
SANS ISC: Defeating Drive-by Downloads in Windows - Internet Security | DShield SANS ISC InfoSec Forums


Defeating Drive-by Downloads in Windows

The Problem

Drive-by Downloads have been a problem for a number of years now. This avenue of attack has become more popular as attackers have developed more techniques to direct visitors to their exploit websites. The three most common scenarios are: Search Engine poisoning, malicious forum posts, and malicious flash ads. These are complex, multi-step attacks that build upon each other to eventually install some sort of malware on the victim's machine. I call this series of steps the "Chain of Compromise" (I've also heard this described as the kill-chain.) It's our job as the defense to break that chain as early as possible. If we allow it to complete, then we have a real incident on our hands.

Countermeasures

There are a number of system countermeasures that you could use to defeat drive-by attacks. The incomplete list below compares their average cost to install, both in money and as a rough measure of the technical effort required (the "tinker-factor").

 

| Countermeasure | Cost | Tinker-Factor |
|---|---|---|
| Anti-Virus | Free to $80 USD | Low |
| Web-filter | Free to Thousands | Medium to High |
| Alternative Browser | Free | Low to Medium |
| No-script | Free | Medium |
| Adblocker | Free | Low |
| Flashblock | Free | Low |
| OpenDNS | Free | Medium |
| Alternative Document Viewer | Free | Low to Medium |
| Executable Whitelist | Free to Hundreds | High |
| Full-proxied Environment | Hundreds to Thousands | Medium to High |

 

  • Anti-Virus: not much to say about this; everyone has it now, and it's the countermeasure that gets the most attention from attackers. It's easily evaded with minimal effort.

  • Web-filter: this could be on the system itself, or injected through a web proxy. Free options include K9.

  • Alternative Browser: something other than IE or Firefox. By moving to a less-popular browser you step out of the line of fire in most cases. At the least, it reduces your attack surface to your office/document viewers (e.g. Flash, Acrobat, etc.).

  • No-script: allows you to block execution of JavaScript on new/unknown sites.

  • Adblocker: typically used to avoid annoying advertisements; a bit controversial, since websites are supported by their ad revenue, but increasingly a necessity due to poor quality control and security measures at ad servers.

  • Flashblock: like no-script, but for flash. Allows you to run flash when you need it, and block it from unknown/unexpected sources.

  • OpenDNS: if you use OpenDNS for your domain name resolution, it can block requests to suspicious/malicious destinations.

  • Alternative Document Viewer: use an alternative PDF viewer to avoid a number of Adobe Acrobat vulnerabilities and avoid executing unnecessary code. You'll likely lose the ability to use interactive PDF forms, but you could always keep a copy of Acrobat Reader handy for the few times you need it.

  • Executable Whitelist: this is the ideal defense against unknown code executing on your system. It's also extremely difficult to maintain over time.

  • Full-proxied Environment: don't let your systems have direct access to the Internet; proxy all outbound requests. This is extremely effective against most backdoors and infected systems reaching out to command-and-control servers via something other than HTTP/HTTPS (those often hijack the browser for this purpose and thus inherit the proxy settings).

Now we'll see how these countermeasures stack up against the attackers in a few scenarios.

Scenario 1: Search Engine Poisoning

In our first scenario, the attackers have set up a network of compromised websites that redirect the visitor to one of their exploit servers. The exploit server hosts JavaScript that effectively scans the potential victim for the versions of the browser, Java, Flash, and PDF client. Based on the results of the scan and the geo-location of the victim's IP address, the exploit server launches a targeted attack against any vulnerable browser, Java, Flash or PDF client on the system. If this attack is successful, the victim's machine downloads a payload from the attackers' payload server. This is exploit-as-a-service: this criminal group offers to deliver another criminal group's payload to a certain number of IP addresses in a certain geographical region. This is how they make their money: they build and maintain the infrastructure of redirect servers, exploit servers, and download servers, and rent that infrastructure out to other groups. In addition to building the infrastructure, they also spend a lot of time promoting their redirect sites in common search engines.

So, in our scenario, our victim goes to their favorite search engine looking for "holiday cookie recipes" and in their search results are a number of links that lead to one of our attacker's redirect sites. Let's say the victim queues up a number of requests in their browser tabs.

  1. The browser opens a connection to one of the redirect sites, which uses a meta-refresh, an iframe, or an HTTP 302 to send the user on to the exploit site.
  2. The exploit site delivers a set of JavaScript routines to the browser.
  3. These routines identify version information for the browser, Java, Flash and the PDF reader.
  4. The exploit server returns the exploit that is most likely to succeed.
  5. The victim's application is exploited and commanded to pull down and execute the downloader code (either from the exploit site itself or from the download site).
  6. The downloader code runs on the system, downloads the additional payload, and executes it on the victim's system.
  7. The victim's system now needs to be re-imaged.

Use this table below to map out which countermeasures are effective at which stage in the attack. Keep in mind that the earlier you break the chain, the better it is for your environment. Compare this to the costs above and see if you can identify the best defense strategy for this scenario.

 

 

| Countermeasure | Redirect Site | Exploit Site | Java-script Recon | Browser Exploit | Flash Exploit | PDF Exploit | Download Site | Downloader code | Secondary Payload | Command and Control Established |
|---|---|---|---|---|---|---|---|---|---|---|
| Anti-Virus | None | None | None | None | None | None | None | Potential | Potential | None |
| Web-filter | Potential | Potential | None | None | None | None | Potential | None | None | Potential |
| Alternative Browser | None | None | None | Likely | None | None | None | None | None | None |
| No-script | None | None | Complete | None | None | None | None | None | None | None |
| Adblocker | None | None | None | None | None | None | None | None | None | None |
| Flashblock | None | None | None | None | Complete | None | None | None | None | None |
| OpenDNS | Potential | Potential | None | None | None | None | Potential | None | None | Potential |
| Alternative Document Viewer | None | None | None | None | None | Potential | None | None | None | None |
| Executable Whitelist | None | None | None | None | None | None | None | Complete | Complete | None |
| Full-proxied Environment | None | None | None | None | None | None | None | None | None | Likely |

Scenario 2: Malicious Forum Post

In our second scenario, our same attacker group is hosting an exploit infrastructure and getting paid to install malicious payloads. Instead of using search engine poisoning and redirect sites, they are exploiting vulnerabilities in common forum software to inject iframes into forum posts. Here our victim is reading up on solutions to a pesky automobile problem and is searching internet forums for advice. They happen upon a thread in which one of the attackers has placed a malicious comment. This kicks off a series of events very similar to Scenario 1.

 

 

| Countermeasure | Forum iframe | Exploit Site | Java-script Recon | Browser Exploit | Flash Exploit | PDF Exploit | Download Site | Downloader code | Secondary Payload | Command and Control Established |
|---|---|---|---|---|---|---|---|---|---|---|
| Anti-Virus | None | None | None | None | None | None | None | Potential | Potential | None |
| Web-filter | None | Potential | None | None | None | None | Potential | None | None | Potential |
| Alternative Browser | None | None | None | Likely | None | None | None | None | None | None |
| No-script | None | None | Complete | None | None | None | None | None | None | None |
| Adblocker | None | None | None | None | None | None | None | None | None | None |
| Flashblock | None | None | None | None | Complete | None | None | None | None | None |
| OpenDNS | None | Potential | None | None | None | None | Potential | None | None | Potential |
| Alternative Document Viewer | None | None | None | None | None | Potential | None | None | None | None |
| Executable Whitelist | None | None | None | None | None | None | None | Complete | Complete | None |
| Full-proxied Environment | None | None | None | None | None | None | None | None | None | Likely |

There's really not much different in this table, so an effective strategy targeting malicious search engine results is similarly effective against malicious forum posts.

Scenario 3: Malicious Flash Ad

This one is much like the two scenarios above, but it differs in how the victim reaches the exploit. In this case, during their lunch hour they browse over to their favorite news website. It's in your company's web-proxy whitelist because it's a "trusted site." Unfortunately, that website's advertisement broker didn't detect the redirect code hidden in the Flash ad, so now your victim, who didn't click on the advertisement, is silently redirected to the exploit site.

 

 

| Countermeasure | Visit Exploited News Site | View Malicious Ad | Exploit Site | Java-script Recon | Browser Exploit | Flash Exploit | PDF Exploit | Download Site | Downloader code | Secondary Payload | Command and Control Established |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Anti-Virus | None | None | None | None | None | None | None | None | Potential | Potential | None |
| Web-filter | None | Potential | Potential | None | None | None | None | Potential | None | None | Potential |
| Alternative Browser | None | None | None | None | Likely | None | None | None | None | None | None |
| No-script | None | None | None | Complete | None | None | None | None | None | None | None |
| Adblocker | None | Likely | None | None | None | None | None | None | None | None | None |
| Flashblock | None | Complete | None | None | None | Complete | None | None | None | None | None |
| OpenDNS | None | Potential | Potential | None | None | None | None | Potential | None | None | Potential |
| Alternative Document Viewer | None | None | None | None | None | None | Potential | None | None | None | None |
| Executable Whitelist | None | None | None | None | None | None | None | None | Complete | Complete | None |
| Full-proxied Environment | None | None | None | None | None | None | None | None | None | None | Likely |

Example Strategies

My parents' computer was compromised last week by Smart Engine (a FakeAV program). They were running an up-to-date, patched version of Windows 7 with Internet Explorer and anti-virus. So, they really didn't stand a chance. The default strategy of moving to Firefox and installing no-script wasn't a viable option, because I didn't want late-night phone calls talking them through how to enable JavaScript so they could get a random website working. My option was to focus more on OpenDNS and K9 to help keep them from getting redirected to known malicious websites to begin with. Yes, their machine is likely to get popped again, but it's a bit less likely, and I don't have the certainty of increased familial tech-support calls.

If you look at the tables above, you'll note that the average user running Internet Explorer, Shockwave, and Acrobat Reader and relying only on anti-virus doesn't stand much of a chance. On the other end of the spectrum, an environment that relies only upon an executable whitelist will certainly break the compromise chain, but very late in the event and at a likely-large cost of effort. When we give advice we often recommend Firefox, since it can support add-ons like Adblock, Flashblock, and no-script. When we make such recommendations it never fails that someone will complain that their environment and circumstances are different. This is the primary motivator behind my capabilities-matrix approach: you can evaluate which countermeasures are appropriate, affordable and possible in your situation, and perhaps determine whether the payoff of a countermeasure is worth the investment.
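The capabilities-matrix approach above can be evaluated mechanically. The following is an added example, not code from the diary: it transcribes the Scenario 1 matrix and, for any chosen set of countermeasures, reports the earliest stage at which the chain of compromise is broken. The rating order (None < Potential < Likely < Complete) and the function names are this example's own assumptions.

```python
from __future__ import annotations

# Rating scale used in the article's tables, ordered from weakest to strongest
# (an assumption of this example; the diary does not define an ordering).
RANK = {"None": 0, "Potential": 1, "Likely": 2, "Complete": 3}

# Chain-of-compromise stages for Scenario 1, in the order the article lists them.
STAGES = [
    "Redirect Site", "Exploit Site", "Java-script Recon", "Browser Exploit",
    "Flash Exploit", "PDF Exploit", "Download Site", "Downloader code",
    "Secondary Payload", "Command and Control Established",
]

# Scenario 1 matrix transcribed from the article, one cell per stage.
# N = None, P = Potential, L = Likely, C = Complete.
_ROWS = {
    "Anti-Virus":                  "N N N N N N N P P N",
    "Web-filter":                  "P P N N N N P N N P",
    "Alternative Browser":         "N N N L N N N N N N",
    "No-script":                   "N N C N N N N N N N",
    "Adblocker":                   "N N N N N N N N N N",
    "Flashblock":                  "N N N N C N N N N N",
    "OpenDNS":                     "P P N N N N P N N P",
    "Alternative Document Viewer": "N N N N N P N N N N",
    "Executable Whitelist":        "N N N N N N N C C N",
    "Full-proxied Environment":    "N N N N N N N N N L",
}
_ABBR = {"N": "None", "P": "Potential", "L": "Likely", "C": "Complete"}
SCENARIO_1 = {name: [_ABBR[c] for c in row.split()] for name, row in _ROWS.items()}


def coverage(strategy: list[str], matrix=SCENARIO_1) -> list[tuple[str, str]]:
    """Best rating each stage receives from any countermeasure in `strategy`."""
    best = []
    for i, stage in enumerate(STAGES):
        ratings = [matrix[name][i] for name in strategy]
        best.append((stage, max(ratings, key=RANK.__getitem__)))
    return best


def first_break(strategy: list[str], minimum: str = "Complete",
                matrix=SCENARIO_1) -> tuple[int, str] | None:
    """Earliest (1-based stage number, stage name) rated at least `minimum`, or None.

    Earlier is better: breaking the chain before exploitation beats cleaning up after it.
    """
    for number, (stage, rating) in enumerate(coverage(strategy, matrix), start=1):
        if RANK[rating] >= RANK[minimum]:
            return number, stage
    return None


if __name__ == "__main__":
    # The strategies discussed in the "Example Strategies" section.
    strategies = {
        "AV only (IE user)": ["Anti-Virus"],
        "Executable whitelist only": ["Executable Whitelist"],
        "Firefox + add-ons": ["Alternative Browser", "No-script", "Adblocker", "Flashblock"],
        "Parents: OpenDNS + K9 web-filter": ["OpenDNS", "Web-filter"],
    }
    for label, picks in strategies.items():
        print(f"{label}: certain break at {first_break(picks)}, "
              f"first possible break at {first_break(picks, minimum='Potential')}")
```

Swapping in the Scenario 2 or 3 table is a matter of replacing `STAGES` and `_ROWS` with the corresponding rows from the article.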

 

Kevin Liston

292 Posts
ISC Handler
You didn't mention HIPS (unless that's covered under "Web Filter"). In my environment (corporate), most drive-by attacks are blocked at the Web Filter/Proxy, and secondly by the HIPS module of the endpoint/AV software. We are constrained to using IE and Adobe Reader, and do not currently have Executable Whitelisting, which would both help of course.
Shawn

29 Posts
Not sure how effective, but if the malware servers target specific browsers and operating systems after a query of things like userAgent, browser add-ons that let the user spoof their browser name and version, as well as helper app versions, could provide a little extra security through obfuscation. It used to be that some browsers allowed this functionality with their own built-in menu item, but now it seems like it has been taken out of the ones I'm familiar with. Things like BrowserMasquerade for Firefox, etc.
Shawn
9 Posts
You guys talk like an executable whitelist is a lot of work.

Using Software Restriction Policies via GPO is super easy. If your users aren't admins (which they shouldn't be) then it's pretty simple to set things up so that they can execute programs only from locations they can't write to - example: c:\program files

This covers the vast majority of programs. Any one offs can be added to the list either via hash or certificate signing.

We found that this approach took a week or so of effort, and maybe a couple of times per year I have to modify the policy.

In return, we've had no penetrations since. Sometimes the users download malicious code via a drive-by browser attack, but it never gets to execute. The A/V program cleans the exe file off the disk eventually, when the definitions get updated.

This is the only reliable approach.
Anonymous
What about reduced rights on the desktop? I just bought a new computer with Windows 7 Home Premium and it (as usual) defaults you to Administrator rights. I created a separate administrator account and demoted the regular account to "user" so that if I, my wife or kids run into a drive-by we'll have a significant layer of protection. I'd imagine that would have helped fend off the Fake AV mentioned above.
Anonymous
How about not running as Administrator. Simple and certainly easy for users to learn (assuming they continue to use the account with reduced rights on a continued basis). While not 100% effective (nothing is), it is still very effective and free.
Tim

9 Posts
re: Administrator rights.

I'll add it to the table, but it has minimal impact with respect to running foreign code. It may impede things like registry edits to autostart and disable AV, but a user account can set its own autostart code and inject into its own processes.
Kevin Liston

292 Posts
ISC Handler
@Althornin
I'm thrilled that you've made it work. There are too few success stories out there. Can you share your industry and network size? It may help inspire others.
Kevin Liston

292 Posts
ISC Handler
Forgive me if this falls under one of the other categories already, but does turning on DEP (and ASLR if available) count as another measure? At least in XP (still popular) you have to change a default setting to turn it on for all programs. One small extra layer at least...
Kevin Liston
12 Posts
@Shaw and @Robert: good suggestions, I've added them to the countermeasure list.
Kevin Liston

292 Posts
ISC Handler
@roseman: I've added DEP/ASLR too. Thanks for the suggestion.
Kevin Liston

292 Posts
ISC Handler
One strategy not covered is the one I use whenever I surf to a "high-risk" corner of the ‘Net. Sandboxing. I currently use Sandboxie, one of the free sandbox programs available that duplicates the Windows and other commonly attacked structures, then opens up a separate memory space for each browser session. All code is executed, all reads are made from, and all writes are made to this session, allowing compromise to appear to take place, while allowing the graceful shutdown and cleansing of the browser. It provides an interesting venue for ad-hoc forensics and I’ve yet to see anything slip between that and my file integrity monitor…

Virtualization is another option, but there are known attacks for this now.

Thanks for the great articles!
Mark
Kevin Liston
1 Posts
"They were running an up-to-date patched version of Windows 7 running Internet Explorer and anti-virus. So, they really didn't stand a chance."

Add user education.
Dean

135 Posts
Several comments about your post:
+add color to the boxes that do not have "None" in them; it makes it easier to read
+noscript is the name of a Firefox plugin; what you mean is 'disable javascript'
+noscript-like plugin + whitelist can remove many web threats (since Flash and other plugins are not allowed to run by default)

lastly, the OpenID login option does not seem to work on this website..
Dean
1 Posts
I use a combo of the above listed things (AV, Astaro UTM, host IPS/IDS, DropMyRights for IE and Firefox when logged in as admin, but mostly I am running with a non-admin account). I use CCleaner, but Sandboxie makes it only find non-web stuff. I also block ALL IPs that are not in the ARIN block. While many attacks come from there, many do not. That helps to block more attacks too. I also use NoScript and Sandboxie. While Sandboxie will not stop anything, it does delete it when you close the browser - if you set it up correctly. NoScript stops most of these downloads simply by blocking the scripts from running in the first place. Of course if you have a site whitelisted and that site gets hacked then the code will run, but that is where you hope Sandboxie will contain and remove (on close) the malware if it was not detected by your other security tools. I always close Firefox and then open a new clean sandbox when I go to do anything sensitive. (After the old sandbox shows it is empty.)

While not foolproof, I think I am fairly well protected. 3 AVs in total (1 desktop and 2 in Astaro), 2 IPS/IDS, proxy, patched systems (Secunia PSI), non-admin accounts, NoScript and Sandboxie and a ton of blocked IPs.

I run Linux on some boxes, and do not use any local AV - just Astaro's 2 proxy AV's.

So far, no infections (That I know of.) have gotten to my machine. I do a boot to an Avira rescue CD once in a while and do a full scan that way too. I also use UBCD and scan with a few good malware tools. I always come out clean.

If I missed anything, let me know!
Tri0x

17 Posts
Can you clarify how your parents' system was compromised?

Don't drive-by downloads usually require minimal user interaction, with the malicious code executed with the privilege of the browser? With IE running in protected mode in W7, wouldn't the process have a low integrity level, and wouldn't users have to click through at least one UAC prompt for any malware to be installed on the system?

Also, with AV that scans HTTP traffic "off the wire" before it gets to the browser, can it not potentially block exploit code targeting any internet-facing apps (Flash, Java, PDF, etc.)?
Tri0x
1 Posts
@DCCV: I didn't do a full forensic workup on my parents' machine. I only got the details of what a friend pulled off of the box. Hence the three scenarios.

Kevin Liston

292 Posts
ISC Handler
Thanks Kevin, nice write-up! Two additions that may help:

IE8 users can block flash on all sites except those in a white-list, as http://www.winhelponline.com/blog/disable-flash-all-but-whitelist-sites-ie8/ nicely describes.

Configuring the web browser in such a way that PDF pops up a save/open with dialog box may also help to prevent drive-by exploits (in Firefox: Tools menu, Options..., Applications tab: choose either "Save file" or "Always ask" where possible).
Erik van Straten

122 Posts
Hi all, I may well be missing something here, but all of our clients block any kind of executable from being downloaded, or coming in via email, especially those in a high-risk environment. Patches and update sites are whitelisted but restricted to set servers allowed only. As suggested above we also deploy software restriction policies for exe files that could be introduced internally. Those that have the funds use advanced content checkers to evaluate what any javascript is doing and also to scan SSL content. I have been witness to a successful compromise being delivered via SSL as it effectively bypassed every checking policy in place! On the NoScript front, not sure if anybody has any more information, but the people that develop it were designing a central admin utility to make it far easier for organisations to deploy it? I know for me I'd be interested in that for sure. Does anybody use the gpdf addon for opening PDFs? I've been using that with some success for a while.
Anonymous
I'm not sure you're giving enough credit to current AV products here. Latest gen AV products often block known/suspected browser exploits and known bad URLs. Also, maybe this qualifies as "web filters," but what about tools like WOT and SiteAdvisor?
Anonymous
