BLADE Cuts Out ‘Drive-bys’

Thursday, October 7, 2010 @ 06:10 PM gHale

Insecure Web browsers and the growing number of complex applets and browser plug-in applications are allowing malicious software to spread faster than ever on the Internet.
Some websites end up installing spyware or other malicious code on computers without the user’s knowledge or consent.
These “drive-by downloads” signal a shift away from using spam and malicious e-mail attachments to infect computers. Around 560,000 websites, and 5.5 million Web pages on those sites, suffered from malware infections during the fourth quarter of 2009.
There is a new tool out there that can eliminate those drive-by download threats. BLADE, which stands for Block All Drive-By Download Exploits, is browser-independent and designed to eliminate all drive-by malware installation threats, said researchers from the Georgia Institute of Technology and California-based SRI International.
“By simply visiting a website, malware can be silently installed on a computer to steal a user’s identity and other personal information, launch denial-of-service attacks, or participate in botnet activity,” said Wenke Lee, a professor in the School of Computer Science in Georgia Tech’s College of Computing. “BLADE is an effective countermeasure against all forms of drive-by download malware installs because it is vulnerability and exploit agnostic.”
The researchers evaluated the tool on multiple versions and configurations of Internet Explorer and Firefox. BLADE successfully blocked all drive-by malware installation attempts from the more than 1,900 malicious websites tested. The software produced no false positives and required minimal resources from the computer. Major antivirus software programs caught less than 30 percent of the more than 7,000 drive-by download attempts from the same websites.
“BLADE monitors and analyzes everything that is downloaded to a user’s hard drive to cross-check whether the user authorized the computer to open, run or store the file on the hard drive. If the answer is no to these questions, BLADE stops the program from installing or running and removes it from the hard drive,” said Georgia Tech graduate student and team member Long Lu.
Because drive-by downloads bypass the prompts users typically receive when a browser is downloading an unsupported file type, BLADE tracks how users interact with their browsers to distinguish downloads that received user authorization from those that do not. To do this, the tool captures on-screen consent-to-download dialog boxes and tracks the user’s physical interactions with these windows. In addition, all downloads end up saved in a secure zone on a user’s hard drive so BLADE can assess the content and prevent any malicious software from executing.
“Other research groups have tried to stop drive-by downloads, but they typically build a system that defends against a subset of the threats,” Lee said. “We identified the one point that all drive-by downloads have to pass through, downloading and executing a file on the computer, and we decided to use that as our chokepoint to prevent the installs.”
BLADE testing showed the applications most frequently targeted by drive-by download exploits included Adobe Reader, Sun Java and Adobe Flash, with Adobe Reader attracting almost three times as many attempts as the other programs. Computers using Microsoft’s Internet Explorer 6 felt the effects of more drive-by downloads than those using versions 7 or 8, while Firefox 3 had a lower browser infection rate than all versions of Internet Explorer. Among the more than 1,900 active malicious websites tested, the Ukraine, United Kingdom and United States were the top three countries serving active drive-by download exploits.
The user can easily white-list legitimate web addresses allowed to download content to a user’s computer without explicit permission, such as browser or plug-in auto-updates. So, that functionality will not feel the effects of BLADE.
The researchers have also developed countermeasures so malware publishers cannot circumvent BLADE by installing the malware outside the secure zone or executing it while it is under quarantine.
While BLADE is highly successful in thwarting drive-by download attempts, the development team admits that BLADE will not prevent social engineering attacks. Internet users are still the weakest link in the security chain, they said.
“BLADE requires a user’s browser to be configured to require explicit consent before executable files are downloaded, so if this option is disabled by the user, then BLADE will not be able to protect that user’s Web surfing activities,” Lee said.
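To make the chokepoint described above concrete, here is an added example (not BLADE's own code, and not from the Georgia Tech or SRI team) that models the policy the article lays out: every browser download lands in a secure zone first, and a file leaves that zone only if it can be tied to a consent dialog the user physically interacted with, or if its origin is white-listed. It also models the caveat from the last quote: when the browser is not configured to prompt before executable downloads there is no dialog to correlate, so the monitor reports the download as unprotected rather than pretending to decide. The host names, file names, time values and the 30-second consent window are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed model of the policy the article describes, not BLADE's code.
CONSENT_WINDOW_SECONDS = 30.0  # assumption: a consent click covers a write within 30 s


@dataclass
class ConsentEvent:
    """A consent-to-download dialog captured on screen (constructed record)."""
    time: float
    origin: str         # host of the page that raised the dialog
    filename: str
    user_clicked: bool  # True only for a physical mouse/keyboard action on the dialog


@dataclass
class DownloadEvent:
    """A file the browser wrote into the secure zone (constructed record)."""
    time: float
    origin: str
    filename: str
    executable: bool


@dataclass
class Verdict:
    action: str  # "release", "release-whitelisted", "quarantine", "unprotected"
    reason: str


@dataclass
class BladeMonitor:
    whitelist: Set[str] = field(default_factory=set)   # origins allowed without consent
    browser_prompts_before_executables: bool = True     # the browser setting BLADE relies on
    _consents: List[ConsentEvent] = field(default_factory=list)

    def record_consent(self, ev: ConsentEvent) -> None:
        self._consents.append(ev)

    def _take_matching_consent(self, dl: DownloadEvent) -> Optional[ConsentEvent]:
        """Find and consume one clicked consent for this origin/filename inside the window."""
        for i, c in enumerate(self._consents):
            if (c.origin == dl.origin and c.filename == dl.filename and c.user_clicked
                    and 0.0 <= dl.time - c.time <= CONSENT_WINDOW_SECONDS):
                return self._consents.pop(i)  # one consent releases exactly one file
        return None

    def decide(self, dl: DownloadEvent) -> Verdict:
        if dl.origin in self.whitelist:
            return Verdict("release-whitelisted", f"{dl.origin} is on the white-list")
        if not dl.executable:
            return Verdict("release", "not an executable; outside the install chokepoint")
        if not self.browser_prompts_before_executables:
            return Verdict("unprotected", "browser does not prompt before executable "
                                          "downloads, so consent cannot be correlated")
        consent = self._take_matching_consent(dl)
        if consent is None:
            return Verdict("quarantine", f"{dl.filename} from {dl.origin} has no "
                                         "user-authorized consent dialog; kept in the secure zone")
        return Verdict("release", f"user clicked the consent dialog at t={consent.time:.0f}s")


def run_scenarios() -> Dict[str, str]:
    """Constructed download sequence; returns filename -> action."""
    m = BladeMonitor(whitelist={"updates.browser.example"})
    # the user explicitly saves an installer
    m.record_consent(ConsentEvent(100.0, "downloads.example.net", "setup.exe", True))
    # a script opened a dialog, but nothing physically interacted with it
    m.record_consent(ConsentEvent(200.0, "ad.example.org", "player.exe", False))
    events = [
        DownloadEvent(102.0, "downloads.example.net", "setup.exe", True),
        DownloadEvent(103.0, "downloads.example.net", "bonus.exe", True),  # tries to ride the same click
        DownloadEvent(201.0, "ad.example.org", "player.exe", True),
        DownloadEvent(250.0, "ad.example.org", "update.exe", True),        # silent write, no dialog
        DownloadEvent(260.0, "updates.browser.example", "patch.exe", True),
        DownloadEvent(270.0, "ad.example.org", "banner.png", False),
    ]
    return {e.filename: m.decide(e).action for e in events}


def action_when_prompts_disabled() -> str:
    """The caveat from the article: no prompt, nothing to correlate."""
    m = BladeMonitor(browser_prompts_before_executables=False)
    return m.decide(DownloadEvent(0.0, "ad.example.org", "x.exe", True)).action


if __name__ == "__main__":
    for name, action in run_scenarios().items():
        print(f"{name:12s} -> {action}")
    print("prompts disabled ->", action_when_prompts_disabled())
```

Two design points carry over from the article: a consent is consumed once, so a single click cannot authorize a second file slipped in behind it, and a dialog that was shown but never physically interacted with counts as no consent at all, which is why `player.exe` stays in the secure zone.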
