Get on-the-go access to the latest insights featured on our Trustworthy Computing blogs.
In part one of this two-part series, I focused on how drive-by download attacks work. These attacks can be complicated because they can use multiple levels of redirection enabling components of an attack to be hosted on compromised systems in different parts of the world. Despite the relative sophistication of these attacks, there are many things you can do to protect the systems you manage from being compromised by this type of attack. In this article I share some of the things you can do to protect yourself from drive-by download attacks.
Since attackers are targeting vulnerabilities in different operating systems, Web browsers, and add-ons from different software vendors, if your platform of choice is used to send/receive email or to send/receive instant messages or surf the Internet, it is important to take precautions to protect yourself. To protect yourself against drive-by download attacks you can take several precautions including:
Figure: Infection rate, Computers Cleaned per Mille (CCM) by operating system and service pack in the second quarter of 2011
Figure on left: SmartScreen Filter in Internet Explorer 8 and 9 blocks reported phishing and malware distribution sites to protect the user; figure on right: the SmartScreen Filter in Internet Explorer 8 displays a warning when a user attempts to download an unsafe file; figure below: Explorer 9 displays a warning when a user attempts to download an unsafe file
As Bing indexes the Web, pages are assessed for malicious elements or malicious behavior. Because the owners of compromised sites are usually victims themselves, the sites are not removed from the Bing index. Instead, clicking the link in the list of search results displays a prominent warning, saying that the page may contain malicious software. Bing detects a large number of drive-by download pages each month, with several hundred thousand sites hosting active drive-by pages being tracked at any given time. More details are available in part one of this series and/or in the Microsoft Security Intelligence Report.
Figure: A drive-by download warning from Bing
Many vendors in the industry are doing work to help protect users from these types of attacks. For example, a key observation in a study on security mitigation adoption that Trustworthy Computing published earlier this year is that all of the major web browser clients (such as Internet Explorer, Firefox, Safari, etc.) that were surveyed fully enable support for Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP); these mitigations make it harder for attackers to exploit vulnerabilities in Web browsers. That’s the good news. Unfortunately, 70% of the surveyed browser plug-ins did not have ASLR enabled, which means that although ASLR should be effective in default browser installations, the presence of browser plug-ins is likely to weaken ASLR.
Additional guidance for developers and IT professionals:
There is no indication that attackers are going to stop using drive-by download attacks anytime soon. As long as they continue to get a return on their investment they will continue to use this tactic. But developers, system administrators, and Internet users all have things they can do to help protect systems from compromise. I hope the information that I have provided in this two-part series will help people understand the scope of this problem and some of the effective tactics they can take to protect themselves.
Tim Rains Director Trustworthy Computing