Boffins releasing tool to foil drive-by attacks
Written by John P Mello Jr on February 25, 2010
NoScript is a free Mozilla extension that can counter drive-by infections.
One of the most frightening threats facing Web surfers is the drive-by infection. The thought that their computer could be infected just by visiting a Web site is a sobering one to many websters. Peace of mind, though, may be on the way, as researchers are preparing a free tool that will shield netizens from drive-by menaces.
The tool is called BLADE–Block All Drive-By Download Exploits–and is designed to protect cybernauts from the roughly 5.5 million Web pages containing drive-by malware.
“Unlike push-based approaches adopted by Internet scanning worms and viruses, contemporary malware publishers rely on drive-by exploits for silent dissemination of spyware, trojans and bots,” the researchers from SRI International and Georgia Tech’s School of Computer Science wrote in “BLADE: Slashing the Invisible Channel of Drive-by Download Malware.”
“Drive-by downloads, which result in the unauthorized installation of code through the browser and into the victim host,” they added, “have become one of the dominant means through which mass infections now occur.”
Drive-by traps typically ambush Net goers who have been tardy in keeping their computers’ operating systems and applications current with the latest security patches. Browser vulnerabilities and plug-ins like Adobe Reader and Flash are favorite targets of malicious software writers. They even have “exploit packs” that will probe a Web site visitor’s computer and intelligently determine if any number of vulnerabilities remain unpatched.
According to the researchers, BLADE is a kernel-based monitor designed to block any malware that an attacker attempts to deliver through a browser. The tool is based on a simple principle: all browser downloads fall into two categories. There are supported files–files that make up Web pages, for instance HTML, images and such–and unsupported files, such as EXE, ZIP and so forth. Typically, browsers fetch supported files silently, and they are supposed to alert a user when an unsupported file type is being downloaded. Nefarious Web sites subvert the unsupported-file notification function so they can plant their dirty wares on a target computer. What BLADE does is introduce capabilities at the operating-system level that prevent execution of any downloaded unsupported content the user has not directly consented to through user-to-browser interaction.
That approach may have some problems. It could interfere with legitimate downloads of unsupported files–downloads, for instance, by programs updating themselves or patching themselves for security reasons.
The tool also focuses on downloads that are written to a hard disk. Some malware is never written to disk and lives only in memory. Those programs would be able to evade BLADE.
According to MIT’s Technology Review, the BLADE researchers have been testing their tool since January. They have a number of virtual desktops with BLADE installed on them and expose them on a daily basis to exploit sites identified by security experts. Each black Web address is being tested against multiple software configurations covering different browsers and plug-ins.
The researchers told the MIT publication that more than 5150 malicious programs have been thwarted from some 1205 Web sites with drive-by capabilities. Of the total of bad apps, more than half targeted vulnerabilities in Adobe Reader. Another quarter focused on Sun Microsystems’ Java platform. The remaining malware zeroed in on weaknesses in Adobe Flash and Microsoft Internet Explorer.
Some anti-virus programs include drive-by protection in their arsenal and a free extension called NoScript for all Mozilla-based browsers, like Firefox, makes a similar claim.
NoScript allows JavaScript, Java, Flash and other plug-ins to only be executed by trusted Web sites chosen by a user. It also boasts that it provides the most powerful cross-site scripting (XSS) protection that can be found in a browser.
Cross-site scripting exploits programming errors made by Web developers. Those errors permit a cracker to inject malicious code from a black site into a white site. The code, for example, could be used to steal a user’s credentials to his or her banking site and allow the cracker to impersonate that user at that site.
With NoScript, execution of JavaScript and other plug-ins can be limited to trusted sites. Sites omitted from the white list of trusted sites won’t be able to execute scripts, which will foil drive-by locations attempting to surreptitiously install malevolent payloads on a computer.
“NoScript’s unique whitelist based pre-emptive script blocking approach prevents exploitation of security vulnerabilities (known and even not known yet!) with no loss of functionality,” the company maintains.