New Tool Blocks Downloads From Malicious Sites
Hugh Pickens writes "Science Daily Headlines reports that a new tool has been developed (funded by the National Science Foundation, US Army Research Office and US Office of Naval Research) to prevent 'drive-by downloads,' whereby simply visiting a website can silently install malware on a computer to steal a user's identity and other personal information, launch denial-of-service attacks, or participate in botnet activity. The software, called Blade (short for Block All Drive-By Download Exploits), is browser-independent and designed to eliminate all drive-by malware installation threats by tracking how users interact with their browsers to distinguish downloads that received user authorization from those that did not. 'BLADE monitors and analyzes everything that is downloaded to a user's hard drive to cross-check whether the user authorized the computer to open, run or store the file on the hard drive. If the answer is no to these questions, BLADE stops the program from installing or running and removes it from the hard drive,' says Wenke Lee, a professor in the School of Computer Science in Georgia Tech's College of Computing. Blade's testbed automatically harvests malware URLs from multiple whitehat sources on a daily basis and has an interesting display of the infection rate of different browsers, the applications targeted by drive-by exploits, and the anti-virus detect and miss rates of drive-by binaries."
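The summary describes BLADE's core idea: a file written to disk by the browser is only legitimate if the user explicitly authorized it through a browser dialog. The following is an added toy model of that correlation written for this page; it is not BLADE's code and does not hook a real browser or file system. It assumes a monitor that emits two kinds of constructed events, a "consent" event when the user clicks Save/Open in a download dialog and a "write" event when the browser process persists a file, and it assumes a 30-second window within which consent must precede the write.

```python
"""Toy model of BLADE-style download-authorization correlation.

Added illustration, not BLADE's implementation. A browser-originated
file write is treated as authorized only when a user-consent UI event
for the same path preceded it within CONSENT_WINDOW_SECONDS. Each
consent is consumed by the first write it authorizes, so a single
click cannot bless a stream of additional files. Every other write is
flagged for quarantine. All event data below is constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Tuple

CONSENT_WINDOW_SECONDS = 30.0  # assumed policy: consent must precede the write by <= 30 s


@dataclass(frozen=True)
class Event:
    ts: float    # seconds since monitoring started
    kind: str    # "consent" (user clicked Save/Open in a dialog) or "write" (browser wrote a file)
    path: str    # destination file path


def classify_writes(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (path, verdict) for every write event, in time order.

    verdict is "authorized" when an unconsumed consent for that path lies
    within the window, otherwise "quarantine".
    """
    pending = {}   # path -> timestamp of an unconsumed consent event
    verdicts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "consent":
            pending[ev.path] = ev.ts
        elif ev.kind == "write":
            consent_ts = pending.get(ev.path)
            if consent_ts is not None and 0.0 <= ev.ts - consent_ts <= CONSENT_WINDOW_SECONDS:
                verdicts.append((ev.path, "authorized"))
                del pending[ev.path]      # consume the consent token
            else:
                verdicts.append((ev.path, "quarantine"))
    return verdicts


# Constructed sample stream: one normal download, one write with no dialog
# at all (the drive-by case), one whose consent expired, and one that
# reuses an already-consumed consent.
SAMPLE_EVENTS = [
    Event(1.0, "consent", "/home/u/Downloads/report.pdf"),
    Event(2.5, "write", "/home/u/Downloads/report.pdf"),
    Event(3.0, "write", "/tmp/update.exe"),
    Event(10.0, "consent", "/home/u/Downloads/tool.zip"),
    Event(50.0, "write", "/home/u/Downloads/tool.zip"),
    Event(51.0, "write", "/home/u/Downloads/report.pdf"),
]


def quarantine_list(events: List[Event]) -> List[str]:
    """Paths a BLADE-like enforcer would block from running and remove."""
    return [p for p, v in classify_writes(events) if v == "quarantine"]


if __name__ == "__main__":
    for path, verdict in classify_writes(SAMPLE_EVENTS):
        print(f"{verdict:11s} {path}")
```

The point of consuming each consent token is the part a practitioner would want to get right: without it, a single legitimate Save click would authorize any number of follow-on files the exploit page drops under the same name, which is exactly the behaviour the tool is meant to stop.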
Prior art (Score:3, Interesting)
Sounds like Mac OS X.
Re:Prior art (Score:3, Interesting)
I was thinking more along the lines of:
Well, it's called Tron. It's a security program itself, actually. It monitors all contacts between our system and other systems. It finds anything going on that's not scheduled, it shuts it down. I sent you a memo on it.
Life mirrors art? Then again, maybe I just have Tron on my brain after seeing an extended 3-D preview of Tron: Legacy at Disney's California Adventure on Friday. If anyone reading this can, I highly recommend visiting DCA to see the ElecTRONica section they have going on (Friday through Sunday nights). Flynn's Arcade is pretty well done.
No, I am in no way affiliated with Disney either. Just a fan of Tron.
Interesting... (Score:1, Interesting)
If AV's were not so useless and purely reactive, they would be doing this in the first place. Maybe it will be adopted into them.
Of course, this would not be needed if we could educate people to keep everything updated with security patches, and not let random programs run as admin.
I'm just waiting for Linux and OS X to inevitably catch up once they become viable targets.
Is this another Windows-only problem? (Score:4, Interesting)
Are there any other OSes vulnerable to drive-by downloads? Funny how they rarely mention which OSes are affected.
I'm guessing Mac OS X and Linux are both better protected since the OS can't initiate a program installation and then run it without the user's permission.
Re:What the fuck (Score:3, Interesting)
I'm guessing they want to prevent other websites from linking to the downloads directly and have them link to the project webpage instead.
Re:Which OS? (Score:4, Interesting)
That's like saying we shouldn't remove deadly exploding cars from the roads because 5% of the drivers are too stupid to drive. There's no link between the two. We can fix the Windows problem by removing it from the internet. Fixing users is done via education.
Right. But the percentages are wrong... the original asserted that removing windows would fix 99.9% of the bullshit on the internet. The parent correctly pointed out that it would do no such thing. "user" issues account for far more than 0.01% of the problem. Removing the Windows "exploding cars" might not even make a dent.
That's not to say we shouldn't remove the exploding cars, but we shouldn't justify it by claiming it's going to fix the internet in any meaningful way.
Moreover, the Windows-as-exploding-car metaphor is flawed, because the OS X and Linux cars are not really inherently that much more secure in the hands of lowest-common-denominator users. If you pull the exploding Windows cars off the internet, within a few months you'll have exploding OS X and Linux cars to contend with.
Idiot users will let malware infest their systems regardless of what OS they are given if the malware asks them to. Right now, most malware only works on Windows, but if you banned Windows overnight, then a week later the internet would be a crap flood of malware that worked on Linux or OS X.
(Probably Linux, because there is no way people could switch to OS X without buying Apple hardware... so it would be a less popular choice.)
Re:Is this another Windows-only problem? (Score:1, Interesting)
All of our clients have been running their Windows systems with "Limited User" rights for a decade or more (except the few cases where this is not possible due to poorly written software) and we've never seen a drive-by download nor malware infection in any of these Limited Rights systems.
You cannot blame *any* OS for poor administrator configuration of rights. Blame the sysadmin.
Re:how about just flipping the damn default? (Score:5, Interesting)
"Drive by download" is just a made up excuse by people who don't want to admit to what they were doing when they installed some malware yet again.
Yeah, like the user moving their mouse out of the way to read the text of an article, and coincidentally mousing over an ad purchased by a malware distributor that *looks* legit, and is on a legit site, but is actually just a method to throw their nasty bot into the download stream.
And before you protest that you've never seen that happen, I would like to inform you that I have - with my own eyes. Anecdotal evidence aside, this is factual to me.
More and more frequently, I'm seeing people saying that Windows is the primary security risk on the internet. Perhaps we should look into that.
Re:Is this another Windows-only problem? (Score:3, Interesting)
They are poorly written because their roots go back to when the MS OS didn't have any concept of a limited user or a security model at all.
That isn't the answer. Windows NT introduced the idea of user permissions back in July 1993. If you wanted to be able to use the official "Written for Windows" certification (or whatever it was called at the time) then your software had to work as a limited user. If developers had adhered to Microsoft's programming guidelines they would have got rid of the full-access assumption years ago.
And if developers had done this, then we would have all been running as standard users long before Vista. Even then, they only got this to work by crippling the administrator account into a semi-limited user mode.