
New Tool Blocks Downloads From Malicious Sites 192

Posted by timothy
from the we're-from-the-government-and-we're-here-to-help dept.
Hugh Pickens writes "Science Daily Headlines reports that a new tool has been developed (funded by the National Science Foundation, US Army Research Office and US Office of Naval Research) to prevent 'drive-by downloads' whereby simply visiting a website, malware can be silently installed on a computer to steal a user's identity and other personal information, launch denial-of-service attacks, or participate in botnet activity. The software called Blade — short for Block All Drive-By Download Exploits — is browser-independent and designed to eliminate all drive-by malware installation threats by tracking how users interact with their browsers to distinguish downloads that received user authorization from those that did not. 'BLADE monitors and analyzes everything that is downloaded to a user's hard drive to cross-check whether the user authorized the computer to open, run or store the file on the hard drive. If the answer is no to these questions, BLADE stops the program from installing or running and removes it from the hard drive,' says Wenke Lee, a professor in the School of Computer Science in Georgia Tech's College of Computing. Blade's testbed automatically harvests malware URLs from multiple whitehat sources on a daily basis and has an interesting display of the infection rate of different browsers, the applications targeted by drive-by exploits, and the anti-virus detect and miss rates of drive-by binaries."
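The cross-check the summary attributes to BLADE, as an added illustration that is not BLADE's own code: correlate user download-consent events with browser file writes and flag any write that had no fresh, matching consent. The event format, the 30-second consent window and the sample feed are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

@dataclass
class Event:
    """One entry from a hypothetical browser/OS event feed (assumed format)."""
    ts: datetime
    kind: str   # "consent": user approved a download dialog; "write": browser wrote a file
    path: str   # destination path named by the dialog or by the write

# Assumption: a consent only authorizes a write that follows it within this window.
CONSENT_WINDOW = timedelta(seconds=30)

def unauthorized_writes(events: List[Event], window: timedelta = CONSENT_WINDOW) -> List[str]:
    """Return the paths of browser writes that had no fresh, matching user consent.

    A consent for a path is consumed by the first write of that path, so a
    second write of the same file would also be flagged.
    """
    pending: Dict[str, datetime] = {}   # path -> time of the latest unconsumed consent
    flagged: List[str] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "consent":
            pending[ev.path] = ev.ts
        elif ev.kind == "write":
            consent_ts: Optional[datetime] = pending.pop(ev.path, None)
            if consent_ts is None or ev.ts - consent_ts > window:
                flagged.append(ev.path)
    return flagged

def sample_events() -> List[Event]:
    """Constructed sample feed: one consented download, one silent drop, one stale consent."""
    t0 = datetime(2010, 10, 10, 15, 0, 0)
    return [
        Event(t0, "consent", "/home/user/Downloads/report.pdf"),
        Event(t0 + timedelta(seconds=5), "write", "/home/user/Downloads/report.pdf"),   # authorized
        Event(t0 + timedelta(seconds=7), "write", "/tmp/update.exe"),                   # no dialog at all
        Event(t0 + timedelta(seconds=60), "consent", "/home/user/Downloads/setup.exe"),
        Event(t0 + timedelta(seconds=120), "write", "/home/user/Downloads/setup.exe"),  # consent is 60 s old
    ]

if __name__ == "__main__":
    for path in unauthorized_writes(sample_events()):
        print("unauthorized write:", path)
```

The stale-consent case matters in practice: a dialog the user approved minutes ago must not silently authorize a later, unrelated write to the same name.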
  • by SpacePunk (17960) on Sunday October 10, 2010 @03:19PM (#33853722)

    Just like flying cars, warp travel, or a cure for cancer.

    WTF folks. Why link it if it's not available? Sure, the "golly gee whiz" effect might get a whole five minutes if someone reads very slowly, but if it's not available then linking to it doesn't do anybody any good. By the time it does become available it will be long forgotten to all except those that make out a 3x5 card and tack it up on the wall.

  • Re:Which OS? (Score:2, Insightful)

    by Abstrackt (609015) on Sunday October 10, 2010 @03:23PM (#33853758)

    Make Microsoft Windows ILLEGAL and we'll have taken care of 99.9% of the bullshit that happens on the internet.

    Sorry, but how does that stop people from giving their credit card number to a purple hippopotamus or from buying whatever spam advertises?

  • by Anonymous Coward on Sunday October 10, 2010 @03:26PM (#33853786)

    The day the army/navy/government are responsible for my 'defence' online is coming. It's a red-pill blue-pill thing and I think I will prefer to keep the status quo, chancing it with the malware from the safety of my Linux PC. Running to the military to 'protect me' is simply naff, particularly online.

  • What the fuck (Score:5, Insightful)

    by Anonymous Coward on Sunday October 10, 2010 @03:31PM (#33853818)

    You need a special tool to not automatically download and run the first program your web browser sees?

    Downloads shouldn't start automatically. Downloads shouldn't run automatically.

    Yet even sourceforge doesn't provide copy and paste friendly download links anymore. It's got to automatically start your download for you because you're just too fucking lazy to make one more click.

    BADBDE. Fail.

  • Easiest option: (Score:3, Insightful)

    by twidarkling (1537077) on Sunday October 10, 2010 @03:33PM (#33853840)

    How about instead of having some program trying to figure out who's installing a program, how about no program can install another program? Download only, and it sits harmlessly until the user specifically goes, finds it, and runs it. In fact, have, at the OS level, a captcha that needs to be filled in before a program installs. How's that? Think that'll stop anything? Probably work better than BLADE anyway.

  • by Moryath (553296) on Sunday October 10, 2010 @03:34PM (#33853848)

    I don't know about progress or eventual usability, but they definitely come up pretty high on the "tortured acronym" list...

  • by Anonymous Coward on Sunday October 10, 2010 @03:54PM (#33854006)

    Most people's default: "Sure, random untrusted entity, run anything you want on my system!"

    Sane people's default: "I'll run it if I have a reason to and it is reasonably known to be safe."

    Guess which group seems to be the one having, and causing, all the problems? Guess which group doesn't need "drive by download blockers"?

    I swear, the world is positively insane. It hits itself in the thumb with a hammer, gets upset at the pain, and instead of just - you know - not swinging the hammer, it hires an expensive large muscle-bound man to stop the hammer in mid swing... as long as he's had his morning coffee and is quick on the draw.

  • Re:What the fuck (Score:4, Insightful)

    by MobileTatsu-NJG (946591) on Sunday October 10, 2010 @04:04PM (#33854068)

    Yet even sourceforge doesn't provide copy and paste friendly download links anymore. It's got to automatically start your download for you because you're just too fucking lazy to make one more click.

    Actually that's an extra stop to serve you ads.

  • ...that puts everything I access on the WWW under scrutiny.
    Why should anybody?
  • Re:Interesting... (Score:5, Insightful)

    by pspahn (1175617) on Sunday October 10, 2010 @04:15PM (#33854132)

    I'm just waiting for Linux and OS X to inevitably catch up once they become viable targets.

    I'd say that Linux is already a pretty juicy target. Sure it isn't running on most users' machines, but it does tend to be running on machines that do fairly important things. It already is a target, it's just that it isn't operated by the typical person that likes to lick digital doorknobs.

  • Re:What the fuck (Score:4, Insightful)

    by Arker (91948) on Sunday October 10, 2010 @04:24PM (#33854192)

    Yeah, this thing (even if it weren't vapourware) is papering over the problem many layers up, instead of fixing it in the first place. If a browser permits "drive by" downloads like this, it's got a bug, and it should be fixed there. (And yes, Firefox is incredibly buggy in this regard, but at least it's easily patched with extensions.)

  • Oh joy... (Score:1, Insightful)

    by Anonymous Coward on Sunday October 10, 2010 @04:26PM (#33854204)

    So now the browsers don't ever have to fix their bugs.

  • Re:Which OS? (Score:2, Insightful)

    by Anonymous Coward on Sunday October 10, 2010 @05:02PM (#33854392)

    So, let's take that same idiot user and set him up with a nice Linux distro. Say Mint or Ubuntu. Wait a few months and check his machine. It is probably fine. Now do the same to 4 billion more Windows users. Wait 6 months. Do you really believe the scum that put out malware and the like are going to just walk away from the gravy train? Hell no. They will target these same "dumb" users. (BTW, these users might be brilliant in their field; I am only putting them in the "dumb" category as computer users. I personally am in the "dumb" category when it comes to something like quantum physics.) It is trivial to write the same "click here to see bewbs" code on any OS. Users grant it admin rights. Most users are clueless. How did this clean up the problem? It just transferred it to a different OS.

  • by Arker (91948) on Sunday October 10, 2010 @05:23PM (#33854534)

    No, I blame the culture of blobware there. Why do you think so many programs are 'poorly written' and why can't they be fixed? They are poorly written because their roots go back to when the MS OS didn't have any concept of a limited user or a security model at all. You can't fix the issue because, in the MS world, you don't actually get any software - you get a binary blob. ANY modifications, bug-fixes, etc. have to come from the vendor. If the vendor doesn't see a profit in it, they won't do it, and you are stuck with it. That is the MS way, and it can still sting even the most knowledgeable and diligent admin when forced to rely on blobware.

  • ROFL (Score:4, Insightful)

    by znerk (1162519) on Sunday October 10, 2010 @06:57PM (#33855028)

    Clicked the link to "interesting display of the infection rate of different browsers", and got

    Hi. Javascript is turned off in your web browser. Good for you!
    Ironically, to view our analysis results you do need to enable Javascript.
    We promise not to bite.

    Aside from the question of why I would need to enable Javascript to view their results, I found it highly amusing... and disturbing.
    Kinda gave me the feeling of
    "We're not doing anything evil, we promise! Oh, and we need you to let us inside your system's security before we'll give you any information".

    Not exactly inspiring any confidence, here.

    For instance, why isn't your page dynamically generated server-side, if you're trying to promote safe browsing practices? Oh, right, because you're not; you want me to buy your software...

    I think I'll stick with NoScript and AdBlockPlus, thanks - they don't cost anything.

  • 3rd Party (Score:3, Insightful)

    by DrYak (748999) on Sunday October 10, 2010 @07:08PM (#33855080)

    If a browser permits "drive by" downloads like this, it's got a bug, and it should be fixed there.

    But it can't be fixed there.
    If you RTFA, you'll notice in their stats that the largest proportion of all threats exploit bugs in the Adobe Acrobat and Flash plugins.
    No amount of coding in Firefox can fix bugs in Adobe software, short of reverse engineering the plugin and applying binary patches on load to fix it (which should be considered a violation of the plugin's license in the jurisdiction where Firefox's development is happening).

    The only real long-term solution would be to completely drop the proprietary plugins in favour of open-source alternatives.
    (There is already tons of PDF viewer software which is less buggy, among which lots of open-source contenders (anything poppler-based). Now just hope that Gnash and Lightspark become good replacements soon.)

  • Re:Which OS? (Score:2, Insightful)

    by hairyfeet (841228) on Sunday October 10, 2010 @07:13PM (#33855094)

    I know I shouldn't feed the troll but wtf, I'm bored. You sir, MR AC, are falling victim to "magical thinking", made all the worse because it is pretty obvious you are a hardcore FLOSSie, which means you treat your OS as a religion instead of a tool. FLOSS IS good if you know what you're doing but it isn't a magic miracle cure. You see ALL OSes have weaknesses, full stop. Or are you forgetting the SIX YEAR OLD X flaw that was just patched recently? And magical thinking is "product X will SAVE us!" which never works because it just makes you lazy about security best practices. The latest Windows? Actually pretty damned secure if it weren't for dumbasses behind the keyboard, or as we in the repair biz like to call them, the "ID10T errors". The biggest bug going around right now I'm seeing is Security Tool variants that the user INSTALLS just because a website presents a pop-up or warning banner similar to a Windows one and offers them a "free AV" product.

    Now can you name a SINGLE thing there that is Windows specific? Can they make a dialog box look like an Ubuntu one? Not a problem there. Does the user have the right to install on their own machine? Yep again. Will putting them on a different OS magically make them stop clicking on stupid shit? Not a chance in hell pal, I should know because I done tried it. I had a customer that was a "must click on teh prons!" type of dumbass, so I put him on a Linux (it was either PCLOS or Mepis, whichever had the newest release ATT) and he made it completely unbootable in less than a week. How did he do that? By deciding he didn't like that whole "package manager thingie" and instead googling "Linux programs" and installing a bunch of shit off Freshmeat that put him in dependency hell.

    So you see MR FLOSSie AC, despite the fact that we here on /. have to deal with a dozen "Ban Windblowz LOL!" posts on anything even remotely having to do with Windows, magical thinking does not and will never work because the ONLY true security is a top to bottom approach running everything with least permissions and not installing random shit from the web. If you made Linux 100% of the market tomorrow, not 24 hours later people would be getting "Happy kitten screensaver" .sh, with instructions on how to install same, and they would do it. Or are you forgetting those that got infected by installing random KDE themes from KDELook?

  • Re:What the fuck (Score:3, Insightful)

    by Lord Ender (156273) on Sunday October 10, 2010 @07:25PM (#33855162)

    Modern security relies on the wise supposition that there are and will always be flaws, therefore multiple layers of protection are employed to minimize the possibility of those flaws affecting you. This is called "defense in depth."

  • Re:Easiest option: (Score:5, Insightful)

    by znerk (1162519) on Sunday October 10, 2010 @07:28PM (#33855176)

    How about instead of having some program trying to figure out who's installing a program, how about no program can install another program? Download only, and it sits harmlessly until the user specifically goes, finds it, and runs it. In fact, have at the OS level, a captcha that needs to be filled in before a program installs. How's that? Think that'll stop anything? Probably work better than BLADE any way.

    If I understand you correctly, you're talking about removing the ability to shell out to another executable from within an executable. After all, what, exactly, is the difference between an installation app and a regular app?
    They both have the ability to modify the Windows registry, output arbitrary data to arbitrary locations, etc. - how do you think MS Paint saves that picture file your 3-year-old made by facerolling the keyboard and beating the family dog with the mouse?

    "Fine," you state, "just disable the ability for an executable to start another executable, then."

    Unfortunately, killing the methods of shelling out to an app would destroy most operating systems' functionality - after all, the kernel is an executable that runs other executables (such as the graphical shell you think is your OS), directly or indirectly.

    "Sure," you say, "we can just make it so the kernel can do it, but nothing else."

    Ok, now what do you do when *you* want to launch an executable, say by clicking a representation of its logical address located in that previously-mentioned graphical shell (i.e., your desktop)?

    "Well, we can just let the kernel and the rest of the OS do its thing, then," you respond.

    Where do you draw the line?
    Photoshop executes a dozen processes when it starts up.
    Hitting a flash-enabled website in your browser can launch dozens of processes.
    Javascript is "executable code".
    A slightly looser definition of "executable code" could include HTML.

    In short, this is not the correct direction to be looking for an answer in; your post getting a "+5, Insightful" amazes and bewilders me.

  • by znerk (1162519) on Sunday October 10, 2010 @08:48PM (#33855510)

    As a fan of NoScript (the only plugin that *really* keeps me with firefox), I can tell you this: it's too hard to use for normal users.

    Yeah, because Joe User can't be bothered to learn the following sequence:

    1: Notice that an element of the page isn't "working as intended".
    2: Click the little "S" icon in the bottom-right-hand corner of the browser.
    3: (this is the one causing the most issues with NoScript usage, IMHO) select only the bare minimum of sites to allow scripting from (typically the one in the address bar, duh)
    4: Profit! (view your youtube videos without most of the additional crap/ads/whatever)

    Unfortunately, my experience is that the typical response to "my youtube is broken!" is to either "allow all this page" or close FF and use IE...
