Tools to prevent drive-by attacks

The Client Approach

After you have secured your own web service against the injection of malware and exploit kits, the next task is to protect your clients on the network. To measure the extent of potential security problems, you first need an inventory of the browser plugins and any other Internet software. Client management systems, such as ACMP (Aagon) OPSI (UIB), Altiris (Symantec), or Empirum (Matrix42), have appropriate inventory modules that help accurately record and evaluate the software used along with software versions. These tools will help you develop and roll out a patch management policy for the affected applications without user intervention.

Another group of browser-checking tools is focused on home users or administrators who only have to manage a few computers. For example, the Anti-Botnet Advisory Center, also an initiative of the Internet industry association, eco, offers a review of the browser and the installed plugin versions. If the browser check finds outdated plugins, you can update by clicking a button. Unfortunately, this solution only really works reliably for popular plugins like Java and Flash. If you use specific plugins, such as the Citrix Receiver, you still need to take care of the update manually.

The same applies to the rather simplistic Check Your Plugins service by Mozilla [19]. The Qualys BrowserCheck [20] (Figure 3) does a better job, offering to install its own plugin optionally for a more intensive investigation. If this plugin is installed, it doesn't just identify most plugins reliably, it also offers advanced scanning methods – at least for Windows. You can check your current browser, as well as other installed browsers, and check the operating system security settings and the status of Microsoft patches. Qualys Business Edition – a version of the browser check for administrators – is also free. After registration [21], you can download an MSI version of the browser check plugin in the Settings section of the dashboard, which can be used to feed the plugin to Windows PCs from a central location. Alternatively, you can use a download URL for the plugin and a Quick Scan URL. The results of the scans are not sent to the user but displayed directly on the administrator's dashboard.

Figure 3: A browser check – by Qualys here – checks for outdated plugins, among other things.

Automated Updates

Antivirus vendor F-Secure takes a different approach with its new software updater. Customers who already use the F-Secure Cloud Solution Protection Service for Businesses (PSB) [22] to manage their corporate systems can now deploy the software updater to manage computers along with the antivirus client from a central location, ensuring that no outdated browsers and plugins are used. The list of supported software [23] is quite impressive – in addition to the usual suspects, such as Java, you will find candidates like Foxit Reader and the VLC media player.

BLADE (Block All Drive-by Download Exploits) is a project in the making that was created with the support of the US National Science Foundation, the U.S. Army Research Office, and the Office of Naval Research (Figure 4). BLADE consists of a series of Windows kernel extensions to prevent hidden binary installations during a drive-by attack.

Figure 4: The new security service BLADE is designed to prevent malware infections.

BLADE is being tested by the initiators with the most common browsers and daily emerging malware links; some zero-day attacks have apparently also been used in the past six months. According to the testers, BLADE has so far blocked 100 percent of the attacks, at least according to the results of evaluation lab, which are published regularly [24]. BLADE is not yet available, but in the next phase, a free version will be available for download.

HTML5 and NoScript

Browser extensions like NoScript or Flashblock can help prevent drive-by attacks. However, these plugins are of no benefit if they are installed in an outdated browser. Additionally, the don't really attempt to find any malicious code but simply disable features such as JavaScript or Flash. Because many sites are practically unusable without JavaScript, these tools are therefore probably more suitable for IT professionals. The upcoming HTML5 standard will certainly contribute to greater safety because plugins such as Flash are no longer required for displaying video, thus reducing the number of products with software vulnerabilities.

Another approach to client protection is not to use locally installed browsers or other Internet software. Instead, the browser is launched in an enclosed environment, like a virtual machine. As an alternative, you can use a Live medium (e.g., a Linux Live DVD or a USB flash drive) and run the browser installed there. One reason not to use Live media, of course, is the overhead of the necessary reboot and the quick obsolescence of browsers on Live CDs. Sirrix [25] offers Browser in the Box, a solution in which the browser is launched in a local VirtualBox VM. The VM is based on a hardened Debian 6 Linux with SELinux and the current Firefox browser. The single-user version is available for download free of charge; the enterprise version is only supplied in combination with a web gateway and a management system.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Kaspersky Analysis: Black Market in Botnets

    Virus analyst Yury Namestnikov investigated the structure, functionality and business model of botnets for antivirus firm Kaspersky Lab with some surprising results.

  • Of Money Mules and Cyber Criminals

    A new article by Roel Schouwenberg, Senior Antivirus Researcher at the Kaspersky Lab, has drawn attention to the increased use of malware in cyber attacks on financial institutions.

  • USENIX Security 2008

    The 17th Security Symposium met in San Jose, California, USA, during the week of July 28, with a refereed paper track and Invited Talks.

  • Security Lessons

    Sometimes, even ING, YouTube, The New York Times, and Google get it wrong.

  • Backdoors

    Backdoors give attackers unrestricted access to a zombie system. If you plan to stop the bad guys from settling in, you’ll be interested in this analysis of the tools they might use for building a private entrance.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More