Advice Request Drive-by downloads: Can you get malware just from visiting a website?


roger_m

I tried 17 antiviruses and only three intercepted the last command. F-Secure SAFE (blocked by DeepGuard), Norton AV (blocked by SONAR) and Max Internet Security all blocked updater.exe from executing. In the case of Max IS, when attempting to launch updater.exe, "Access is denied" was displayed in the Command Prompt window, but I received no alerts.

The following antiviruses, as well as some little-known ones, all let the last command run without blocking it or showing any alerts.
  • 360 TS
  • AVG IS
  • Bullguard
  • Huorong
  • IObit Malware Fighter Pro
  • Kaspersky Security Cloud
  • McAfee IS
  • Quick Heal AV Pro
  • Webroot
  • WiseVector StopX

Hello,
Has anyone tested Kaspersky?
Kaspersky did not block it.
 

harlan4096

I'm not sure if I did it correctly, but I just ran this .bat in my KTS2021MR3 Patch A (AutoMode/Default Settings):
copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe
copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
%APPDATA%\updater.exe -Command exit

And I got a warning:

1617868021225.png

1617868104403.png

1617868267823.png
 

Local Host

@struppigel is right by saying that drive-by downloads are not so rare. This also follows from the article mentioned in his post. So the answer to the OP is YES. One can get malware when visiting a website, even on updated Windows 10 with an updated web browser. But, the malware will not infect the system without user interaction, except when something is exploited. The danger follows from the fact that the attack can be easily done from a trusted website, for example via malicious Ads. So most people will follow the attacker's instructions and infect the system anyway.
It has been the malware of the century, so I also agree with @struppigel.

The fact that most Home Users are outdated and filled with junk third-party software makes them easy targets.

People are so paranoid about Microsoft that they go as far as blocking Windows Update; this is why I support Microsoft in enforcing updates for Home Users.
Hello,
Has anyone tested Kaspersky?
Kaspersky blocked it here.
 

roger_m

After seeing that Kaspersky blocked it for @harlan4096 and @Local Host, I tried it again. Originally I had just pasted each command into a Command Prompt window, but this time I created and launched a batch file. Executing the batch file did trigger Kaspersky this time.

Kaspersky.png

I selected "Close this application," as I wanted to keep the batch file to test with other antiviruses. Upon selecting this, I received the following alert, which let me specify how long to wait before I would be alerted about it again.

Kaspersky 2.png
 

porkpiehat

I tried 17 antiviruses and only three intercepted the last command. F-Secure SAFE (blocked by DeepGuard), Norton AV (blocked by SONAR) and Max Internet Security all blocked updater.exe from executing. In the case of Max IS, when attempting to launch updater.exe, "Access is denied" was displayed in the Command Prompt window, but I received no alerts.

The following antiviruses, as well as some little-known ones, all let the last command run without blocking it or showing any alerts.
  • 360 TS
  • AVG IS
  • Bullguard
  • Huorong
  • IObit Malware Fighter Pro
  • Kaspersky Security Cloud
  • McAfee IS
  • Quick Heal AV Pro
  • Webroot
  • WiseVector StopX


Kaspersky did not block it.
  • WiseVector StopX blocked S3(exe) upon unpacking.
    Screenshot 2021-04-08 112310.png
 

roger_m

  • WiseVector StopX didn't even let S3(exe) unpack from 'Test Scripts'... it blocked it immediately.
This was for the following, not any downloaded files.
Code:
copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe
copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
%APPDATA%\updater.exe -Command exit
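From the defender's side, the batch file above leaves two telemetry traces a detection rule can key on: a process whose PE version resource still says PowerShell.EXE while its on-disk name is updater.exe, and amsi.dll being loaded from %APPDATA% rather than System32. The Python below is an added example written for this thread, not code from any poster or product; the Sysmon-style log lines are constructed, and the compact `Key: value | Key: value` layout is an assumption made for the example.

```python
"""Detect the renamed-PowerShell test from this thread (added example, constructed data).

The batch file copies powershell.exe to %APPDATA%\\updater.exe with amsi.dll beside it.
A renamed copy keeps its PE version resource, so telemetry that records OriginalFileName
(Sysmon Event ID 1) still reports PowerShell.EXE while Image ends in updater.exe, and an
image-load event (Sysmon Event ID 7) shows amsi.dll loading from outside System32.
"""
from typing import Dict, List

SYSTEM32_PREFIX = "c:\\windows\\system32\\"

# Constructed sample telemetry in a 'Key: value | Key: value' layout (not real logs):
# a normal PowerShell start, the renamed copy, its amsi.dll load, a legitimate load.
SAMPLE_EVENTS = [
    "EventID: 1 | Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    " | OriginalFileName: PowerShell.EXE",
    "EventID: 1 | Image: C:\\Users\\alice\\AppData\\Roaming\\updater.exe"
    " | OriginalFileName: PowerShell.EXE",
    "EventID: 7 | Image: C:\\Users\\alice\\AppData\\Roaming\\updater.exe"
    " | ImageLoaded: C:\\Users\\alice\\AppData\\Roaming\\amsi.dll",
    "EventID: 7 | Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    " | ImageLoaded: C:\\Windows\\System32\\amsi.dll",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed 'Key: value | ...' line into a lowercase-keyed dict."""
    fields: Dict[str, str] = {}
    for part in line.split(" | "):
        key, _, value = part.partition(": ")
        fields[key.strip().lower()] = value.strip()
    return fields


def check_event(event: Dict[str, str]) -> List[str]:
    """Return zero or more findings for a single parsed event."""
    findings: List[str] = []
    if event.get("eventid") == "1":
        image = event.get("image", "").lower()
        original = event.get("originalfilename", "").lower()
        # Version info says PowerShell, but the file on disk is called something else.
        if original == "powershell.exe" and not image.endswith("\\powershell.exe"):
            findings.append(f"renamed PowerShell host started: {event['image']}")
    elif event.get("eventid") == "7":
        loaded = event.get("imageloaded", "").lower()
        # amsi.dll is expected from System32; any other location deserves a look.
        if loaded.endswith("\\amsi.dll") and not loaded.startswith(SYSTEM32_PREFIX):
            findings.append(f"amsi.dll loaded from non-System32 path: {event['imageloaded']}")
    return findings


def scan(lines: List[str]) -> List[str]:
    """Run check_event over every telemetry line and collect all findings."""
    return [f for line in lines for f in check_event(parse_event(line))]
```

Both rules fire on the renamed copy and stay quiet on the stock powershell.exe; as the thread notes, the file itself is benign, so a hit is a prompt to look at who copied it there, not proof of infection.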
 

Ahmed Uchiha

Hello,
I tested Kaspersky today against this script, saved as a .bat file, but Kaspersky didn't detect it. I checked it with KSN and it says it is safe; I uploaded it to VirusTotal and no engine detected it. After contacting Kaspersky and reporting the file, they said it is safe and there is nothing malicious in it. So is this file safe or malicious, because System Watcher didn't detect it in my case? Could anyone confirm that, or is that only me?

here is the source code that I used:
copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe
copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
%APPDATA%\updater.exe -Command exit

Thank you in advance.
 

Venustus

Hello,
I tested Kaspersky today against this script, saved as a .bat file, but Kaspersky didn't detect it. I checked it with KSN and it says it is safe; I uploaded it to VirusTotal and no engine detected it. After contacting Kaspersky and reporting the file, they said it is safe and there is nothing malicious in it. So is this file safe or malicious, because System Watcher didn't detect it in my case? Could anyone confirm that, or is that only me?

here is the source code that I used:


Thank you in advance.
It's not malicious per se, just a harmless file to test your AV.

Norton SONAR does block it, however.
 

Ahmed Uchiha

Hello, thank you for your reply. I now know that it is not malicious; it should be a harmless test file similar to the EICAR test file. I tested it now and nothing showed up from Kaspersky. After contacting Kaspersky, they said it is a false detection and it has been fixed. If possible, could you retest the file now after the database update to check if they actually classified this file as a false positive, because on my end Kaspersky doesn't show any warning like in the screenshots above. Thank you so much again for your help.
"https://malwaretips.com/data/attachments/255/255072-0efa25ba6c9b56869e39cab988613a13.jpg"
 

harlan4096

I did a retest, and I confirm it is not detected anymore; in fact it was tagged as green in KSN:

1618397743502.png

It seems it was blocked at first, but probably after its behavior was analyzed it is now flagged as not malicious...
 

Yanick

Emsisoft Anti-Malware detection from the .bat. If I ran the commands individually, it didn't react.

Heh, the last picture is actually the first alert and the first is the last one; I messed up the numbers a bit =P
 

Attachments

  • 1.jpg
  • 2.JPG
