Stopping Stealthy Downloads
A new tool blocks files that try to install without alerting the user.
Researchers at SRI International and Georgia Tech are preparing to release a free tool to stop “drive-by” downloads: Internet attacks in which the mere act of visiting a Web site results in the surreptitious installation of malicious software. The new tool, called BLADE (Block All Drive-By Download Exploits), stops downloads that are initiated without the user’s consent.
“When your browser is presented with an [executable file] for download, it’s supposed to prompt you for what to do,” said Phil Porras, SRI’s program director. But software can also be pushed onto an unsuspecting user’s computer without ever asking for permission.
In the fourth quarter of 2009, roughly 5.5 million Web pages contained software designed to foist unwanted installs on visitors, according to Dasient, a firm that helps protect websites from Web-based malware attacks. Such drive-by downloads target computers that are not up-to-date with the latest security patches for common Web browser vulnerabiltiies, or are missing security updates for key browser plug-ins, such as Adobe’s PDF Reader and Flash Player. Attackers use software called exploit packs, which probe the visitor’s browser for known security holes.
The research group has been putting BLADE through the paces since January, exposing a few virtual desktops equipped with the software to new exploit sites identified each day by security experts. Each malicious URL is tested against multiple software configurations covering different browser versions and common plug-ins.
So far, Porras said, BLADE has blocked all of the more than 5,150 malicious programs foisted by some 1,205 unique drive-by URLs tested. During the test period, Adobe’s PDF Reader was by far the most-targeted browser plug-in, accounting for more than half of the applications targeted by drive-by exploits. Sun Microsystems’s Java platform attracted nearly one quarter of all drive-by attacks, while the bulk of remaining exploits targeted vulnerabilities in Adobe Flash and Internet Explorer.
Robert Hansen, chief executive of the Austin, TX-based security firm SecTheory, said BLADE’s approach appears unique, and that it may be effective at stopping drive-by downloads in the short run. That is, he said, until the technique is widely incorporated into commerical products. “Tools like this are great–they’re another layer of protection, but they certainly aren’t a panacea,” Hansen said.
The true measure of a security tool’s usefulness is often whether it runs on a wide range of systems without interfering with other software, Hansen said.
“This may work fine when you have it in the lab, but it’s another thing when you try to deploy something like this on peoples’ computers,” Hansen said. “In fact, I could see something like this easily breaking the functionality of some leigitimate software applications.”
Indeed, legitimate programs designed to automatically download security updates could encounter problems with a program like BLADE, said Eric Howes, director of research services at Sunbelt Software, a security company based in Clearwater, FL. “I would be especially concerned about potential false positives on other applications that perform background [software] updates or download stuff in the background.”
BLADE certainly can’t stop all Web-based malicious software, either, Porras admits. It cannot, for example, stop social engineering attacks, in which a user is tricked or bullied into installing a malicious program. The “Koobface” worm, for example, spreads on social networking sites such as Facebook and prompts recipients to download a video player plug-in in order to view a picture or movie supposedly sent by a friend. BLADE would do nothing to block such attacks because they ultimately prompt the user to install the bogus plug-in, which is in fact malicious software that gives attackers complete control over the victim’s PC.
BLADE also is useless against threats that reside completely inside of a computer’s temporary memory space, as the tool is designed to block malware that tries to write to the computer’s hard drive. While most malware is written to the hard drive, there are some advanced threats that live only in memory.