Windblowz LOL!" posts on anything even remotely having to do with windows, magical thinking does not and will never work because the ONLY true security is a top to bottom approach running everything with least permissions and not installing random shit from the web. If you made Linux 100% of the market tomorrow not 24 hours later people would be getting "Happy kitten screensave" .sh, with instructions on how to install same and they would do it or are you forgetting those that got infected by installing random KDE themes from KDELook?

i'm a butt-slut (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#33853688)

and i suck dick for cash.

Discuss.

It's not yet available (2, Insightful)

SpacePunk (17960) | more than 3 years ago | (#33853722)

Just like flying cars, warp travel, or a cure for cancer.

WTF folks. Why link it if it's not available? Sure, the "golly gee wiz" effect might get a whole five minutes if someone reads very slowly, but if it's not available then linking to it doesn't do anybody any good. By the time it does become available it will be long forgotten to all except those that make out a 3x5 card, and tack it up on the wall.

Prior art (2, Interesting)

srussia (884021) | more than 3 years ago | (#33853742)

From TFS: "BLADE monitors and analyzes everything that is downloaded to a user's hard drive to cross-check whether the user authorized the computer to open, run or store the file on the hard drive. If the answer is no to these questions, BLADE stops the program from installing or running and removes it from the hard drive.

Sounds like Mac OS X.

Re:Prior art (2, Interesting)

Kemanorel (127835) | more than 3 years ago | (#33853790)

I was thinking more along the lines of:

Well, it's called Tron. It's a security program itself, actually. It monitors all contacts between our system and other systems. It finds anything going on that's not scheduled, it shuts it down. I sent you a memo on it.

Life mirrors art? Then again, maybe I just have Tron on my brain after seeing an extended 3-D preview of Tron: Legacy at Disney's California Adventure on Friday. If anyone reading this can, I highly recommend visiting DCA to see the ElecTRONica section they have going on (Friday through Sunday nights). Flynn's Arcade is pretty well done.

No, I am in no way affiliated with Disney either. Just a fan of Tron.

Re:Prior art (1)

electrostatic (1185487) | more than 3 years ago | (#33853802)

"...to cross-check whether the user authorized the computer to open, run or store the file on the hard drive."

I run Windows in admin mode, which of course permits these activities. Thus it seems BLADE would do nothing for me and my ilk.

Re:Prior art (1)

Angst Badger (8636) | more than 3 years ago | (#33854082)

Sounds like Mac OS X.

Except that Mac OS X isn't funded by the US military. I'm not an Apple fan, but their motives are all up front: they want your money.

Re:Prior art (1)

stephanruby (542433) | more than 3 years ago | (#33854504)

It also sounds like many of the firewall solutions we have today. We have firewalls that already block malware infested sites, through either the host file or through their own mechanism, and that will intercept/sandbox/delete anything that gets downloaded/launched without the user's explicit permission. And we have firewalls/anti-virus solutions that automatically update themselves with the latest lists of blocked ip addresses, the latest lists of virus/malware signature definitions, and several that will even send a suspicious program (with the user's permission) back to the anti-virus software/firewall manufacturer for deeper analysis when that becomes necessary.

And even that, those solutions haven't been successful at blacklisting every malware site, or guaranteeing that the user won't download and install themselves a cute screensaver program -- along with the latest Gator program or the very latest suite of malware programs. So if BLADE is doing anything new, or doing it better than anyone else, that's not clear from the article (although, I've got to hand it to them, even without a working downloadable demo, they've been quite successful at publishing duplicate news about themselves through Slashdot, so if they have a scripted solution for Slashdot submissions, at least that part seems to be working just fine).

Re:Prior art (1)

mlts (1038732) | more than 3 years ago | (#33855480)

We have those solutions (BlueCoat for one). However, most of the infections don't come from sites with good network security admins that have the budget for those appliances. Some malware gets past the firewalls (likely someone deciding they can tether their corporate PC to their cellphone and download pr0n that way) hits a company with competent network admins, the IDS blows, then the offending machines will be booted off the switch and shunted to a remediation server so fast, the bits will fly.

The infections come from Joe Sixpack with his cable connection, no firewall except for the Windows default (which perhaps he or malware switched off), an expired antivirus subscription of whatever was on the PC when he bought it from the Big Box store, and Joe's absolute lack of caring about security whatsoever. These are the people that keep Best Buy in business when Geek Squad has to go over to someone's place every 3-6 months and put a new OS on the machine (charging for a new copy of Windows).

Joe Sixpack doesn't care to spend money on security, which is why his machine isn't behind a home router. He just wants the minimum it takes to drool over the nudie pics, send E-mails to buds, and get himself banned off of chat channels. The money he should be spending for security he would rather spend on more Bud Light six packs.

BLADE and such are good, but this technology needs to be pushed onto Joe and be made part of the os. This way, he sees a dialog that the boobie site he is looking at is trying to download something to his computer and kick off an executable. At least here, he will call someone up who might have a clue and several more teeth to ask about it before clicking "OK" and crushing another can of the Silver Bullet on his forehead.

Re:Prior art (1)

alexandre_ganso (1227152) | more than 3 years ago | (#33855012)

sounds like what every anti-virus should be doing.

Re:Prior art (1)

mlts (1038732) | more than 3 years ago | (#33855560)

I'd rather have it part of the OS. Almost all the functionality of antivirus programs should be at a lower level, although having signature scanning and the host based IDS available from different vendors will make it harder for a blackhat to make a "one size compromises all" piece of malware.

Ideally, it would be nice to have some features as part of the OS, including (but not limited to):

IP blacklisting. Of course, stuff can be whitelisted, but having the ability for a machine to grab a database of IPs that would be blocked at the kernel level would prevent malware from phoning home if it didn't have admin/root access.

An IDS. False positives would drive users batty, of course, but it would be something more knowledgeable users would be able to turn on.

Sandboxie, or the ability to redirect writes to a dedicated folder. This way, some malware thinks it has admin rights and can take its toll on the machine, when in reality, all it is doing is crapping in its little playpen, and not infecting the machine. This is a feature that should be in all operating systems and enforced from the hardware level up. This wouldn't be true virtualization, but just enough that an application can read from the OS and its filesystems, but allow all writes to be redirected to an undo log.

And of course as the ultimate step against malware, all operating systems need backup and restore functionality. This includes snapshots (so open files can be saved), encryption, synthetic fulls (so users don't have to care about full/differential/incremental), and so on. Ideally, OS media shouldn't even be needed for a bare metal -- after a confirmation that even Joe Sixpack will understand, the BIOS should be able to kick off the restore process.

Interesting idea (1)

improfane (855034) | more than 3 years ago | (#33853756)

But the data available to the browser and the programmability of the web browser must be inconsistent - there must be something that a webpage can do that is impossible to detect whether or not a human or a computer did it.

Take clickjacking for example, you trick people into clicking somewhere.

Although I love the idea. This could be extended to be social too: how many people ACTUALLY initiated this installation compared to it happening by itself? If nobody initiated it themselves, you can safely brand it malware (and apply pressure to organizations who do not provide non-invasive installers)

Re:Interesting idea (1)

mysidia (191772) | more than 3 years ago | (#33853972)

This raises an interesting question... if the software relies on user stupidity to click 'Yes' to a bunch of security warnings, is it really malware?

Re:Interesting idea (1)

EvanED (569694) | more than 3 years ago | (#33855306)

But the data available to the browser and the programmability of the web browser must be inconsistent - there must be something that a webpage can do that is impossible to detect whether or not a human or a computer did it.

I saw the BLADE talk at the CCS conference this past week where it was published, and they at least claim that they can tell. What they say is that they actually look at the physical input from the mouse & keyboard to determine whether the user explicitly downloaded something. (If not, they quarantine it so it can't be executed.) Basically the only way around that is to compromise the OS, at which point you can't really do anything.

No faking events to forge clicks on OK or whatnot.

Take clickjacking for example, you trick people into clicking somewhere.

The web page can trick the user into consenting to download an EXE and running it, but their goal isn't to prevent attacks like that. Drive-by-downloads explicitly don't require user interaction.

Shenanigans! (1)

webmistressrachel (903577) | more than 3 years ago | (#33853762)

This is stupid. Consider the following scenarios:

1) I use Firefox to dl malware on purpose. I double click on it in download manager, and answer yes. BROWSER launches the process. It installs.

2) I am hit by a drive-by website. BROWSER launches the process. It installs.

How the hell is this vapourware supposed to know the difference between my clicks and the browser's imaginary clicks? (for want of a better metaphor...)

Re:Shenanigans! (1)

Peeteriz (821290) | more than 3 years ago | (#33853804)

Track the dialog-boxes that are shown on screen and your mouse clicks from a separate application that is (hopefully) invulnerable to whatever the webpage can do to your browser.

If the standard dialog-box was not shown on screen and the mouse didn't click there, then block the download.

Mod up (1)

EvanED (569694) | more than 3 years ago | (#33855320)

This isn't speculation (or if it is, it's very good speculation); this is what BLADE actually does.

(I'm not sure if they use a separate application or an OS-level driver or what, but the basic idea is there: if the user moved the cursor over the "save" button on the download dialog, the user requested it. If not, then the user didn't request it.)
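The check Peeteriz describes and EvanED confirms, modelled as an added example that is not BLADE's or the thread's own code: dialog state, physical mouse input and browser file writes are correlated, and a write is allowed only when a hardware click hit the Save button of a visible dialog shortly before it. The event format, the consent window, process ids, coordinates and the sample event stream are all constructed assumptions.

```python
"""Toy model of a BLADE-style authorization check, as described in the
thread: a file written by the browser is allowed only if a download
dialog was on screen and a click from the physical mouse landed on its
Save button shortly beforehand.  Added example; event format, timings,
process ids and coordinates are all constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# How long one Save click stays valid for the process that showed the
# dialog.  Assumed value; BLADE's real window is not stated in the thread.
CONSENT_WINDOW = 5.0


@dataclass(frozen=True)
class Rect:
    """Screen rectangle of a dialog's Save button (pixels)."""
    x: int
    y: int
    w: int
    h: int

    def contains(self, px: int, py: int) -> bool:
        return self.x <= px < self.x + self.w and self.y <= py < self.y + self.h


@dataclass
class Monitor:
    """Correlates dialog state, hardware input and browser file writes."""
    dialogs: Dict[int, Rect] = field(default_factory=dict)    # pid -> Save button
    consent: Dict[int, float] = field(default_factory=dict)   # pid -> click time
    verdicts: List[Tuple[str, str]] = field(default_factory=list)

    def handle(self, ev: dict) -> None:
        kind = ev["kind"]
        if kind == "dialog_shown":
            self.dialogs[ev["pid"]] = ev["save_button"]
        elif kind == "dialog_closed":
            self.dialogs.pop(ev["pid"], None)
        elif kind == "click":
            # Only input that came from the physical device counts.  A click
            # injected by software (e.g. by a compromised page or plugin)
            # never reaches the consent table, which is the point EvanED makes.
            if ev["source"] != "hardware":
                return
            for pid, rect in self.dialogs.items():
                if rect.contains(ev["x"], ev["y"]):
                    self.consent[pid] = ev["t"]
        elif kind == "file_write":
            self.verdicts.append((ev["path"], self.decide(ev["pid"], ev["t"])))

    def decide(self, pid: int, t: float) -> str:
        """Allow the write if this process got a fresh Save click, else quarantine."""
        clicked_at = self.consent.get(pid)
        if clicked_at is not None and 0.0 <= t - clicked_at <= CONSENT_WINDOW:
            del self.consent[pid]  # one click authorizes exactly one file
            return "allow"
        return "quarantine"


def run(events: List[dict]) -> List[Tuple[str, str]]:
    """Replay a time-ordered event stream and return (path, verdict) pairs."""
    mon = Monitor()
    for ev in sorted(events, key=lambda e: e["t"]):
        mon.handle(ev)
    return mon.verdicts


BROWSER_PID = 100                     # constructed
SAVE_BUTTON = Rect(300, 400, 80, 30)  # constructed

# Constructed event stream: one user-requested download, then a silent
# write with no dialog (the drive-by case), then a page that shows a
# dialog but can only produce a synthetic click.
SAMPLE_EVENTS = [
    {"t": 1.0, "kind": "dialog_shown", "pid": BROWSER_PID, "save_button": SAVE_BUTTON},
    {"t": 2.0, "kind": "click", "source": "hardware", "x": 330, "y": 410},
    {"t": 2.5, "kind": "file_write", "pid": BROWSER_PID, "path": "Downloads/setup.exe"},
    {"t": 2.6, "kind": "dialog_closed", "pid": BROWSER_PID},
    {"t": 3.0, "kind": "file_write", "pid": BROWSER_PID, "path": "Temp/update.exe"},
    {"t": 9.5, "kind": "dialog_shown", "pid": BROWSER_PID, "save_button": SAVE_BUTTON},
    {"t": 10.0, "kind": "click", "source": "synthetic", "x": 330, "y": 410},
    {"t": 10.2, "kind": "file_write", "pid": BROWSER_PID, "path": "Temp/codec.exe"},
]

if __name__ == "__main__":
    for path, verdict in run(SAMPLE_EVENTS):
        print(f"{verdict:10} {path}")
```

The second and third writes are quarantined for different reasons: no dialog was on screen at all, and a dialog was shown but the only click was software-generated.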

Re:Shenanigans! (1)

John Hasler (414242) | more than 3 years ago | (#33853812)

Why should it? You've established that you want malware, so it lets you have malware.

Re:Shenanigans! (1)

webmistressrachel (903577) | more than 3 years ago | (#33853904)

lol I'm not implying that I do. In fact, I am without problems of this kind, including Norton and other forms of malware... However, we all know the dancing monkey problem by now, and I was merely illustrating that there's no way to discern between the two methods of recieving malware available with current browsers.

Re:Shenanigans! (1)

webmistressrachel (903577) | more than 3 years ago | (#33853936)

And yes, spelling Nazis, I have now noticed my i - before - the - e - except - after - c mistake and wished I'd used Preview!

Re:Shenanigans! (1)

hedwards (940851) | more than 3 years ago | (#33854690)

I'm trying to establish why this is better than a sandbox. I suppose this is an onion thing and really intended to go side by side with something like Sandboxie [sandboxie.com]

It's better the devil you know... (2, Insightful)

Anonymous Coward | more than 3 years ago | (#33853786)

The day the army/navy/government are responsible for my 'defence' online is coming. It's a red-pill blue-pill thing and I think I will prefer to keep the status-quo, chancing it with the malware from the safety of my linux PC. Running to the military to 'protect me' is simply naff, particularly online.

Re:It's better the devil you know... (1)

jonbryce (703250) | more than 3 years ago | (#33854988)

Law enforcement does have a role to play, though obviously it is not the whole solution. These attacks are no longer carried out by script kiddies for the hell of it. They are well organised criminal gangs who do it to make money. The criminal gangs who ram-raid banks and shops selling high value items are something the police etc deal with, even though the banks and shops concerned take security measures to try and make life more difficult for them. These people, or at least some of them are raiding banks electronically, and law enforcement needs to deal with them. And even if your system is completely secure, you still need to deal with all the rubbish arriving at port 25 and at any web-forms you have on your website, so everyone is a victim.

spineless monkeys send in senior fearmonger (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#33853794)

Former CIA director Gen. Michael Hayden tells CNN's Candy Crowley he's "surprised" that a new poll shows that the American public is increasingly worried that a terrorist attack could happen in the next few weeks.

'funny' we haven't met ANYONE who shares that sentiment. they've stopped ducking in europe now, when the monkeys toss a terrifying turd in their direction, to cover up killing more innocent bystanders. talk about domestic terrorists? no? does anyone remember who hitler's favorite enemy was. hint: it wasn't the jews, they just got killed.

What the fuck (5, Insightful)

Anonymous Coward | more than 3 years ago | (#33853818)

You need a special tool to not automatically download and run the first program your web browser sees?

Downloads shouldn't start automatically. Downloads shouldn't run automatically.

Yet even sourceforge doesn't provide copy and paste friendly download links anymore. It's got to automatically start your download for you because you're just too fucking lazy to make one more click.

BADBDE. Fail.

Re:What the fuck (2, Interesting)

Yvan256 (722131) | more than 3 years ago | (#33853876)

I'm guessing they want to prevent other websites from linking to the downloads directly and have them link to the project webpage instead.

Re:What the fuck (3, Insightful)

MobileTatsu-NJG (946591) | more than 3 years ago | (#33854068)

Yet even sourceforge doesn't provide copy and paste friendly download links anymore. It's got to automatically start your download for you because you're just too fucking lazy to make one more click.

Actually that's an extra stop to serve you ads.

Re:What the fuck (3, Insightful)

Arker (91948) | more than 3 years ago | (#33854192)

Yeah, this thing (even if it weren't vapour-ware) is papering over the problem many layers up, instead of fixing it in the first place. If a browser permits "drive by" downloads like this, it's got a bug, and it should be fixed there. (And yes, firefox is incredibly buggy in this regard, but at least it's easily patched with extensions.)

3rd Party (2, Insightful)

DrYak (748999) | more than 3 years ago | (#33855080)

If a browser permits "drive by" downloads like this, it's got a bug, and it should be fixed there.

But it can't be fixed there.
If you RTFA, you'll notice in their stats that the largest proportion of all threats exploit bugs in Adobe Acrobat and Flash plugins.
No amount of coding in Firefox can fix bugs in Adobe software, short of reverse engineering the plugin and applying binary patches on load to fix it (which should be considered a violation of the plugin's license, in the jurisdiction where Firefox' development is happening)

The only real long-term solution would be to completely drop the proprietary plugins in favour of open-source alternative.
(There are already tons of PDF viewer software which is less buggy, among which lots of opensource contenders (anything poppler-based). Now just hope that Gnash and Lightspark become good replacements soon).

Re:What the fuck (2, Insightful)

Lord Ender (156273) | more than 3 years ago | (#33855162)

Modern security relies on the wise supposition that there are and will always be flaws, therefore multiple layers of protection are employed to minimize the possibility of those flaws affecting you. This is called "defense in depth."

Re:What the fuck (4, Informative)

sela (32566) | more than 3 years ago | (#33854814)

You are right, downloads shouldn't run automatically. And actually, no browser intentionally allows downloading programs automatically.

Unfortunately, internet browsers are quite a complex piece of software which connects to a lot of other complex libraries, and each of these software elements may contain security vulnerabilities, used by exploits that download and run malicious code. The idea is this: some hacker finds out about a security bug in some windows library (which could be a result of things like a buffer overflow bug), such as the library that displays some file format (WMF, AVI etc.), ActiveX, JavaScript etc., and then embeds in a website some file that uses this exploit (windows metafile, embedded video etc.). Such vulnerabilities are being discovered all the time, and Microsoft keeps releasing new security patches that fix these bugs, but from the moment the bug is discovered to the moment you download a security update there is enough time where your computer is exposed to such exploits.

I don't think it is realistic to expect software to be free of such vulnerabilities. Every OS has them. Fortunately for people using other OSes such as Linux, it is not targeted as much as Windows by hackers because it is not as common as a desktop OS, and the fact that most users do not run as admins also helps to reduce the potential damage of malware. I believe there are other ways to reduce exposure to such exploits: for example, use data execution prevention and use a sandbox to isolate the browser and all the libraries it uses from the rest of the system. However, you need to design the system from the ground up to be able to implement these measures properly.

Re:What the fuck (1)

REggert (823158) | more than 3 years ago | (#33854904)

Drive-by downloads are not typically downloaded by your browser (except in the case of exploits targeting vulnerabilities in the browser itself). They are usually downloaded by browser plugins (such as Flash, Adobe Reader, various ActiveX controls, etc.) that contain vulnerabilities that are exploited (either via JavaScript or by specially crafted media files), and the payload of the exploit (the "shellcode") downloads and executes some Trojan EXE. It has absolutely nothing to do with downloads that are initiated by your browser via Java Script (which must always be authorized by the user in all major browsers, generally via a Save/Open/Cancel dialog).

Interesting... (1, Interesting)

metrix007 (200091) | more than 3 years ago | (#33853824)

If AVs were not so useless and purely reactive, they would be doing this in the first place. Maybe it will be adopted into them.

Of course, this would not be needed if we could educate people to keep everything updated with security patches, and not let random programs run as admin.

I'm just waiting for Linux and OS X to inevitably catch up once they become viable targets.

Re:Interesting... (4, Insightful)

pspahn (1175617) | more than 3 years ago | (#33854132)

I'm just waiting for Linux and OS X to inevitably catch up once they become viable targets.

I'd say that Linux is already a pretty juicy target. Sure it isn't running on most users' machines, but it does tend to be running on machines that do fairly important things. It already is a target, it's just that it isn't operated by the typical person that likes to lick digital doorknobs.

Re:Interesting... (1)

metrix007 (200091) | more than 3 years ago | (#33854316)

It's a target, and a lot of installs tend to have way more vulns than Windows. It just doesn't have the market share to make developing malware for it viable.

Re:Interesting... (1)

Noughmad (1044096) | more than 3 years ago | (#33854760)

Yeah, who cares about servers anyway...

Re:Interesting... (0, Troll)

jedidiah (1196) | more than 3 years ago | (#33855308)

...yes, because we all know that virus writers have never targeted little known and obscure platforms before.

This rationale only makes any sense if you see the whole world as Windows, are aware of nothing else, and just fell off the turnip truck yesterday.

Re:Interesting... (1)

sela (32566) | more than 3 years ago | (#33854842)

OTOH, those machines that run Linux and do fairly important things are not used for browsing the internet. Linux servers are a target for hackers. Linux desktop isn't.

Re:Interesting... (1)

jonbryce (703250) | more than 3 years ago | (#33855016)

Linux handheld increasingly is a target though. Android is, I believe, the second most popular operating system on phones capable of being used for web browsing, behind BlackBerry (though iOS has the highest market share of actual browsing sessions), plus there is Palm's webOS and a few others from other suppliers.

Easiest option: (2, Insightful)

twidarkling (1537077) | more than 3 years ago | (#33853840)

How about, instead of having some program try to figure out who's installing a program, no program can install another program? Download only, and it sits harmlessly until the user specifically goes, finds it, and runs it. In fact, have at the OS level a captcha that needs to be filled in before a program installs. How's that? Think that'll stop anything? Probably work better than BLADE anyway.

Re:Easiest option: (2, Informative)

eulernet (1132389) | more than 3 years ago | (#33854494)

Try Comodo Personal Firewall, it already warns when a new program tries to install on your computer, and it's free.

Re:Easiest option: (1)

jonbryce (703250) | more than 3 years ago | (#33855022)

Or how about something simpler, like sudo?

Re:Easiest option: (1)

tomhath (637240) | more than 3 years ago | (#33854584)

how about no program can install another program? Download only, and it sits harmlessly until the user specifically goes, finds it, and runs it.

Because "user...runs it" really means "user runs a program that runs it"; i.e. user runs a program that could have an exploit which fills in the captcha and installs the malware.

I was a bit surprised that the Applications Targeted by Drive-By Exploits graph indicates Java about 25% of the time, roughly half the rate of Internet Explorer. And I dislike Adobe software even more after looking at that graph.

Re:Easiest option: (4, Insightful)

znerk (1162519) | more than 3 years ago | (#33855176)

How about, instead of having some program try to figure out who's installing a program, no program can install another program? Download only, and it sits harmlessly until the user specifically goes, finds it, and runs it. In fact, have at the OS level a captcha that needs to be filled in before a program installs. How's that? Think that'll stop anything? Probably work better than BLADE anyway.

If I understand you correctly, you're talking about removing the ability to shell out another executable from within an executable. After all, what, exactly, is the difference between an installation app and a regular app?
They both have the ability to modify the Windows registry, output arbitrary data to arbitrary locations, etc - how do you think MS Paint saves that picture file your 3-year-old made by facerolling the keyboard and beating the family dog with the mouse?

"Fine," you state, "just disable the ability for an executable to start another executable, then."

Unfortunately, killing the methods of shelling out to an app would destroy most operating systems' functionality - after all, the kernel is an executable that runs other executables (such as the graphical shell you think is your OS), directly or indirectly.

"Sure," you say, "we can just make it so the kernel can do it, but nothing else."

Ok, now what do you do when *you* want to launch an executable, say by clicking a representation of its logical address located in that previously-mentioned graphical shell (ie, your desktop)?

"Well, we can just let the kernel and the rest of the OS do its thing, then," you respond.

Where do you draw the line?
Photoshop executes a dozen processes when it starts up.
Hitting a flash-enabled website in your browser can launch dozens of processes.
JavaScript is "executable code".
A slightly looser definition of "executable code" could include HTML.

In short, this is not the correct direction to be looking for an answer in; your post getting a "+5, Insightful" amazes and bewilders me.
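The "where do you draw the line?" question above is the one a detection engineer actually answers, not by forbidding process creation but by looking at the chain: a payload that the shellcode fetched and executed (the Trojan EXE described earlier in the thread) runs from a scratch directory with a browser or plugin host somewhere above it in the process tree, while Photoshop's helper processes and the user's own double-clicked installer do not. The block below is an added example written for this page, not code from any poster or from BLADE; it walks a constructed process snapshot of the kind Sysmon or a driver would provide. The host image names and scratch-directory prefixes are assumptions for the illustration.

```python
import os
from dataclasses import dataclass
from typing import Dict, Iterator, List

# Assumed image names (not from the page) for the hosts in which drive-by
# exploits run: the browsers themselves and out-of-process plugin hosts.
BROWSER_HOSTS = {"iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe", "safari.exe"}
PLUGIN_HOSTS = {"plugin-container.exe", "acrord32.exe", "java.exe", "javaw.exe"}
# Only scratch locations. Per-user installed browsers (Chrome) live under
# AppData\Local, so a bare "\appdata\local\" prefix would flag the browser's
# own helper processes; keep the prefixes specific.
SCRATCH_PREFIXES = ("\\appdata\\local\\temp\\", "\\appdata\\locallow\\",
                    "\\windows\\temp\\", "\\users\\public\\")


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str   # full path of the executable


def _name(path: str) -> str:
    return os.path.basename(path.replace("\\", "/")).lower()


def build_tree(procs: List[Proc]) -> Dict[int, Proc]:
    return {p.pid: p for p in procs}


def ancestors(tree: Dict[int, Proc], pid: int) -> Iterator[str]:
    """Image names of pid's parent chain, nearest first. Stops at an unknown
    or already visited pid so a reused or cyclic ppid cannot loop forever."""
    seen = {pid}
    p = tree.get(pid)
    while p is not None and p.ppid in tree and p.ppid not in seen:
        seen.add(p.ppid)
        p = tree[p.ppid]
        yield _name(p.image)


def in_scratch_dir(path: str) -> bool:
    return any(prefix in path.lower() for prefix in SCRATCH_PREFIXES)


def find_drive_by_candidates(procs: List[Proc]) -> Dict[int, str]:
    """pid -> the browser/plugin ancestor that makes the process suspicious."""
    tree = build_tree(procs)
    hits: Dict[int, str] = {}
    for p in procs:
        if not in_scratch_dir(p.image):
            continue
        for a in ancestors(tree, p.pid):
            if a in BROWSER_HOSTS or a in PLUGIN_HOSTS:
                hits[p.pid] = a
                break
    return hits


# Constructed process snapshot (not real telemetry).
SAMPLE_PROCS = [
    Proc(1000, 4, r"C:\Windows\explorer.exe"),
    Proc(2000, 1000, r"C:\Program Files\Internet Explorer\iexplore.exe"),
    Proc(2100, 2000, r"C:\Windows\System32\cmd.exe"),                        # shellcode shelled out
    Proc(2200, 2100, r"C:\Users\alice\AppData\Local\Temp\tmp9f3a.exe"),       # dropped payload
    Proc(3000, 1000, r"C:\Users\alice\AppData\Local\Google\Chrome\Application\chrome.exe"),
    Proc(3001, 3000, r"C:\Users\alice\AppData\Local\Google\Chrome\Application\chrome.exe"),
    Proc(4000, 1000, r"C:\Users\alice\Downloads\setup.exe"),                  # user double-clicked
    Proc(5000, 1000, r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    Proc(5001, 5000, r"C:\Program Files\Mozilla Firefox\plugin-container.exe"),
    Proc(5002, 5001, r"C:\Users\alice\AppData\Local\Temp\a1b2\dropper.exe"),  # dropped payload
]

if __name__ == "__main__":
    for pid, why in find_drive_by_candidates(SAMPLE_PROCS).items():
        print(f"pid {pid}: descends from {why}")
```

Walking the whole ancestor chain rather than checking only the direct parent is what catches the `iexplore.exe -> cmd.exe -> payload` case; a rule keyed on the immediate parent alone is trivially evaded by one intermediate `cmd.exe`.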

Mod Parent Up (1)

Late Adopter (1492849) | more than 3 years ago | (#33855458)

This is exactly the problem.

Re:Easiest option: (0)

Anonymous Coward | more than 3 years ago | (#33855300)

Microsoft tried this. UAC in Vista. It was universally panned.

Re:Easiest option: (0)

Anonymous Coward | more than 3 years ago | (#33855516)

you are describing application whitelisting, like this [bit9.com]

Is this another Windows-only problem? (3, Interesting)

Yvan256 (722131) | more than 3 years ago | (#33853852)

Are there any other OSes vulnerable to drive-by downloads? Funny how they rarely mention which OSes are affected.

I'm guessing Mac OS X and Linux are both better protected since the OS can't initiate a program installation and then run it without the user permission.

Re:Is this another Windows-only problem? (0)

Anonymous Coward | more than 3 years ago | (#33854050)

Don't worry: that's changing as more windoze programmers get their fingers in those as well.

Re:Is this another Windows-only problem? (1)

Renraku (518261) | more than 3 years ago | (#33854070)

I would have figured Macs to be a hotbed of virus activity, but there just aren't that many viruses that target Macs, because PCs are just too big of a market share. My reasoning is because Macs 'just work', which means that it should be a lot easier for that virus to 'just work' with little-to-no user interaction. Of course, there are/were plenty of ways to install something without the user knowing on Windows.

It used to be so bad that simply connecting a bare vanilla Windows XP machine to the network and turning the computer on would get you some kind of worm and your PC would join its brethren bots.

Re:Is this another Windows-only problem? (2, Informative)

jonbryce (703250) | more than 3 years ago | (#33855026)

Macs "just work" once you tell sudo your password. If I see the sudo box when I'm not expecting it, hitting the cancel button is much easier than typing in my 15 character password.

Re:Is this another Windows-only problem? (1, Interesting)

Anonymous Coward | more than 3 years ago | (#33854476)

All of our clients have been running their Windows systems with "Limited User" rights for a decade or more (except the few cases where this is not possible due to poorly written software) and we've never seen a drive-by download nor malware infection in any of these Limited Rights systems.

You cannot blame *any* OS for poor administrator configuration of rights. Blame the sysadmin.

Re:Is this another Windows-only problem? (2, Insightful)

Arker (91948) | more than 3 years ago | (#33854534)

No, I blame the culture of blobware there. Why do you think so many programs are 'poorly written' and why can't they be fixed? They are poorly written because their roots go back to when the MS OS didn't have any concept of a limited user or a security model at all. You can't fix the issue because, in the MS world, you don't actually get any software - you get a binary blob. ANY modifications, bug-fixes, etc. have to come from the vendor. If the vendor doesn't see a profit in it, they won't do it, and you are stuck with it. That is the MS way, and it can still sting even the most knowledgeable and diligent admin when forced to rely on blobware.

Re:Is this another Windows-only problem? (2, Interesting)

Gadget_Guy (627405) | more than 3 years ago | (#33855232)

They are poorly written because their roots go back to when the MS OS didn't have any concept of a limited user or a security model at all.

That isn't the answer. Windows NT introduced the idea of user permissions back in July 1993. If you wanted to be able to use the official "Written for Windows" certification (or whatever it was called at the time) then your software had to work as a limited user. If developers had adhered to Microsoft's programming guidelines they would have got rid of the full-access assumption years ago.

And if developers had done this, then we would have all been running as standard users long before Vista. Even then, they only got this to work by crippling the administrator account into a semi-limited user mode.

Re:Is this another Windows-only problem? (0)

Anonymous Coward | more than 3 years ago | (#33855168)

Downloads? Yes, all OSes and browsers are vulnerable, within limits (JavaScript FTW). Downloads to arbitrary locations, arbitrary code execution, and local-user installation? Sort of. OS X is extremely vulnerable, and Windows & SELinux are mostly safe.

Low-IL processes ([1] [uninformed.org], [2] [wikipedia.org], [3] [mozilla.org]) in Windows can't run or do much of anything (they can DoS the user, I guess, or read & transmit data). I said mostly safe because there are still weaknesses: unsafe application security/rules, communication with other protected but insecure processes or objects (including system services), driver exploitation via user-mode driver DLLs, et cetera.

Re:Is this another Windows-only problem? (0)

Anonymous Coward | more than 3 years ago | (#33855478)

arbitrary code execution

Above should read, arbitrary user-level program execution. Code execution can happen in all contexts, obviously, and isn't prevented by SELinux or process integrity settings.

Maybe China is right? (0)

Anonymous Coward | more than 3 years ago | (#33853918)

It seems that if Ukraine, the US and the UK were all blocked, more than half of the malicious exploits would be blocked too...

how about just flipping the damn default? (1, Insightful)

Anonymous Coward | more than 3 years ago | (#33854006)

Most people's default: "Sure, random untrusted entity, run anything you want on my system!"

Sane people's default: "I'll run it if I have a reason to and it is reasonably known to be safe."

Guess which group seems to be the one having, and causing, all the problems? Guess which group doesn't need "drive by download blockers"?

I swear, the world is positively insane. It hits itself in the thumb with a hammer, gets upset at the pain, and instead of just - you know - not swinging the hammer, it hires an expensive large muscle-bound man to stop the hammer in mid swing... as long as he's had his morning coffee and is quick on the draw.

Re:how about just flipping the damn default? (0)

Anonymous Coward | more than 3 years ago | (#33854224)

"Drive by download" is just a made up excuse by people who don't want to admit to what they were doing when they installed some malware yet again. Even malware is a made up term, which tends to be defined as any software I don't like after I finally notice what the software actually does, for which of course I didn't read the license agreement I agreed to.

Hey look, this website is telling me I have a catastrophic security error and I need to install this drive by download blocker, one of those must be true, so I better do that right now!

Re:how about just flipping the damn default? (4, Interesting)

znerk (1162519) | more than 3 years ago | (#33854660)

"Drive by download" is just a made up excuse by people who don't want to admit to what they were doing when they installed some malware yet again.

Yeah, like the user moving their mouse out of the way to read the text of an article, and coincidentally mousing over an ad purchased by a malware distributor that *looks* legit, and is on a legit site, but is actually just a method to throw their nasty bot into the download stream.

And before you protest that you've never seen that happen, I would like to inform you that I have - with my own eyes. Anecdotal evidence aside, this is factual to me.

More and more frequently, I'm seeing people saying that Windows is the primary security risk on the internet. Perhaps we should look into that.

Re:how about just flipping the damn default? (1)

hedwards (940851) | more than 3 years ago | (#33854730)

Drive-by downloads are definitely real. I've had them. The only reason why I didn't get infected was that I was running the browser in a sandbox [sandboxie.com] with an antivirus program which blocked it before the file was run. All I had to do was click a link to an infected site.

Re:how about just flipping the damn default? (1)

Diantre (1791892) | more than 3 years ago | (#33854856)

I recently got one of those fake AVs, and I never clicked anything. It's not like they ask you all the time. No, I did not download SpecialVideoCodec.exe from searching "Extreme Midget Fart Porn XXX" on Google. I was browsing a forum on cats and I suddenly had MalwareDoctor installed. Luckily I somewhat know my way around computers and only saw this as a challenge.

Great Idea (1)

shoehornjob (1632387) | more than 3 years ago | (#33854046)

But unless it's included in a Windows update it's useless. This is a band-aid for the real problem: users have a plug-and-play mentality and don't give a shit about computer security until they are infected. The only way you can win is to educate the younger generation and hope they don't make the same mistakes their parents have made.

I'm not trusting something government funded.... (3, Insightful)

Zapotek (1032314) | more than 3 years ago | (#33854094)

...that puts everything I access on the WWW under scrutiny.
Why should anybody?

Re:I'm not trusting something government funded... (1)

DragonTHC (208439) | more than 3 years ago | (#33854694)

stop visiting NAFLA sites.

The guy at the Apple store was right (0, Troll)

rshxd (1875730) | more than 3 years ago | (#33854112)

My $7000 Apple workstation, that has the same specs as my system at home that I paid $2000 for, doesn't get viruses! Apple store guy you were so right!

Re:The guy at the Apple store was right (1)

Logic Worshipper (1518487) | more than 3 years ago | (#33854314)

So right! You could just save yourself $5000 and run Linux.

Oh joy... (1, Insightful)

Anonymous Coward | more than 3 years ago | (#33854204)

So now the browsers don't ever have to fix their bugs.

Backronym (3, Funny)

Asgerix (1035824) | more than 3 years ago | (#33854230)

The first version of their tool was called "BLock All Drive-by Download Exploit scRipts" - or BLADDER. For some reason it was not very popular.

Wasn't this called Tron some years ago (0)

Anonymous Coward | more than 3 years ago | (#33854272)

couldn't resist

How long has Spybot Search and Destroy been out? (1)

Maintenance Goof (1487053) | more than 3 years ago | (#33854276)

Because http://www.safer-networking.org/en/spybotsd/index.html [safer-networking.org] has been giving away pretty much this function for years.

Re:How long has Spybot Search and Destroy been out (1)

Diantre (1791892) | more than 3 years ago | (#33854864)

Unless the malware program actually deletes Spybot as well as AVG and also changes your DNS so it redirects to a phony Chinese search site instead of Safer Networking's site. This happened to me not long ago.

Re:How long has Spybot Search and Destroy been out (1)

znerk (1162519) | more than 3 years ago | (#33855492)

Unless the malware program actually deletes Spybot as well as AVG and also changes your DNS so it redirects to a phony Chinese search site instead of Safer Networking's site. This happened to me not long ago.

For me, SpybotSD has been more of a preventive measure than a fix-it tool. Same for AVG, actually. You're supposed to install them *before* you get infected.

The other side: (1)

Don'tBAWank! (235635) | more than 3 years ago | (#33854448)

What's to stop "the authorities" from using this s/w to prove that you intentionally committed an illegal act on your computer?

or instead... (0)

Anonymous Coward | more than 3 years ago | (#33854482)

You could just use Chrome.

No thanks! (0)

Anonymous Coward | more than 3 years ago | (#33854714)

I think this is just another attempt by the government to monitor the internet.... I would want assurance that what I'm downloading stays on my system and nothing gets sent to some "Big Brother" database. If it can block these "Drive-By Downloads" it can secretly transmit data from any download. I see this as a possible security violation.

Firefox Addons should be in all browsers... (1)

RichM (754883) | more than 3 years ago | (#33854816)

What is wrong with NoScript?

Re:Firefox Addons should be in all browsers... (0)

Anonymous Coward | more than 3 years ago | (#33854960)

As a fan of NoScript (the only plugin that *really* keeps me with firefox), I can tell you this: it's too hard to use for normal users. Same will probably be the case for this tool, if it has to be installed by the user, though.

Re:Firefox Addons should be in all browsers... (2, Insightful)

znerk (1162519) | more than 3 years ago | (#33855510)

As a fan of NoScript (the only plugin that *really* keeps me with firefox), I can tell you this: it's too hard to use for normal users.

Yeah, because Joe User can't be bothered to learn the following sequence:

1: Notice that an element of the page isn't "working as intended".
2: Click the little "S" icon in the bottom-right-hand corner of the browser.
3: (this is the one causing the most issues with NoScript usage, IMHO) select only the bare minimum of sites to allow scripting from (typically the one in the address bar, duh)
4: Profit! (view your youtube videos without most of the additional crap/ads/whatever)

Unfortunately, my experience is that the typical response to "my youtube is broken!" is to either "allow all this page" or close FF and use IE...

Use Sandboxie to Virtualize Browser in Windows (4, Informative)

ad454 (325846) | more than 3 years ago | (#33854958)

I am not much of a Windows user, but for all of my friends, family, and colleagues that do run Windows, I install Sandboxie on their machines. Sandboxie allows their e-mail clients and web browsers to run within virtual machines that prevent direct disk access:

http://www.sandboxie.com/ [sandboxie.com]

In addition, I also recommend installing Firefox with the NoScript, AdBlock Plus, and Certificate Patrol addons on all platforms (Windows, Mac OS X, Linux, *BSD, etc.) in order to minimize attack and spoofing vectors, which are typically JavaScript & Flash based.

Using Sandboxie, Firefox, and the above mentioned addons seems to be just as good a solution, if not a better one, than the tool mentioned in the article. And they are all available now for free!
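What makes the sandbox approach recommended above effective against a drive-by is the write redirection: the browser (and whatever the exploit spawns under it) sees a normal filesystem, but every write lands in a private container and the real disk is never touched, so emptying the container undoes the infection. The following is an added example written for this page, not Sandboxie's code (Sandboxie does this with a kernel driver, and also covers the registry, which this model does not): a small user-space copy-on-write overlay with a demo that plays a payload tampering with a hosts file and dropping a binary, then discards the box. The directory layout and file contents in the demo are constructed.

```python
import os
import shutil
import tempfile
from typing import Dict, Set


class WriteRedirectSandbox:
    """Toy model of a write-redirecting sandbox: reads fall through to the
    real tree, writes and deletes land in a private shadow tree, and
    discard() throws the shadow tree away. Paths are relative to real_root."""

    def __init__(self, real_root: str, box_root: str) -> None:
        self.real_root = os.path.abspath(real_root)
        self.box_root = os.path.abspath(box_root)
        self.deleted: Set[str] = set()   # "whiteouts": deleted inside the box only

    def _rel(self, path: str) -> str:
        # Normalise and refuse anything that resolves outside the sandboxed root.
        full = os.path.abspath(os.path.join(self.real_root, path))
        rel = os.path.relpath(full, self.real_root)
        if rel == ".." or rel.startswith(".." + os.sep):
            raise PermissionError(f"path escapes the sandbox root: {path}")
        return rel

    def read(self, path: str) -> bytes:
        rel = self._rel(path)
        if rel in self.deleted:
            raise FileNotFoundError(rel)
        boxed = os.path.join(self.box_root, rel)
        target = boxed if os.path.exists(boxed) else os.path.join(self.real_root, rel)
        with open(target, "rb") as f:
            return f.read()

    def write(self, path: str, data: bytes) -> None:
        rel = self._rel(path)
        boxed = os.path.join(self.box_root, rel)
        os.makedirs(os.path.dirname(boxed), exist_ok=True)
        with open(boxed, "wb") as f:
            f.write(data)
        self.deleted.discard(rel)

    def delete(self, path: str) -> None:
        rel = self._rel(path)
        boxed = os.path.join(self.box_root, rel)
        if os.path.exists(boxed):
            os.remove(boxed)
        self.deleted.add(rel)

    def discard(self) -> None:
        shutil.rmtree(self.box_root, ignore_errors=True)
        os.makedirs(self.box_root, exist_ok=True)
        self.deleted.clear()


def demo() -> Dict[str, object]:
    """Constructed scenario: a sandboxed payload rewrites 'hosts' and drops a
    binary; the real tree is unchanged and discard() removes both."""
    root = tempfile.mkdtemp()
    real, box = os.path.join(root, "real"), os.path.join(root, "box")
    os.makedirs(os.path.join(real, "System32/drivers/etc"))
    os.makedirs(box)
    hosts = os.path.join(real, "System32/drivers/etc/hosts")
    with open(hosts, "wb") as f:
        f.write(b"127.0.0.1 localhost\n")

    sb = WriteRedirectSandbox(real, box)
    sb.write("System32/drivers/etc/hosts", b"1.2.3.4 example.com\n")
    sb.write("Temp/dropper.exe", b"MZ\x90\x00")
    with open(hosts, "rb") as f:
        real_hosts_now = f.read()
    out: Dict[str, object] = {
        "box_sees_tampered_hosts": sb.read("System32/drivers/etc/hosts"),
        "real_hosts_untouched": real_hosts_now,
        "dropper_on_real_disk": os.path.exists(os.path.join(real, "Temp/dropper.exe")),
    }
    sb.discard()
    out["box_after_discard"] = sb.read("System32/drivers/etc/hosts")
    try:
        sb.write("../escape.txt", b"x")
        out["escape_blocked"] = False
    except PermissionError:
        out["escape_blocked"] = True
    shutil.rmtree(root)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The caveat the thread's Low-IL discussion also raises applies here: a filesystem overlay contains what the payload writes, not what it reads or sends, so a drive-by that only exfiltrates data already on disk is not stopped by this mechanism alone.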

ROFL (3, Insightful)

znerk (1162519) | more than 3 years ago | (#33855028)

Clicked the link to "interesting display of the infection rate of different browsers", and got

Hi. Javascript is turned off in your web browser. Good for you!
Ironically, to view our analysis results you do need to enable Javascript.
We promise not to bite.

Aside from the question of why I would need to enable Javascript to view their results, I found it highly amusing... and disturbing.
Kinda gave me the feeling of
"We're not doing anything evil, we promise! Oh, and we need you to let us inside your system's security before we'll give you any information".

Not exactly inspiring any confidence, here.

For instance, why isn't your page dynamically generated server-side, if you're trying to promote safe browsing practices? Oh, right, because you're not; you want me to buy your software...

I think I'll stick with NoScript and AdBlockPlus, thanks - they don't cost anything.

Re:ROFL (1)

znerk (1162519) | more than 3 years ago | (#33855064)

Also, I find it interesting that Chrome isn't listed in their statistics (after I hit the link with a snapshotted VM's browser) - despite that I have seen systems with apparent drive-by infections with no IE link on the desktop, quicklaunch, or start menu, no firefox installed, and a shortcut to chrome on the desktop labelled "Internet". Maybe the user was lying as to the source of infection.

Yeah, No Chrome.... (1)

c1ay (703047) | more than 3 years ago | (#33855206)

no Opera or any browsers besides IE6, 7 & 8 and FF3. If that's all their browser stats are based on then I'd say all of their reports stats are questionable.