
New Tool Blocks Downloads From Malicious Sites

Posted by timothy
from the we're-from-the-government-and-we're-here-to-help dept.
Hugh Pickens writes "Science Daily Headlines reports that a new tool has been developed (funded by the National Science Foundation, US Army Research Office and US Office of Naval Research) to prevent 'drive-by downloads' whereby simply visiting a website, malware can be silently installed on a computer to steal a user's identity and other personal information, launch denial-of-service attacks, or participate in botnet activity. The software called Blade — short for Block All Drive-By Download Exploits — is browser-independent and designed to eliminate all drive-by malware installation threats by tracking how users interact with their browsers to distinguish downloads that received user authorization from those that do not. 'BLADE monitors and analyzes everything that is downloaded to a user's hard drive to cross-check whether the user authorized the computer to open, run or store the file on the hard drive. If the answer is no to these questions, BLADE stops the program from installing or running and removes it from the hard drive,' says Wenke Lee, a professor in the School of Computer Science in Georgia Tech's College of Computing. Blade's testbed automatically harvests malware URLs from multiple whitehat sources on a daily basis and has an interesting display of the infection rate of different browsers, the applications targeted by drive-by exploits, and the anti-virus detect and miss rates of drive-by binaries."
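The summary describes BLADE as cross-checking each browser-delivered file against whether the user actually authorized it. The following is an added illustration of that correlation idea, not BLADE's own code: a file write by a browser process counts as authorized only if a user consent event for the same file name occurred shortly before it. Process names, the 30-second window and all event data are constructed assumptions for the example.

```python
"""
Added example of a BLADE-style authorization cross-check (not the BLADE
project's code). A browser-originated file write is treated as user-
authorized only when a consent event (the user clicking "Save"/"Open" in a
download dialog) for that file name precedes it within a short window.
All events below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: a consent dialog must precede the write by at most 30 seconds.
CONSENT_WINDOW = timedelta(seconds=30)

# Assumption: processes whose file writes are subject to the check.
BROWSER_PROCESSES = {"firefox.exe", "iexplore.exe", "chrome.exe"}


@dataclass(frozen=True)
class ConsentEvent:
    ts: datetime
    process: str      # browser process that showed the dialog
    filename: str     # file name the user agreed to save or open


@dataclass(frozen=True)
class WriteEvent:
    ts: datetime
    process: str      # process that created the file on disk
    path: str         # full path that was written


def _basename(path: str) -> str:
    """Last path component, accepting both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def unauthorized_writes(consents, writes):
    """Return browser-originated writes that no timely consent event explains."""
    by_name = {}
    for c in consents:
        by_name.setdefault(c.filename.lower(), []).append(c)
    flagged = []
    for w in writes:
        if w.process.lower() not in BROWSER_PROCESSES:
            continue  # non-browser writes are outside the scope of this check
        name = _basename(w.path).lower()
        authorized = any(
            c.process.lower() == w.process.lower()
            and timedelta(0) <= w.ts - c.ts <= CONSENT_WINDOW
            for c in by_name.get(name, [])
        )
        if not authorized:
            flagged.append(w)
    return flagged


# Constructed sample events: one real download, one silent drop into Temp,
# one write whose consent is stale, and one write by a non-browser process.
T0 = datetime(2010, 10, 10, 15, 9, 0)
CONSENTS = [
    ConsentEvent(T0, "firefox.exe", "report.pdf"),
    ConsentEvent(T0 + timedelta(minutes=5), "firefox.exe", "setup.exe"),
]
WRITES = [
    WriteEvent(T0 + timedelta(seconds=3), "firefox.exe", r"C:\Users\u\Downloads\report.pdf"),
    WriteEvent(T0 + timedelta(seconds=4), "firefox.exe", r"C:\Users\u\AppData\Local\Temp\svc.exe"),
    WriteEvent(T0 + timedelta(minutes=10), "firefox.exe", r"C:\Users\u\Downloads\setup.exe"),
    WriteEvent(T0 + timedelta(seconds=5), "winword.exe", r"C:\Users\u\Documents\notes.docx"),
]


def demo():
    """File names the check would flag for the sample data above."""
    return [_basename(w.path) for w in unauthorized_writes(CONSENTS, WRITES)]


if __name__ == "__main__":
    print(demo())  # ['svc.exe', 'setup.exe']
```

The stale consent for setup.exe is rejected deliberately: a dialog the user accepted minutes earlier says nothing about a later write, which is the kind of edge a consent-correlation approach has to handle rather than wave through.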
  • Not new, vaporware (Score:5, Informative)

    by Rurik (113882) on Sunday October 10, 2010 @03:09PM (#33853662)

    Great idea, and I can't wait for it to surface. But, don't get your hopes up. Brian Krebs reported on this back in February (http://krebsonsecurity.com/2010/02/blade-hacking-away-at-drive-by-downloads/) and it's been vaporware the entire time. Demo videos look great, but there has been absolutely no public movement on the project since this spring.

    When it gets released, THEN post something to /.

    • by Moryath (553296) on Sunday October 10, 2010 @03:34PM (#33853848)

      I don't know about progress or eventual usability, but they definitely come up pretty high on the "tortured acronym" list...

      • by znerk (1162519)

        ...they definitely come up pretty high on the "tortured acronym" list...

        Try removing "Drive-By" from the name...
        BLock All Download Exploits
        I'm wondering if the "drive-by" portion is added by the journalists to play at their readers' level, or if it was an assumption of the potential customers' reading comprehension level by some dweeb in marketing.

        • "Blade — short for Block All Drive-By Download Exploits"

          Typical government acronyms. A lot of government agencies and defense contractors feel the need to give their product some stupid ass name like this to imply that it's a powerful program. I mean, it's called BLADE! It must be good. This is usually more important than actually describing what the device does. Thus, we end up with a lot of bullshit devices like "Kill, blade, death" and so on that all sound like doomsday devices but are real
          • It's even worse for studies in medicine, where I think they come up with a word and then just put out a phrase where about half the words are dropped in order to fit the backronym. For example: ALLHAT - The Antihypertensive and Lipid-Lowering Treatment to Prevent Heart Attack Trial.

            • by Moryath (553296)

              At least they're not trying to be ALL THAT... though with your acronym they easily could have :P

          • by mpeskett (1221084)
            See also: the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act
    • Agreed. I clicked the links, looking for a "Download now" link. No release version. No beta version. No alpha version. Nothing. Heck, give me a PREalpha, alright? I'll make a windows VM, and browse all the worst sites I've ever heard of, and search out more, to see what happens. I'll even use Ye Olde Internet Exploder version 6 to test it with. Alas - my competence with vaporware is sadly lacking.
    • But if it was published then, we would be crying about Slashvertisement.

  • by SpacePunk (17960) on Sunday October 10, 2010 @03:19PM (#33853722) Homepage

    Just like flying cars, warp travel, or a cure for cancer.

    WTF folks. Why link it if it's not available? Sure, the "golly gee wiz" effect might get a whole five minutes if someone reads very slowly, but if it's not available then linking to it doesn't do anybody any good. By the time it does become available it will be long forgotten to all except those that make out a 3x5 card and tack it up on the wall.

  • Prior art (Score:3, Interesting)

    by srussia (884021) on Sunday October 10, 2010 @03:21PM (#33853742)
    From TFS: "BLADE monitors and analyzes everything that is downloaded to a user's hard drive to cross-check whether the user authorized the computer to open, run or store the file on the hard drive. If the answer is no to these questions, BLADE stops the program from installing or running and removes it from the hard drive."

    Sounds like Mac OS X.
    • Re: (Score:3, Interesting)

      by Kemanorel (127835)

      I was thinking more along the lines of:

      Well, it's called Tron. It's a security program itself, actually. It monitors all contacts between our system and other systems. It finds anything going on that's not scheduled, it shuts it down. I sent you a memo on it.

      Life mirrors art? Then again, maybe I just have Tron on my brain after seeing an extended 3-D preview of Tron: Legacy at Disney's California Adventure on Friday. If anyone reading this can, I highly recommend visiting DCA to see the ElecTRONica section they have going on (Friday through Sunday nights). Flynn's Arcade is pretty well done.

      No, I am in no way affiliated with Disney either. Just a fan of Tron.

      • That was a really great suit, by the way.

        Next time, though, lose the glasses and tailor the crotch to fit a man, not a woman.
    • "...to cross-check whether the user authorized the computer to open, run or store the file on the hard drive."

      I run Windows in admin mode, which of course permits these activities. Thus it seems BLADE would do nothing for me and my ilk.
    • Sounds like Mac OS X.

      Except that Mac OS X isn't funded by the US military. I'm not an Apple fan, but their motives are all up front: they want your money.

      • by Macrat (638047)

        Except that Mac OS X isn't funded by the US military. I'm not an Apple fan, but their motives are all up front: they want your money.

        You think the Military works for free? They want your money too.

    • It also sounds like many of the firewall solutions we have today. We have firewalls that already block malware infested sites, through either the host file or through their own mechanism, and that will intercept/sandbox/delete anything that gets downloaded/launched without the user's explicit permission. And we have firewalls/anti-virus solutions that automatically update themselves with the latest lists of blocked ip addresses, the latest lists of virus/malware signature definitions, and several that will e

      • by mlts (1038732) *

        We have those solutions (BlueCoat for one). However, most of the infections don't come from sites with good network security admins that have the budget for those appliances. Some malware gets past the firewalls (likely someone deciding they can tether their corporate PC to their cellphone and download pr0n that way) hits a company with competent network admins, the IDS blows, then the offending machines will be booted off the switch and shunted to a remediation server so fast, the bits will fly.

        The infec

    • sounds like what every anti-virus should be doing.

      • by mlts (1038732) *

        I'd rather have it part of the OS. Almost all the functionality of antivirus programs should be at a lower level, although having signature scanning and the host based IDS available from different vendors will make it harder for a blackhat to make a "one size compromises all" piece of malware.

        Ideally, it would be nice to have some features as part of the OS, including (but not limited to):

        IP blacklisting. Of course, stuff can be whitelisted, but having the ability for a machine to grab a database of IPs t

    • No, that doesn't sound like Mac OSX, which is somewhat more open than Microsoft Windows (the OS fundamentals are OS). Are you thinking of iOS?

  • But the data available to the browser and the programmability of the web browser must be inconsistent - there must be something that a webpage can do that is impossible to detect whether or not a human or a computer did it.

    Take clickjacking for example, you trick people into clicking somewhere.

    Although I love the idea. This could be extended to be social too: how many people ACTUALLY initiated this installation compared to it happening by itself? If nobody initiated it themselves, you can safely brand it ma

  • by Anonymous Coward

    The day the army/navy/government are responsible for my 'defence' online is coming. It's a red-pill blue-pill thing and I think I will prefer to keep the status-quo, chancing it with the malware from the safety of my linux PC. Running to the military to 'protect me' is simply naff, particularly online.

    • by jonbryce (703250)

      Law enforcement does have a role to play, though obviously it is not the whole solution. These attacks are no longer carried out by script kiddies for the hell of it. They are well organised criminal gangs who do it to make money. The criminal gangs who ram-raid banks and shops selling high value items are something the police etc deal with, even though the banks and shops concerned take security measures to try and make life more difficult for them. These people, or at least some of them are raiding ba

  • What the fuck (Score:5, Insightful)

    by Anonymous Coward on Sunday October 10, 2010 @03:31PM (#33853818)

    You need a special tool to not automatically download and run the first program your web browser sees?

    Downloads shouldn't start automatically. Downloads shouldn't run automatically.

    Yet even sourceforge doesn't provide copy and paste friendly download links anymore. It's got to automatically start your download for you because you're just too fucking lazy to make one more click.

    BADBDE. Fail.

    • Re: (Score:3, Interesting)

      by Yvan256 (722131)

      I'm guessing they want to prevent other websites from linking to the downloads directly and have them link to the project webpage instead.

    • Re:What the fuck (Score:4, Insightful)

      by MobileTatsu-NJG (946591) on Sunday October 10, 2010 @04:04PM (#33854068)

      Yet even sourceforge doesn't provide copy and paste friendly download links anymore. It's got to automatically start your download for you because you're just too fucking lazy to make one more click.

      Actually that's an extra stop to serve you ads.

    • Re:What the fuck (Score:4, Insightful)

      by Arker (91948) on Sunday October 10, 2010 @04:24PM (#33854192) Homepage Journal
      Yeah, this thing (even if it weren't vapour-ware) is papering over the problem many layers up, instead of fixing it in the first place. If a browser permits "drive by" downloads like this, it's got a bug, and it should be fixed there. (And yes, firefox is incredibly buggy in this regard, but at least it's easily patched with extensions.)
      • 3rd Party (Score:3, Insightful)

        by DrYak (748999)

        If a browser permits "drive by" downloads like this, it's got a bug, and it should be fixed there.

        But it can't be fixed there.
        If you RTFA, you'll notice in their stats that the largest proportion of all threats exploit bugs in Adobe Acrobat and Flash plugins.
        No amount of coding in Firefox can fix bugs in Adobe software, short of reverse engineering the plugin and applying binary patches on load to fix it (which should be considered a violation of the plugin's license, in the jurisdiction where Firefox' development is happening).

        The only real long-term solution would be to completely drop the proprietary p

      • Re: (Score:3, Insightful)

        by Lord Ender (156273)

        Modern security relies on the wise supposition that there are and will always be flaws, therefore multiple layers of protection are employed to minimize the possibility of those flaws affecting you. This is called "defense in depth."

    • Re:What the fuck (Score:5, Informative)

      by sela (32566) on Sunday October 10, 2010 @06:18PM (#33854814) Homepage

      You are right, download shouldn't run automatically. And actually, no browser intentionally allows downloading programs automatically.

      Unfortunately, internet browsers are a quite complex piece of software which connects to a lot of other complex libraries, and each of these software elements may contain security vulnerabilities, used by exploits that download and run malicious code. The idea is this: some hacker finds out about a security bug in some Windows library (which could be a result of things like a buffer overflow bug), such as the library that displays some file format (WMF, AVI etc.), ActiveX, JavaScript etc., and then embeds in a website some file that uses this exploit (Windows metafile, embedded video etc.). Such vulnerabilities are being discovered all the time, and Microsoft keeps releasing new security patches that fix these bugs, but from the moment the bug is discovered to the moment you download a security update there is enough time where your computer is exposed to such exploits.

      I don't think it is realistic to expect software to be free of such vulnerabilities. Every OS has them. Fortunately for people using other OSes such as Linux, it is not targeted as much as Windows by hackers because it is not as common as a desktop OS, and the fact that most users do not run as admins also helps to reduce the potential damage of a malware. I believe there are other ways to reduce exposure to such exploits: for example, use data execution prevention and use a sandbox to isolate the browser and all the libraries it uses from the rest of the system. However, you need to design the system from the ground up to be able to implement these measures properly.

      • by mlts (1038732) *

        Even if a browser is free of holes, add-ons are always an issue.

        Ideally, there needs to be protection from the OS on up. This way, the OS puts the browser in a jail, VM, or sandbox, separating browser instances (windows, tabs) from each other. Since the instances are in different contexts, a browser window to a bank is not affected (or data changed in transit) by a browser window to a blackhat site that has executable code to execute in the browser's context. Techniques like copy on write from the browse

    • by REggert (823158)

      Drive-by downloads are not typically downloaded by your browser (except in the case of exploits targeting vulnerabilities in the browser itself). They are usually downloaded by browser plugins (such as Flash, Adobe Reader, various ActiveX controls, etc.) that contain vulnerabilities that are exploited (either via JavaScript or by specially crafted media files), and the payload of the exploit (the "shellcode") downloads and executes some Trojan EXE. It has absolutely nothing to do with downloads that are i

  • Easiest option: (Score:3, Insightful)

    by twidarkling (1537077) on Sunday October 10, 2010 @03:33PM (#33853840)

    How about instead of having some program trying to figure out who's installing a program, how about no program can install another program? Download only, and it sits harmlessly until the user specifically goes, finds it, and runs it. In fact, have at the OS level, a captcha that needs to be filled in before a program installs. How's that? Think that'll stop anything? Probably work better than BLADE anyway.

    • Re: (Score:3, Informative)

      by eulernet (1132389)

      Try Comodo Personal Firewall, it already warns when a new program tries to install on your computer, and it's free.

    • by tomhath (637240)

      how about no program can install another program? Download only, and it sits harmlessly until the user specifically goes, finds it, and runs it.

      Because "user...runs it" really means "user runs a program that runs it"; i.e. user runs a program that could have an exploit which fills in the captcha and installs the malware.

      I was a bit surprised that the Applications Targeted by Drive-By Exploits graph indicates Java about 25% of the time, roughly half the rate of Internet Explorer. And I dislike Adobe software even more after looking at that graph.

    • Re:Easiest option: (Score:5, Insightful)

      by znerk (1162519) on Sunday October 10, 2010 @07:28PM (#33855176)

      How about instead of having some program trying to figure out who's installing a program, how about no program can install another program? Download only, and it sits harmlessly until the user specifically goes, finds it, and runs it. In fact, have at the OS level, a captcha that needs to be filled in before a program installs. How's that? Think that'll stop anything? Probably work better than BLADE any way.

      If I understand you correctly, you're talking about removing the ability to shell out another executable from within an executable. After all, what, exactly, is the difference between an installation app and a regular app?
      They both have the ability to modify the Windows registry, output arbitrary data to arbitrary locations, etc - how do you think MS Paint saves that picture file your 3-year-old made by facerolling the keyboard and beating the family dog with the mouse?

      "Fine," you state, "just disable the ability for an executable to start another executable, then."

      Unfortunately, killing the methods of shelling out to an app would destroy most operating systems' functionality - after all, the kernel is an executable that runs other executables (such as the graphical shell you think is your OS), directly or indirectly.

      "Sure," you say, "we can just make it so the kernel can do it, but nothing else."

      Ok, now what do you do when *you* want to launch an executable, say by clicking a representation of its logical address located in that previously-mentioned graphical shell (ie, your desktop)?

      "Well, we can just let the kernel and the rest of the OS do its thing, then," you respond.

      Where do you draw the line?
      Photoshop executes a dozen processes when it starts up.
      Hitting a flash-enabled website in your browser can launch dozens of processes.
      Javascript is "executable code".
      A slightly looser definition of "executable code" could include HTML.

      In short, this is not the correct direction to be looking for an answer in; your post getting a "+5, Insightful" amazes and bewilders me.

      • This is exactly the problem.
        • This is exactly the problem.

          Mod parent up. He is correct to point out that the parent should be modded up, because it is indeed the problem.

          Seriously, either mod it up yourself or move along. Posts saying "mod up" are pointless.

          Cue someone not getting the point and calling me a hypocrite.

      • by Shrike82 (1471633)

        your post getting a "+5, Insightful" amazes and bewilders me.

        You've been here longer than me - these things should no longer surprise you.

    • I'd go further and completely throw out the idea that an EXE inherits the permissions of the user running it. Each EXE should have its own set of permissions as if it were a user itself. Think how facebook or smartphone apps when initiated request permission to "look at your personal data" etc. Like that but simplified:

      "Modify system files"

      "Modify system configuration"

      "Read personal files"

      "Modify personal files"

      "Talk to the LAN"

      "Talk to the internet"

      I'm fairly certain this can be gotten down to just a few o

  • by Yvan256 (722131) on Sunday October 10, 2010 @03:35PM (#33853852) Homepage Journal

    Are there any other OS vulnerable to drive-by downloads? Funny how they rarely mention which OS are affected.

    I'm guessing Mac OS X and Linux are both better protected since the OS can't initiate a program installation and then run it without the user permission.

    • by Renraku (518261)

      I would have figured Macs to be a hotbed of virus activity, but there just aren't that many viruses that target Macs, because PCs are just too big of a market share. My reasoning is because Macs 'just work' which means that it should be a lot easier for that virus to 'just work' with little-to-no user interaction. Of course, there are/were plenty of ways to install something without the user knowing on Windows.

      It used to be so bad that simply connecting a bare vanilla Windows XP machine to the network and

      • Re: (Score:3, Informative)

        by jonbryce (703250)

        Macs "just work" once you tell sudo your password. If I see the sudo box when I'm not expecting it, hitting the cancel button is much easier than typing in my 15 character password.

      • by mlts (1038732) *

        I'd give the credit to OS X for helping here. OS 9 and previous had more than their share of viruses for them.

        OS X is not significantly more secure [1] than other commercial UNIXes (like AIX, Solaris, and Linux), but the UNIX architecture is a great improvement over the days of having your application calling WaitNextEvent() unless you wanted to hang the box.

        [1]: It does have some good security features built in. The SELinux-like mandatory access control functionality is a definite step in the right

  • But unless it's included in a Windows update it's useless. This is a band aid for the real problem: users have a plug and play mentality and don't give a shit about computer security until they are infected. The only way you can win is to educate the younger generation and hope they don't make the same mistakes their parents have made.
  • ...that puts everything I access on the WWW under scrutiny.
    Why should anybody?
  • Backronym (Score:3, Funny)

    by Asgerix (1035824) on Sunday October 10, 2010 @04:32PM (#33854230) Homepage
    The first version of their tool was called "BLock All Drive-by Download Exploit scRipts" - or BLADDER. For some reason it was not very popular.
  • What is wrong with Noscript?
  • by ad454 (325846) on Sunday October 10, 2010 @06:44PM (#33854958)
    I am not much of a Windows user, but for all of my friends, family, and colleagues that do run Windows, I install Sandboxie on their machines. SandBoxie allows their E-mail clients and Web Browsers to run within Virtual Machines that prevent direct disk access:

    http://www.sandboxie.com/ [sandboxie.com]

    In addition, I also recommend installing FireFox with NoScript, AdBlock Plus, and Certificate Patrol addons on all platforms (Windows, MacOSX, Linux, *BSD, etc.) in order to minimize attack and spoofing vectors, which are typically JavaScript & Flash based.

    Using SandBoxie, Firefox, and the above mentioned addons seems to be just as good a solution as, if not a better one than, the tool mentioned in the article. And they are all available now for free!
  • ROFL (Score:4, Insightful)

    by znerk (1162519) on Sunday October 10, 2010 @06:57PM (#33855028)

    Clicked the link to "interesting display of the infection rate of different browsers", and got

    Hi. Javascript is turned off in your web browser. Good for you!
    Ironically, to view our analysis results you do need to enable Javascript.
    We promise not to bite.

    Aside from the question of why I would need to enable Javascript to view their results, I found it highly amusing... and disturbing.
    Kinda gave me the feeling of
    "We're not doing anything evil, we promise! Oh, and we need you to let us inside your system's security before we'll give you any information".

    Not exactly inspiring any confidence, here.

    For instance, why isn't your page dynamically generated server-side, if you're trying to promote safe browsing practices? Oh, right, because you're not; you want me to buy your software...

    I think I'll stick with NoScript and AdBlockPlus, thanks - they don't cost anything.

    • by znerk (1162519)

      Also, I find it interesting that Chrome isn't listed in their statistics (after I hit the link with a snapshotted VM's browser) - despite that I have seen systems with apparent drive-by infections with no IE link on the desktop, quicklaunch, or start menu, no firefox installed, and a shortcut to chrome on the desktop labelled "Internet". Maybe the user was lying as to the source of infection.

      • no Opera or any browsers besides IE6, 7 & 8 and FF3. If that's all their browser stats are based on then I'd say all of their reports stats are questionable.
  • The reason this application has not been circumvented yet is because there has been no public release as of yet. Once the "bad guys" have the application to test against, they will find a way around it.
