Tuesday, February 16, 2010

Drive-by Downloads: What They Are and How to Defend Against Them

Microsoft's Mark H. Walker wrote a classic article that still holds true today. With the number of trojans and malware that I keep seeing on customer computers, I think right now is a good time to share most of Walker's article here about the dangers of drive-by downloads. Although the article has been around for quite a while and refers mostly to features found in IE 7, it is still pertinent today:

Drive-by downloading is a catch-all name for software downloaded on your computer without your knowledge or intervention. Drive-by downloading is different from phishing, which misleads users by using authentic-appearing sites that deceive users into entering sensitive information, and different from pop-ups, which fool users into agreeing to download software. Drive-by downloads sneak onto computers without the user’s knowledge or permission.

Some of the most common drive-by download carriers are songs from free music share sites, free screensavers, etc. Many of these install spyware that monitors your surfing habits, and then displays pop-ups that match your habits. For example, if you invest a good chunk of your Internet time cruising sport sites, the spyware detects this, and it could then splash sporting apparel ads on your monitor. Drive-by downloads can also attack your computer through e-mail spam (as shown below). For this article, we will concentrate on the browsing threat and what Internet Explorer 7 does to help combat it.

What should this be? It’s genuine spam. I took the screen from my own Outlook Junk Mail folder.

Stopping the Drive-By Threat

In the past, malware could download and install by exploiting URL handling problems within the browser.  Hackers would use an HTML link that referenced a URL containing unusual or excessive characters.  Parsing the link would cause the user’s computer buffer to overflow and execute malicious code. A basic rewrite of the code in Internet Explorer 7 helps prevent this, providing not only greater reliability, but also more flexibility to address unforeseen changes in the Internet.

Also in Internet Explorer 7 is code that requires browser windows, not just the main browser window, to display an address bar.  This helps clamp down on the proliferation of pop-up windows that appear to be from a reputable site, yet lead instead to a less than reputable site. This, coupled with the pop-up blocker, helps put the brakes on this form of the drive-by-download.

Everything is Not What it Seems

For example, say there is a thirteen-year-old middle-school student with a passion for music and no money to spend on it. Hence, she scours the Internet for free music downloads. A malicious file-sharing site pops up what appears to be a reputable window for a nationally recognizable product, a window that asks for her name and mailing address. She fills in the window, and two weeks later her family’s mailbox is flooded with junk mail. This is an example of cross-domain scripting—a malicious site controlling the script from another, usually reputable, domain.
Again, Internet Explorer has taken steps to minimize this form of malicious invasion by recoding Internet Explorer to increase assurance that domains can only control their own sites.  By doing so, the program reduces the misbehaving Web page’s chance of accessing the reputable site.

What You Don’t Know Can Hurt You

Of course the classic type of drive-by-download is the download that enters your computer without deception and without your permission.  Many of these downloads enter as riders on downloaded files, but some enter through malicious Web sites.

The best remedy to files entering the computer through downloaded software may be the Windows Defender anti-spyware program.  The program can return your browser to its default settings—the settings present before malicious drive-by-downloads altered them.  Even better, it can help prevent “piggybacked” spyware from entering your hard drive.
Tip: Windows Defender can only lessen the chance of malicious software entering your computer while browsing.  It does not prevent entry through your e-mail, although it can scan your hard drive and remove the spyware after entry.

Perhaps the best way to reduce drive-by-download intrusion is with a new option offered in Internet Explorer 7.  The mode is titled Protected Mode.  Simply put, Protected Mode blocks access to your computer.  Specifically, when Protected Mode is enabled, Internet Explorer cannot modify user or system files or settings.

The Best Defense

Although the Protected Mode and Windows Defender, as well as other programs, are excellent tools in the fight to stop drive-by-downloads from infecting computers, sometimes a good offense is the best defense.

Users need to take ownership of their computers and their browsing habits to avoid damaging drive-by-download attacks. Here’s how.

Use Common Sense

Don’t seek or browse disreputable Internet sites or sites that rely heavily on pop-up ads for revenue.  Common sites that fall into this category include free file sharing, bootleg game, bootleg video, and porn sites.  If whatever a site is offering seems too good to be true, then it probably is.
Example of Phishing Filter.

Second, it’s a good idea to turn on your phishing filter, as shown above. Doing so might help you to spot misbehaving Internet sites.  If in doubt, have Microsoft check the dubious Web site. You can do this by selecting Tools>Phishing Filter>Check This Website.
Example of Phishing Filter Check.

Block Pop-Ups

There is little, if any, use for pop-ups.  So if you don’t need them, why look at them?  Beginning with Windows XP Service Pack 2 and continuing into Internet Explorer 7 and 8, Internet Explorer offers a pop-up blocker.  Because many drive-by-downloads are driven through pop-ups, I suggest that you use Internet Explorer’s pop-up blocker.
To turn on the pop-up blocker click on Tools>Pop-Up Blocker>Turn on Pop-Up Blocker. There is, however, a drawback. The pop-up blocker will also block desirable downloads or legitimate pop-up windows.
Example of Pop-up Blocker.

But hey, Internet Explorer doesn’t keep any secrets from you.  The browser will pop a window (as shown above) notifying you of the blocked pop-up. To display the pop-up or download the file, you need only right-click on the Information Bar and choose Temporarily Allow Pop-Ups.
Tip: If the pop-up is displayed by a site that you trust, you can choose to always allow pop-ups from the site. In fact, by selecting Tools>Pop-Up Blocker>Pop-Up Blocker Settings, you may alter your pop-up blocker settings in greater detail.
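Because both Protected Mode (described earlier) and the pop-up blocker are per-user settings stored in the registry, a defender can audit them without clicking through the Tools menu on every machine. The script below is an added example, not code from Walker's article or from Microsoft; it assumes the IE 7/8 registry layout, in which value 2500 under each security zone key encodes Protected Mode (0 = on, 3 = off), PopupMgr under the New Windows key is REG_SZ "yes"/"no" on IE 7 and DWORD 1/0 on IE 8, and the Allow subkey holds per-site pop-up exceptions.

```powershell
# Added example (not from Walker's article): report the current user's
# Protected Mode and Pop-up Blocker settings straight from the registry.
# Assumed layout: Zones\<n>\2500 = 0 (on) / 3 (off); New Windows\PopupMgr =
# "yes"/"no" (IE 7) or 1/0 (IE 8); New Windows\Allow lists exempted sites.
$zonesKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$popupKey  = 'HKCU:\Software\Microsoft\Internet Explorer\New Windows'
$zoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-IeProtectedModeStatus {
    foreach ($zone in 1..4) {
        $props = Get-ItemProperty -Path (Join-Path $zonesKey $zone) -ErrorAction SilentlyContinue
        $state = switch ($props.'2500') { 0 { 'On' } 3 { 'Off' } default { 'Not set' } }
        [pscustomobject]@{ Zone = $zoneNames[$zone]; ProtectedMode = $state }
    }
}

function Get-IePopupBlockerStatus {
    $props   = Get-ItemProperty -Path $popupKey -ErrorAction SilentlyContinue
    $enabled = ($props.PopupMgr -eq 'yes') -or ($props.PopupMgr -eq 1)
    # Each value name under Allow is a site the user chose to always allow.
    $allowed = @()
    if (Test-Path "$popupKey\Allow") {
        $allowed = (Get-Item -Path "$popupKey\Allow").GetValueNames()
    }
    [pscustomobject]@{ BlockerEnabled = $enabled; AllowedSites = $allowed }
}

# Print the findings and flag the two settings the article recommends keeping on.
$pm = Get-IeProtectedModeStatus
$pm | Format-Table -AutoSize
$internet = $pm | Where-Object { $_.Zone -eq 'Internet' }
if ($internet.ProtectedMode -ne 'On') {
    Write-Warning 'Protected Mode is not enabled for the Internet zone.'
}
$pb = Get-IePopupBlockerStatus
if (-not $pb.BlockerEnabled) { Write-Warning 'Pop-up Blocker is turned off.' }
foreach ($site in $pb.AllowedSites) { "Pop-ups always allowed from: $site" }
```

The Allow list is worth reviewing as closely as the on/off switch: a site that was whitelisted once, perhaps by a second user of the machine, stays exempt from the blocker until it is removed in Pop-Up Blocker Settings.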

Manage Your Add-ons

Another tool to help you manage, reduce the risk of, or minimize the hazard of drive-by downloads is Internet Explorer's add-on manager.  You can access the manager through the Tools menu. Select Tools>Manage Add-Ons. This displays the Add-On Manager window as shown below.
Managing Your Add-ons.

In this window, you may scroll through all the add-ons that Internet Explorer uses. Furthermore, you can use the drop-down menu at the top of the window to browse the add-ons by four categories: Add-ons that have been used by Internet Explorer, Add-ons currently loaded in Internet Explorer, Add-ons that load when Internet Explorer starts, and Downloaded ActiveX Controls. There are two types of add-ons that should raise a red flag: those that you don’t recognize and those that are not verified. Unrecognized add-ons that are verified by Microsoft are fine, but those that are not verified should be investigated or disabled from within the add-on manager.
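The "verified / not verified" column in the Add-on Manager is ultimately a question of whether the add-on's DLL carries a valid Authenticode signature. The script below is an added example, not code from Walker's article or from Microsoft; it enumerates the Browser Helper Objects registered for IE and checks each DLL's signature, assuming BHOs are registered under the two Browser Helper Objects keys shown and that each CLSID's InprocServer32 default value names the DLL.

```powershell
# Added example (not from Walker's article): list IE Browser Helper Objects
# and verify the Authenticode signature of each DLL, the registry-level
# equivalent of the Add-on Manager's verified / not verified distinction.
# Assumptions: BHOs are registered under $bhoKeys; InprocServer32's default
# value holds the DLL path (REG_EXPAND_SZ is expanded before use).
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Resolve-ClsidDll([string]$clsid) {
    # 32-bit components on 64-bit Windows are registered under Wow6432Node\CLSID.
    foreach ($root in 'HKEY_CLASSES_ROOT\CLSID', 'HKEY_CLASSES_ROOT\Wow6432Node\CLSID') {
        $key = "Registry::$root\$clsid"
        if (Test-Path "$key\InprocServer32") {
            $name = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
            $dll  = (Get-ItemProperty -Path "$key\InprocServer32").'(default)'
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
            return [pscustomobject]@{ Name = $name; Dll = $dll }
        }
    }
    return $null
}

function Get-IeBrowserHelperObject {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid  = $sub.PSChildName
            $info   = Resolve-ClsidDll $clsid
            $status = 'UnregisteredClsid'   # BHO entry with no matching CLSID
            $signer = ''
            if ($info -and $info.Dll -and (Test-Path $info.Dll)) {
                $sig    = Get-AuthenticodeSignature -FilePath $info.Dll
                $status = $sig.Status        # Valid, NotSigned, HashMismatch, ...
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            } elseif ($info) {
                $status = 'DllMissing'
            }
            [pscustomobject]@{ Clsid = $clsid; Name = $info.Name; Dll = $info.Dll
                               Signature = $status; Signer = $signer }
        }
    }
}

# Unsigned, tampered or orphaned add-ons sort to the top for review; disable
# them from Tools > Manage Add-Ons rather than deleting registry keys by hand.
Get-IeBrowserHelperObject | Sort-Object { $_.Signature -eq 'Valid' } | Format-Table -AutoSize
```

A Valid status only proves the DLL is signed by a certificate the machine trusts, so the Signer column still deserves a look; a BHO whose CLSID no longer resolves, or whose DLL is missing, is a common leftover of partially removed adware.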

Drive-by-downloads are no laughing matter, but with the new security features incorporated in Internet Explorer, and common sense Internet usage, they can be dramatically reduced.

The following are Web sites with additional information on drive-by-downloads and adware:

Internet Explorer Blog
http://blogs.msdn.com/ie/
Internet Explorer Development Center
http://msdn.microsoft.com/ie/default.aspx
