In part one of this two-part series, I focused on how drive-by download attacks work. These attacks can be complicated because they can use multiple levels of redirection enabling components of an attack to be hosted on compromised systems in different parts of the world. Despite the relative sophistication of these attacks, there are many things you can do to protect the systems you manage from being compromised by this type of attack. In this article I share some of the things you can do to protect yourself from drive-by download attacks.

Since attackers are targeting vulnerabilities in different operating systems, Web browsers, and add-ons from different software vendors, if your platform of choice is used to send/receive email or to send/receive instant messages or surf the Internet, it is important to take precautions to protect yourself. To protect yourself against drive-by download attacks you can take several precautions including:

• Keep all software updated: keep all of the software installed on your systems up to date with the latest service packs and security updates. This continues to be the most effective practice to protect systems from exploitation. This includes the operating system(s), Web browsers, productivity suites, all applications, and software that might have been pre-installed by manufacturers. All software installed on systems must be kept up to date, whether it is used or not.
• Minimize attack surface: uninstall software and add-ons that are not used and/or not necessary. This will reduce the attack surface and simplify the amount of software you need to keep up to date on your systems. Disable unneeded software that can’t be uninstalled.
• Newer software is better: the data suggests attackers are more successful when targeting older platforms, Web browsers and document parsers. Where possible use the most recent versions of operating systems, browsers, document parsers, etc. For example, the graph below illustrates malware infection rates for supported versions of Windows; 10.9 Windows XP Service Pack 3 systems were found to be infected for every 1,000 scanned with the Microsoft Malicious Software Removal Tool, compared to 1.8 Windows 7 Service Pack 1 systems (32 bit).

Figure: Infection rate, Computers Cleaned per Mille (CCM) by operating system and service pack in the second quarter of 2011

• Use caution surfing: be selective about what Web sites you decide to connect to, and restrict the sites that corporate assets can connect to. Avoid surfing the Internet while logged onto systems as an Administrator – use accounts that have limited privileges like a standard user account. If you have servers in your environment, avoid surfing the Internet using these systems. This will help protect the directories and data that servers are typically used to store and process.
• Careful who you talk to online: be selective about the emails you open, the instant messages you interact with and the URLs you click on.
• Use anti-malware software: run anti-malware software from a trusted vendor and keep it up to date.
• Use web browser and search protections: leverage the protection technologies that are available in modern Web browsers and search engines. For example, the SmartScreen Filter built into Internet Explorer helps protect against sites known to distribute malware by blocking navigation to malicious sites or downloads. Anti-malware protection helps prevent the download of harmful software. Internet Explorer 8 added per-site ActiveX controls, which allowed users to restrict an ActiveX plug-in to one particular domain. Internet Explorer 9 introduces ActiveX Filtering, which provides users with more control over which sites can use ActiveX controls; when ActiveX Filtering is enabled, only sites that are trusted by users can run ActiveX controls. This feature reduces the attack surface by restricting the ability to run ActiveX components to trusted sites. Users can allow specific sites to run ActiveX controls through an icon in the address bar. IT administrators can also enable ActiveX Filtering via Group Policy to prevent users from downloading ActiveX controls from the Internet Zone.

Figure on left: SmartScreen Filter in Internet Explorer 8 and 9 blocks reported phishing and malware distribution sites to protect the user; figure on right: the SmartScreen Filter in Internet Explorer 8 displays a warning when a user attempts to download an unsafe file; figure below: Explorer 9 displays a warning when a user attempts to download an unsafe file

As Bing indexes the Web, pages are assessed for malicious elements or malicious behavior. Because the owners of compromised sites are usually victims themselves, the sites are not removed from the Bing index. Instead, clicking the link in the list of search results displays a prominent warning, saying that the page may contain malicious software. Bing detects a large number of drive-by download pages each month, with several hundred thousand sites hosting active drive-by pages being tracked at any given time. More details are available in part one of this series and/or in the Microsoft Security Intelligence Report.

Figure: A drive-by download warning from Bing

Many vendors in the industry are doing work to help protect users from these types of attacks. For example, a key observation in a study on security mitigation adoption that Trustworthy Computing published earlier this year is that all of the major web browser clients (such as Internet Explorer, Firefox, Safari, etc.) that were surveyed fully enable support for Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP); these mitigations make it harder for attackers to exploit vulnerabilities in Web browsers. That’s the good news. Unfortunately, 70% of the surveyed browser plug-ins did not have ASLR enabled, which means that although ASLR should be effective in default browser installations, the presence of browser plug-ins is likely to weaken ASLR.

Additional guidance for developers and IT professionals:

• Vendors should build their software with exploit mitigation technologies such as DEP, ASLR, SEHOP, and /GS enabled by default. Detailed instructions on how this can be accomplished are available at: http://msdn.microsoft.com/en-us/library/bb430720.aspx.
• Verify that your software has been built with DEP, ASLR, SEHOP, and /GS enabled by taking advantage of the free BinScope tool developed by Microsoft, which is available at: www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=90e6181c-5905-4799-826a-772eafd4440a.
• Use another free tool called the Enhanced Mitigation Experience Toolkit (EMET) to enable exploit mitigation technologies for critical applications that may be at risk of being attacked. EMET can be downloaded from: http://go.microsoft.com/fwlink/?LinkID=200220&clcid=0x409.
• To learn more about these mitigation technologies, a whitepaper is available: Mitigating Software Vulnerabilities.

There is no indication that attackers are going to stop using drive-by download attacks anytime soon. As long as they continue to get a return on their investment they will continue to use this tactic. But developers, system administrators, and Internet users all have things they can do to help protect systems from compromise. I hope the information that I have provided in this two-part series will help people understand the scope of this problem and some of the effective tactics they can take to protect themselves.

Tim Rains
Director
Trustworthy Computing