Q&A Drive-by downloads: Can you get malware just from visiting a website?

roger_m

Level 32
Verified
Content Creator
Dec 4, 2014
2,189
I tried 17 antiviruses and only three intercepted the last command. F-Secure SAFE (blocked by DeepGuard), Norton AV (blocked by SONAR) and Max Internet Security all blocked updater.exe from executing. In the case of Max IS, when attempting to launch updater.exe, "Access is denied" was displayed in the Command Prompt window, but I received no alerts.

The following antiviruses, as well as some little-known ones, all let the last command run without blocking it or showing any alerts.
  • 360 TS
  • AVG IS
  • Bullguard
  • Huorong
  • IObit Malware Fighter Pro
  • Kaspersky Security Cloud
  • McAfee IS
  • Quick Heal AV Pro
  • Webroot
  • WiseVector StopX

Hello,
Has anyone tested Kaspersky?
Kaspersky did not block it.
 

harlan4096

Moderator
Verified
Staff member
Malware Hunter
Apr 28, 2015
7,146
I'm not sure if I did it correctly, but I just ran this .bat in my KTS2021MR3 Patch A (AutoMode/Default Settings):
REM Copy the PowerShell executable into %APPDATA% under the name updater.exe
copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe
REM Copy amsi.dll into the same directory
copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
REM Launch the renamed copy and exit immediately
%APPDATA%\updater.exe -Command exit

And I got a warning:

1617868021225.png

1617868104403.png

1617868267823.png
 

Local Host

Level 23
Verified
Sep 26, 2017
1,270
@struppigel is right in saying that drive-by downloads are not so rare. This also follows from the article mentioned in his post. So the answer to the OP is YES. One can get malware when visiting a website, even on updated Windows 10 with an updated web browser. But the malware will not infect the system without user interaction, except when something is exploited. The danger follows from the fact that the attack can easily be done from a trusted website, for example via malicious ads. So most people will follow the attacker's instructions and infect the system anyway.
It has been the malware of the century, so I also agree with @struppigel.

The fact that most Home Users are outdated and filled with junk third-party software makes them easy targets.

People are so paranoid about Microsoft that they go as far as blocking Windows Update; this is why I support Microsoft in enforcing updates for Home Users.
Hello,
Has anyone tested Kaspersky?
Kaspersky blocked it here.
 

roger_m

Level 32
Verified
Content Creator
Dec 4, 2014
2,189
After seeing that Kaspersky blocked it for @harlan4096 and @Local Host, I tried it again. Originally I had just pasted each command into a Command Prompt window, but this time I created and launched a batch file. Executing the batch file did trigger Kaspersky this time.

Kaspersky.png

I selected "Close this application," as I wanted to keep the batch file to test with other antiviruses. Upon selecting this, I received the following alert, which let me specify how long to wait before I would be alerted about it again.

Kaspersky 2.png
 

porkpiehat

Level 6
May 30, 2015
276
I tried 17 antiviruses and only three intercepted the last command. F-Secure SAFE (blocked by DeepGuard), Norton AV (blocked by SONAR) and Max Internet Security all blocked updater.exe from executing. In the case of Max IS, when attempting to launch updater.exe, "Access is denied" was displayed in the Command Prompt window, but I received no alerts.

The following antiviruses, as well as some little-known ones, all let the last command run without blocking it or showing any alerts.
  • 360 TS
  • AVG IS
  • Bullguard
  • Huorong
  • IObit Malware Fighter Pro
  • Kaspersky Security Cloud
  • McAfee IS
  • Quick Heal AV Pro
  • Webroot
  • WiseVector StopX


Kaspersky did not block it.
  • WiseVector StopX blocked S3(exe) upon unpacking.
    Screenshot 2021-04-08 112310.png
 

roger_m

Level 32
Verified
Content Creator
Dec 4, 2014
2,189
  • WiseVector StopX didn't even let S3(exe) unpack from 'Test Scripts'; it blocked it immediately.
This was for the following, not any downloaded files.
Code:
copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe
copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
%APPDATA%\updater.exe -Command exit
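A defender-side detection sketch for the test above, added here and not taken from the thread or from any vendor: it checks constructed Sysmon-style process-creation records (fields Image, OriginalFileName and CommandLine, which are assumptions about the log source) for a PowerShell binary that has been renamed or is running from a user-writable directory such as %APPDATA%.

```python
"""Flag PowerShell copies that were renamed or launched from user-writable
paths, as in the updater.exe test script. Added example; the events below are
constructed Sysmon-style Event ID 1 records, not real logs."""
import re
from pathlib import PureWindowsPath

# Constructed sample events (not real logs): one normal PowerShell start,
# one renamed copy in %APPDATA% (the test script), one unrelated updater.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -Command Get-Date"},
    {"Image": r"C:\Users\alice\AppData\Roaming\updater.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"C:\Users\alice\AppData\Roaming\updater.exe -Command exit"},
    {"Image": r"C:\Program Files\Vendor\updater.exe",
     "OriginalFileName": "updater.exe",
     "CommandLine": "updater.exe /check"},
]

# On-disk names under which PowerShell legitimately runs.
KNOWN_PS_NAMES = {"powershell.exe", "powershell_ise.exe"}
# Directory components a regular user can write to without elevation.
USER_WRITABLE = re.compile(r"\\(appdata|temp|tmp|downloads|public)\\", re.IGNORECASE)


def classify(event):
    """Return the list of reasons an event is suspicious (empty means benign)."""
    image = PureWindowsPath(event["Image"])
    name = image.name.lower()
    original = event.get("OriginalFileName", "").lower()
    reasons = []
    # Version-info name says PowerShell but the on-disk name does not: a renamed copy.
    if original == "powershell.exe" and name not in KNOWN_PS_NAMES:
        reasons.append("renamed PowerShell binary")
    # PowerShell (renamed or not) started from a user-writable directory.
    if original == "powershell.exe" and USER_WRITABLE.search(str(image)):
        reasons.append("PowerShell launched from user-writable path")
    return reasons


def scan(events):
    """Map Image path -> reasons for every event that raised at least one reason."""
    return {e["Image"]: r for e in events if (r := classify(e))}


if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS).items():
        print(f"ALERT {image}: {', '.join(reasons)}")
```

Only the %APPDATA% copy is flagged; the stock PowerShell and the vendor updater with a matching OriginalFileName pass, which is the distinction a rule based on the executable name alone would miss.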
 

Ahmed Uchiha

New Member
Feb 5, 2021
8
Hello,
I tested Kaspersky today against this script, saved as a .bat file, but Kaspersky didn't detect it. I checked it with KSN and it says it is safe; uploaded to VirusTotal, no engine detected it. After contacting Kaspersky and reporting the file, they said it is safe, nothing malicious in it. So, is this file safe or malicious, because System Watcher didn't detect it in my case? Could anyone confirm that, or is it only me?

here is the source code that I used:
copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe
copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
%APPDATA%\updater.exe -Command exit

Thank you in advance.
 

venustus

Level 57
Verified
Trusted
Content Creator
Dec 30, 2012
4,688
Hello,
I tested Kaspersky today against this script, saved as a .bat file, but Kaspersky didn't detect it. I checked it with KSN and it says it is safe; uploaded to VirusTotal, no engine detected it. After contacting Kaspersky and reporting the file, they said it is safe, nothing malicious in it. So, is this file safe or malicious, because System Watcher didn't detect it in my case? Could anyone confirm that, or is it only me?

here is the source code that I used:


Thank you in advance.
It's not malicious per se, just a harmless file to test your AV.

Norton SONAR does block it, however.
 

Ahmed Uchiha

New Member
Feb 5, 2021
8
Hello, thank you for your reply. I now know that it is not malicious; it should be a harmless test file similar to the EICAR test file. I tested it now and nothing showed up from Kaspersky. After contacting Kaspersky, they said it is a false detection and it has been fixed. Is it possible to retest the file now, after the database update, to check whether they actually classified this file as a false positive? On my end Kaspersky doesn't show any warning like in the screenshots above. Thank you so much again for your help.
"https://malwaretips.com/data/attachments/255/255072-0efa25ba6c9b56869e39cab988613a13.jpg"
 