Advice Request Drive-by downloads: Can you get malware just from visiting a website?

I tried 17 antiviruses and only three intercepted the last command: F-Secure SAFE (blocked by DeepGuard), Norton AV (blocked by SONAR) and Max Internet Security all blocked updater.exe from executing. In the case of Max IS, when attempting to launch updater.exe, "Access is denied" was displayed in the Command window, but I received no alerts.

The following antiviruses, as well as some little-known ones, all let the last command run without blocking it or showing any alerts.
  • 360 TS
  • AVG IS
  • Bullguard
  • Huorong
  • IObit Malware Fighter Pro
  • Kaspersky Security Cloud
  • McAfee IS
  • Quick Heal AV Pro
  • Webroot
  • WiseVector StopX

Hello,
Has anyone tested Kaspersky?
Kaspersky did not block it.
 
I'm not sure if I did it correctly, but I just ran this .bat in my KTS2021MR3 Patch A (AutoMode/Default Settings):
copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe
copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
%APPDATA%\updater.exe -Command exit

And I got a warning:

 
@struppigel is right in saying that drive-by downloads are not so rare. This also follows from the article mentioned in his post. So the answer to the OP is YES: one can get malware when visiting a website, even on an updated Windows 10 with an updated web browser. But the malware will not infect the system without user interaction, except when something is exploited. The danger follows from the fact that the attack can easily be done from a trusted website, for example via malicious ads. So most people will follow the attacker's instructions and infect the system anyway.
It has been the malware of the century, so I also agree with @struppigel.

The fact that most home users are outdated and filled with junk third-party software makes them easy targets.

People are so paranoid about Microsoft that they go as far as blocking Windows Update; this is why I support Microsoft in enforcing updates on home users.
Hello,
Has anyone tested Kaspersky?
Kaspersky blocked it here.
 
After seeing that Kaspersky blocked it for @harlan4096 and @Local Host, I tried it again. Originally I had just pasted each command into a Command Prompt window, but this time I created and launched a batch file. Executing the batch file did trigger Kaspersky this time.


I selected "Close this application," as I wanted to keep the batch file to test with other antiviruses. Upon selecting this, I received the following alert, which let me specify how long to wait before I would be alerted about it again.

 

Kaspersky did not block it.
  • WiseVector StopX blocked S3(exe) upon unpacking.
 
  • WiseVector StopX didn't even let S3(exe) unpack from 'Test Scripts'; it blocked it immediately.
This was for the following, not for any downloaded files.
Code:
copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe
copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
%APPDATA%\updater.exe -Command exit
 
@roger_m is right: executing the code yourself isn't blocked by many AVs so far, as it was user initiated and not really malicious. The exe file, however, is blocked by Cylance, WiseVector and Sophos (all ML/AI based).
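As an added illustration of how a behaviour-based product or EDR can still key on this test script even though each step is user initiated (example code added here, not from this thread or from any vendor named in it): a small Python rule over constructed Sysmon-style events for the three steps of the .bat. Field names follow Sysmon's ProcessCreate and FileCreate events; the sample events, paths and the TRUSTED_DIRS list are assumptions made for the example.

```python
# Added example: a detection rule for this thread's test script, modelled on Sysmon
# ProcessCreate (EventID 1: Image, OriginalFileName) and FileCreate (EventID 11:
# TargetFilename) fields. All events below are constructed, not real logs.
import ntpath

# Directories Windows ships powershell.exe and amsi.dll from (assumed list); anything else is suspect.
TRUSTED_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\system32\windowspowershell\v1.0",
    r"c:\windows\syswow64\windowspowershell\v1.0",
}

def check_event(event):
    """Return finding strings for one event; an empty list means nothing suspicious."""
    findings = []
    if event.get("EventID") == 1:
        image = event.get("Image", "")
        img_dir, img_name = ntpath.split(image.lower())
        # A copied powershell.exe keeps "PowerShell.EXE" in its PE version info, so
        # Sysmon's OriginalFileName still identifies it after the rename to updater.exe.
        if event.get("OriginalFileName", "").lower() == "powershell.exe":
            if img_name != "powershell.exe":
                findings.append(f"renamed PowerShell: {image}")
            if img_dir not in TRUSTED_DIRS:
                findings.append(f"PowerShell started from non-system path: {img_dir}")
    elif event.get("EventID") == 11:
        target = event.get("TargetFilename", "")
        tgt_dir, tgt_name = ntpath.split(target.lower())
        # amsi.dll written outside System32/SysWOW64 is the side-by-side DLL setup.
        if tgt_name == "amsi.dll" and tgt_dir not in TRUSTED_DIRS:
            findings.append(f"amsi.dll dropped outside system dir: {target}")
    return findings

def scan(events):
    """Apply check_event to an event stream and return all findings in order."""
    return [f for ev in events for f in check_event(ev)]

# Constructed sample: the three steps of the .bat as Sysmon would log them, plus a benign
# control. The copy to updater.exe alone yields nothing (FileCreate carries no version info).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\updater.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\amsi.dll"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Roaming\updater.exe",
     "OriginalFileName": "PowerShell.EXE", "CommandLine": "updater.exe -Command exit"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE", "CommandLine": "powershell.exe -Command Get-Date"},
]
```

Running `scan(SAMPLE_EVENTS)` yields three findings (the amsi.dll drop and two for the renamed PowerShell start) and none for the benign control.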
 
Hello,
I tested Kaspersky today against this script, saved as a .bat file, but Kaspersky didn't detect it. I checked it with KSN and it says it is safe. I uploaded it to VirusTotal and no engine detected it. After contacting Kaspersky and reporting the file, they said it is safe, nothing malicious in it. So, is this file safe or malicious? System Watcher didn't detect it in my case. Could anyone confirm that, or is that only me?

Here is the source code that I used:
copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe
copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
%APPDATA%\updater.exe -Command exit

Thank you in advance.
 
It's not malicious per se, just a harmless file to test your AV.

Norton SONAR does block it, however.
 
Hello, thank you for your reply. I now know that it is not malicious; it should be a harmless test file similar to the EICAR test file. I tested it now and nothing showed up from Kaspersky. After contacting Kaspersky, they said it is a false detection and it has been fixed. If it is possible, please retest the file now after the database update to check if they actually classified this file as a false positive, because on my end Kaspersky doesn't show any warning like in the screenshots above. Thank you so much again for your help.
 
I did a retest, and I confirm it is not detected anymore; in fact it was tagged as green in KSN:


It seems it was blocked at first, but probably after its behavior was analyzed it is now flagged as not malicious...
 
Emsisoft Anti-Malware detection from the .bat. If I ran the commands individually, it didn't react.

Heh, the last picture is actually the first alert and the first is the last one; I messed up the numbers a bit =P
 
