New Tool Blocks Downloads From Malicious Sites

Hugh Pickens writes "Science Daily Headlines reports that a new tool has been developed (funded by the National Science Foundation, US Army Research Office and US Office of Naval Research) to prevent 'drive-by downloads' whereby simply visiting a website, malware can be silently installed on a computer to steal a user's identity and other personal information, launch denial-of-service attacks, or participate in botnet activity. The software called Blade — short for Block All Drive-By Download Exploits — is browser-independent and designed to eliminate all drive-by malware installation threats by tracking how users interact with their browsers to distinguish downloads that received user authorization from those that do not. 'BLADE monitors and analyzes everything that is downloaded to a user's hard drive to cross-check whether the user authorized the computer to open, run or store the file on the hard drive. If the answer is no to these questions, BLADE stops the program from installing or running and removes it from the hard drive,' says Wenke Lee, a professor in the School of Computer Science in Georgia Tech's College of Computing. Blade's testbed automatically harvests malware URLs from multiple whitehat sources on a daily basis and has an interesting display of the infection rate of different browsers, the applications targeted by drive-by exploits, and the anti-virus detect and miss rates of drive-by binaries."

It's not yet available

[SpacePunk]

Just like flying cars, warp travel, or a cure for cancer.

WTF folks. Why link it if it's not available? Sure, the "golly gee wiz" effect might get a whole five minutes if someone reads very slowly, but if it's not available then linking to it doesn't do anybody any good. By the time it does become available it will be long forgotten to all except those that make out a 3x5 card, and tacks it up on the wall.

Re:Which OS?

[Abstrackt]

Make Microsoft Windows ILLEGAL and we'll have taken care of 99.9% of the bullshit that happens on the internet.

Sorry, but how does that stop people from giving their credit card number to a purple hippopotamus or from buying whatever spam advertises?

It's better the devil you know...

[Anonymous Coward]

The day the army/navy/government are responsible for my 'defence' online is coming. It's a red-pill blue-pill thing and I think I will prefer to keep the status-quo, chancing it with the malware from the safety of my linux PC. Running to the military to 'protect me' is simply naff, particularly online.

What the fuck

[Anonymous Coward]

You need a special tool to not automatically download and run the first program your web browser sees?

Downloads shouldn't start automatically. Downloads shouldn't run automatically.

Yet even sourceforge doesn't provide copy and paste friendly download links anymore. It's got to automatically start your download for you because you're just too fucking lazy to make one more click.

BADBDE. Fail.

Easiest option:

[twidarkling]

How about instead of having some program trying to figure out who's installing a program, how about no program can install another program? Download only, and it sits harmlessly until the user specifically goes, finds it, and runs it. In fact, have at the OS level, a captcha that needs to be filled in before a program installs. How's that? Think that'll stop anything? Probably work better than BLADE any way.

Re:Not new, vaporware

[Moryath]

I don't know about progress or eventual usability, but they definitely come up pretty high on the "tortured acronym" list...

how about just flipping the damn default?

[Anonymous Coward]

Most people's default: "Sure, random untrusted entity, run anything you want on my system!"

Sane people's default: "I'll run it if I have a reason to and it is reasonably known to be safe."

Guess which group seems to be the one having, and causing, all the problems? Guess which group doesn't need "drive by download blockers"?

I swear, the world is positively insane. It hits itself in the thumb with a hammer, gets upset at the pain, and instead of just - you know - not swinging the hammer, it hires an expensive large muscle-bound man to stop the hammer in mid swing... as long as he's had his morning coffee and is quick on the draw.

Re:What the fuck

[MobileTatsu-NJG]

Yet even sourceforge doesn't provide copy and paste friendly download links anymore. It's got to automatically start your download for you because you're just too fucking lazy to make one more click.

Actually that's an extra stop to serve you ads.

I'm not trusting something government funded....

[Zapotek]

...that puts everything I access on the WWW under scrutiny.
Why should anybody?

Re:Interesting...

[pspahn]

I'm just waiting for Linux and OS X to inevitably catchup once they become viable targets.

I'd say that Linux is already a pretty juicy target. Sure it isn't running on most users' machines, but it does tend to be running on machines that do fairly important things. It already is a target, it's just that it isn't operated by the typical person that likes to lick digital doorknobs.

Re:What the fuck

[Arker]

Yeah, this thing (even if it werent vapour-ware) is papering over the problem many layers up, instead of fixing it in the first place. If a browser permits "drive by" downloads like this, it's got a bug, and it should be fixed there. (And yes, firefox is incredibly buggy in this regard, but at least it's easily patched with extensions.)

Oh joy...

[Anonymous Coward]

So now the browsers don't ever have to fix their bugs.

Re:Which OS?

[Anonymous Coward]

So, let's take that same idiot user and set him up with a nice Linux distro. Say Mint or Ubuntu. Wait a few months and check his machine. It is probably fine. Now do the same to 4 billion more Windows users. Wait 6 months. Do you really believe the scum that put out malware and the like are going to just walk away from the gravy train? Hell no. They will target these same "dumb" users. (BTW, these users might be brilliant in their field; I am only putting them in the "dumb" as computer users. I personally am in the "dumb" category when it comes to something like quantum physics.). It is trivial to write the same "click here to see bewbs" code on any OS. Users grant it admin rights. Most users are clueless. How did this clean up the problem? It just transferred it to a different OS.

Re:Is this another Windows-only problem?

[Arker]

No, I blame the culture of blobware there. Why do you think so many programs are 'poorly written' and why cant they be fixed? They are poorly written because their roots go back to when the MS OS didnt have any concept of a limited user or a security model at all. You cant fix the issue because, in the MS world, you dont actually get any software - you get a binary blob. ANY modifications, bug-fixes, etc. have to come from the vendor. If the vendor doesnt see a profit in it, they wont do it, and you are stuck with it. That is the MS way, and it can still sting even the most knowledgeable and diligent admin when forced to rely on blobware.

ROFL

[znerk]

Clicked the link to "interesting display of the infection rate of different browsers", and got

Hi. Javascript is turned off in your web browser. Good for you!
Ironically, to view our analysis results you do need to enable Javascript.
We promise not to bite.

Aside from the question of why I would need to enable Javascript to view their results, I found it highly amusing... and disturbing.
Kinda gave me the feeling of
"We're not doing anything evil, we promise! Oh, and we need you to let us inside your system's security before we'll give you any information".

Not exactly inspiring any confidence, here.

For instance, why isn't your page dynamically generated server-side, if you're trying to promote safe browsing practices? Oh, right, because you're not; you want me to buy your software...

I think I'll stick with NoScript and AdBlockPlus, thanks - they don't cost anything.

3rd Party

[DrYak]

If a browser permits "drive by" downloads like this, it's got a bug, and it should be fixed there.

But it can't be fixed there.
If you RTFA, you'll notice in their stats that the largest proportion of all threats exploit bugs in Adobe Acrobat and Flash plugins.
No amount of coding in Firefox can fix bugs in Adobe software, short of reverse engineering the plugin and applying binary patches on load to fix it (which should be considered a violation of the plugins license, in the jurisdiction where Firefox' development is happening)

The only real long-term solution would be to completely drop the proprietary plugins in favour of open-source alternative.
(There are already tons of PDF viewer software which is less buggy, among which lots of opensource contenders (anything poppler-based). Now just hope that Gnash and Lightspark become good replacement soon).

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:What the fuck

[Lord Ender]

Modern security relies on the wise supposition that there are and will always be flaws, therefore multiple layers of protection are employed to minimize the possibility of those flaws affecting you. This is called "defense in depth."

Re:Easiest option:

[znerk]

How about instead of having some program trying to figure out who's installing a program, how about no program can install another program? Download only, and it sits harmlessly until the user specifically goes, finds it, and runs it. In fact, have at the OS level, a captcha that needs to be filled in before a program installs. How's that? Think that'll stop anything? Probably work better than BLADE any way.

If I understand you correctly, you're talking about removing the ability to shell out another executable from within an executable. After all, what, exactly, is the difference between an installation app and a regular app?
They both have the ability to modify the Windows registry, output arbitrary data to arbitrary locations, etc - how do you think MS Paint saves that picture file your 3-year-old made by facerolling the keyboard and beating the family dog with the mouse?

"Fine," you state, "just disable the ability for an executable to start another executable, then."

Unfortunately, killing the methods of shelling out to an app would destroy most operating systems' functionality - after all, the kernel is an executable that runs other executables (such as the graphical shell you think is your OS), directly or indirectly.

"Sure," you say, "we can just make it so the kernel can do it, but nothing else."

Ok, now what do you do when *you* want to launch an executable, say by clicking a representation of its logical address located in that previously-mentioned graphical shell (ie, your desktop)?

"Well, we can just let the kernel and the rest of the OS do its thing, then," you respond.

Where do you draw the line?
Photoshop executes a dozen processes when it starts up.
Hitting a flash-enabled website in your browser can launch dozens of processes.
Javascript is "executable code".
A slightly looser definition of "executable code" could include HTML.

In short, this is not the correct direction to be looking for an answer in; your post getting a "+5, Insightful" amazes and bewilders me.

Re:Firefox Addons should be in all browsers...

[znerk]

As a fan of NoScript (the only plugin that *really* keeps me with firefox), I can tell you this: it's too hard to use for normal users.

Yeah, because Joe User can't be bothered to learn the following sequence:

1: Notice that an element of the page isn't "working as intended".
2: Click the little "S" icon in the bottom-right-hand corner of the browser.
3: (this is the one causing the most issues with NoScript usage, IMHO) select only the bare minimum of sites to allow scripting from (typically the one in the address bar, duh)
4: Profit! (view your youtube videos without most of the additional crap/ads/whatever)

Unfortunately, my experience is that the typical response to "my youtube is broken!" is to either "allow all this page" or close FF and use IE...