Advice Request Drive-by downloads: Can you get malware just from visiting a website?

[plat]

Nothing, no consequences. HitmanPro.Alert blocked this completely.

The lesson was to keep all software updated, everything. I learned it the best way: not by someone preaching and yapping at me to DO this or DO that but by an actual, tangible experience. Plus, I think much of the risk is lowered nowadays by the outright removal of specific browser plugins, as I said above.

Not that I would wish this on anyone but the "best" kick in the pants to stop being complacent and stubborn is a a mere whiff of this nasty stuff. But there are exceptions and some simply can't update and can't afford newer devices. It's a tough call sometimes and you have to do you first.

By the way, it's nice of Emsi to provide this kind of info, pls don't misread my intentions. But it's also helpful to be more aware of what your actual threat model is.

 

[plat]

However, some people are so paranoid about drive-by downloads that they can't live without Sandboxie. I think that's going too far.

Ouch, shmu! Some like SBIE for the geek-like experience. It ain't hurting nothing!

It's a fun software! (listen to plat, she got a direct smack, now she's all defensive and ooey-gooey )

 

[Ink]

In cybersecurity, each slice of cheese in the Swiss cheese model represents a layer of protection. The more slices of cheese you have, the greater the chance of stopping malware before it can infect your system. Combining multiple security technologies that address vulnerabilities on both a network and end-user level is crucial for ensuring that all attack vectors are secured, and that threats can be identified and remediated if prevention is not possible.

Link: How we use the Swiss cheese model to prevent malware infections | Emsisoft | Security Blog

 

[shmu26]

Ouch, shmu! Some like SBIE for the geek-like experience. It ain't hurting nothing!

It's a fun software! (listen to plat, she got a direct smack, now she's all defensive and ooey-gooey )

I agree, SBIE is fun. I would probably use it, if it didn't interfere with my workflow.

 

[roger_m]

@struppigel It has been my experience over many years that it is exceptionally rare to get infected just by visiting a website. I'm not talking about getting infected by manually opening a file that was downloaded, but getting infected without having to open any files. The only time I've ever been infected just by visiting a website, was on a system that was running outdated versions of Java and Flash, and that happened many years ago. I spend many hours surfing the web, with an ad-blocker being the only form of web protection I use. I fairly often visit random websites, which I know nothing about, that could potentially be harmful. Despite this, I only get infected when I manually launch an infected file. Sometimes I encounter websites which want me to download some random exe files, which no doubt are harmful or can download and install some third party software. But in order for me to get infected in these instances, it would require me to actually download and execute the files. Don't get me wrong, I'm not trying to be dismissive of your professional experience, but this has been my experience over many years.

I'd be interested to see some data specially about infections that occur just by visiting websites on computers that are kept updated, rather than drive by downloads which require the user to open them to infect the system.

 

[zoran popovic]

How to Identify and Protect Yourself from an Unsafe Website : TechWeb : Boston University

www.bu.edu

can you get a virus/malware just by visiting a website? - General Security

Page 1 of 2 - can you get a virus/malware just by visiting a website? - posted in General Security: Hello, So Ive always wondered if you can get a virus/malware just by visiting a website? I always thought this was a No, because I believe a user is only infected when he/she opens up that...

www.bleepingcomputer.com

Virus Basics | CISA

Discover more about computer viruses.

us-cert.cisa.gov

Sectigo

Can you get virus just by visiting a website in Chrome?

I've recently read Google Chrome: The End of Drive-By Downloads. Is it true to say that drive-by-downloads are history in Google Chrome? So if I have a link (from a spam email) I can right-click >...

security.stackexchange.com

Can You Get Viruses or Malware Just by Visiting a Website? | Antivirus Jar

People wonder if you can get viruses or malware just by visiting a website. And they risk walking away with inaccurate information.

antivirusjar.com

Can you Get Hacked by Visiting a Website? | Fake Site Checker

Can you get hacked by visiting a website? Yes, you can get hacked by visiting yourself, your company, and your website. Try cWatch website security today!

cwatch.comodo.com

Norton | Page not found

us.norton.com

A malicious website can infect my iPhone. Fact or fiction?

Some say you can get malware on your iPhone simply by visiting a dangerous Web page. We examine the rumor to get at the truth.

usa.kaspersky.com

How does Malicious Website Infect? Can you get Infected by just Visiting

Countless experts are warning the public about online threats. Malicious software is rapidly evolving. It continuously grows from a pure annoyance to financially damaging applications. Users are often oblivious to such dangers. Here is an explanatory article on how does malicious websites infect...

www.malwarefox.com

Prevent malware infection - Microsoft Defender for Endpoint

Learn steps you can take to help prevent a malware or potentially unwanted software from infecting your computer.

docs.microsoft.com

How Malicious Websites Infect You in Unexpected Ways

Afraid you might stumble on a malicious website and get infected with malware? This article teaches you how to prevent that.

www.google.com

 

[Sunshine-boy]

outdated software and/ or browser exploits.

Or HMPA?

 

[Andy Ful]

@struppigel is right by saying that drive-by downloads are not so rare. This also follows from the article mentioned in his post. So the answer to the OP is YES. One can get malware when visiting a website, even on updated Windows 10 with an updated web browser. But, the malware will not infect the system without user interaction, except when something is exploited. The danger follows from the fact that the attack can be easily done from a trusted website, for example via malicious Ads. So most people will follow the attacker's instructions and infect the system anyway.

 

[struppigel]

@struppigel It has been my experience over many years that it is exceptionally rare to get infected just by visiting a website. I'm not talking about getting infected by manually opening a file that was downloaded, but getting infected without having to open any files. The only time I've ever been infected just by visiting a website, was on a system that was running outdated versions of Java and Flash, and that happened many years ago. I spend many hours surfing the web, with an ad-blocker being the only form of web protection I use. I fairly often visit random websites, which I know nothing about, that could potentially be harmful. Despite this, I only get infected when I manually launch an infected file. Sometimes I encounter websites which want me to download some random exe files, which no doubt are harmful or can download and install some third party software. But in order for me to get infected in these instances, it would require me to actually download and execute the files. Don't get me wrong, I'm not trying to be dismissive of your professional experience, but this has been my experience over many years.

I'd be interested to see some data specially about infections that occur just by visiting websites on computers that are kept updated, rather than drive by downloads which require the user to open them to infect the system.

Hi. @shmu26 and me had a misunderstanding, which we resolved via PM. One lesson for me is that we do need to get our terminology clear before discussing. So let me do this first to avoid further misunderstandings.
Drive-by download means: The download is executed on its own. The downloaded file not necessarily.
When @shmu26 referred to "drive-by downloads that ran without user intervention" he meant the downloaded file is executed without user intervention whereas for me it meant the download is executed (happens) without user intervention.

A drive-by download that also executes the downloaded file on its own is more rare, yes, because the attack surface is lower. Most have some portion of social engineering to make the latter happen.

One word of caution, though, I have no hard data on this, this is only based on what I have seen during my work. There are recent campaigns, e.g., the malware in this one from 2 months ago, which will automatically check whether the browser can be exploited to also execute the downloaded file. So depending on the vulnerabilities of the affected system, the very same malware site will either require you to click or execute the downloaded file on it's own.

Whether you call that rare depends on how you count it.
Are they actively used? Yes.
Does it affect updated systems and browsers? Hardly
Are oudated systems common? Unfortunately more than we'd like.

 

[cruelsister]

Speaking of drive-by's, looks like our old friends from the DPRK (I'll bet the Lazarus Group who were responsible for the Zinc Malware Chrome browser exploit a couple of months ago) are at it again.

Seems they are trying to start a new one with a fake security company (SecuriElite-dot-com). The website is currently devoid of any exploits and is being blocked by everyone and their cat, but expiring minds want to know if there were any initial infections prior to things being toned down.

 

[Andy Ful]

The nasty thing related to drive-by downloads is that a user can download & execute only safe files and still the malicious code can be executed without user (direct) interaction. For example, this can be done when the hacked/malicious website will drop a malicious DLL into the User Downloads folder and the user will download and execute a legal file (usually digitally signed) vulnerable to DLL hijacking. This method can be still detected by standard AV modules (signatures, heuristics, behavior-based) but it will bypass most anti-exe solutions and many protections based on EXE reputation/sandbox Cloud lookup (Windows Smartscreen Application Reputation, Avast/AVG Hardened Mode and CyberCapture, etc.). Also using Virus Total and online Sandboxes to check the downloaded EXE file will not help. Some reputation-based solutions (like Norton Download Insight) can stop such attacks. Also, some other AVs can be configured to do so (Kaspersky, Comodo, etc.).

 

[wat0114]

For example, this can be done when the hacked/malicious website will drop a malicious DLL into the User Downloads folder and the user will download and execute a legal file (usually digitally signed) vulnerable to DLL hijacking.

Hi Andy,

is there a threat you know of currently in circulation doing this, and iis there an analysis on it somewhere? I'm curious because I like to read up on these threats.

 

[Andy Ful]

Hi Andy,

is there a threat you know of currently in circulation doing this, and iis there an analysis on it somewhere? I'm curious because I like to read up on these threats.

I did not hear about the widespread threats of this kind. If they are used then most probably in the targeted attacks on Enterprises, like most of such attacks. There are more popular methods based on DLL hijacking and they are still very effective, so there is no need for attackers to use something new (until they change their minds).

Hijack Execution Flow: DLL Search Order Hijacking, Sub-technique T1574.001 - Enterprise | MITRE ATT&CK®

attack.mitre.org

 

[wat0114]

I did not hear about the widespread threats of this kind. If they are used then most probably in the targeted attacks on Enterprises, like most of such attacks. There are more popular methods based on DLL hijacking and they are still very effective, so there is no need for attackers to use something new (until they change their minds).

Hijack Execution Flow: DLL Search Order Hijacking, Sub-technique T1574.001 - Enterprise | MITRE ATT&CK®

attack.mitre.org

Thanks for the link, Andy. I guess the most important bit I took from the article was: "Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL". I suppose this would be more of an enterprise-type attack.

I think drive-bys are probably very difficult to successfully pull off on the home user if the software is kept up to date, especially browsers, plugins kept to bare necessary only, and they are running AV and smartscreen filtering. Add in a good ad blocker, especially one that will actually block 3rd-party scripts and iframes, and you're closer to bulletproof. All else such as SRP, OS hardening techniques, HIPS is all icing on the cake and maybe even overkill depending on the implementation.

In linux Debian dual-booted with Windows 10 Pro I have all network-listening services, my web browsers and email client confined with quite strict Apparmor policies. Probably overkill but it was fun to set up and just as much fun to maintain.

 

[Andy Ful]

I think drive-bys are probably very difficult to successfully pull off on the home user if the software is kept up to date, especially browsers, plugins kept to bare necessary only, and they are running AV and smartscreen filtering. Add in a good ad blocker, especially one that will actually block 3rd-party scripts and iframes, and you're closer to bulletproof. All else such as SRP, OS hardening techniques, HIPS is all icing on the cake and maybe even overkill depending on the implementation.

Unfortunately, most people do not block 3rd party scripts and iframes. Many people do not use any Adblocker. Most people are also vulnerable to social engineering techniques, especially when visiting trusted websites.
So, they are still vulnerable to drive-by downloads even on updated Windows 10 with an updated web browser.
But, this vulnerability is currently used when the target can be also exploited to execute the payload. Many such attacks are prevented by web protection features of web browsers and AVs. So, in the end, successful attacks against the home users on Windows 10 (updated system/software) are very rare.

 

[danb]

Here is a quick test.

DLL Search Order Hijacking - Protect with Red Canary

DLL Search Order Hijacking allows adversaries to introduce malicious binaries in a way that can be difficult to detect.

redcanary.com

 

[wat0114]

Here is a quick test.

DLL Search Order Hijacking - Protect with Red Canary

DLL Search Order Hijacking allows adversaries to introduce malicious binaries in a way that can be difficult to detect.

redcanary.com

It's just copying files to those directories. No execution of anything that I can see. If I simply execute the following instead:

%windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe

OSArmor prevents cmd.exe from executing powershell.

Edit

after some more thought, I guess the test is just illustrating that malicious files could be dropped into userspace directories if they escape detetction from AV and whatnot, and the malicious library could be loaded so that's obviously not a good thing.

 

[porkpiehat]

It's just copying files to those directories. No execution of anything that I can see. If I simply execute the following instead:

%windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe

OSArmor prevents cmd.exe from executing powershell.

Edit

after some more thought, I guess the test is just illustrating that malicious files could be dropped into userspace directories if they escape detetction from AV and whatnot, and the malicious library could be loaded so that's obviously not a good thing.

BUGGER!
same here... Comodo contains the powershell exe..

 

[Andy Ful]

@wat0114, @porkpiehat​

The below test:

copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe
copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
%APPDATA%\updater.exe -Command exit

requires Command Prompt. PowerShell is not executed at all.
Simply open Command Prompt and paste/execute the code.
OSA blocks this in another way:

 

[Venustus]

Bitdefender Block: