#6: it says that the exploit kit is downloaded and executed. If it is downloaded, wouldn't, for example, the Chrome browser show the file downloading in the download bar? Also, how can it execute by itself?
You most certainly can be infected by just visiting a site, if you have vulnerable plugins or a vulnerable browser. A world where infection would only be possible if you ran a downloaded exe file would be far easier to keep a computer secure in, but in the real world some types of virus can load themselves onto your machine without the need for any deliberate actions (like opening a file) by the user. Such attacks are called “drive-bys” or “exploits” and commonly target the Java, Flash and Silverlight plugins as well as Adobe Reader and the Internet Explorer browser; exploits also exist which can attack media player software and all the other common browsers (Chrome, Firefox and all the rest). Fortunately there are some ways to make it much harder for drive-by attacks to infect you. Careful browsing could be considered the first, but in this era of malvertising content being loaded in the corners of reputable sites, careful browsing is not enough.
The various means to defend yourself are listed and explained below; do as many as you can for the best protection.
Always make sure your browser is up to date, and the plugins within your browser as well. Updates to browsers and plugins patch vulnerabilities, so an old un-updated browser will be vulnerable to most exploits in use while an up-to-date browser will only be vulnerable to recently developed exploits. IE is the most vulnerable; Firefox and Chrome are both far more secure, but neither is perfect.
Deactivate all your plugins or set them as “click to play”. Loads more exploits exist which attack Flash, Java and Silverlight as compared to the lower (but still terrifyingly large) number of exploits which target the browsers themselves. If you disable plugins you don’t use, and set those which you sometimes use as “click to play” or “ask to activate”, then exploits which attack plugins are less of a danger to you. Firefox makes it easy to disable plugins or set them as “ask to activate”; Chrome also makes it fairly easy, and these days it is set up to do this by going to “sandwich button”–>settings–>show advanced settings–>content settings–>let me choose when to run plugin content. I don’t know if IE lets you disable plugins like this or set them only to run when you approve them.
Run an adblocker, this won’t protect you from drive-bys and exploits actually built into the page you are visiting, but it will block adverts from third party sites which could be used to deliver malvertising.
Run a scriptblocker. This will protect you from exploits on the page you are visiting, and from exploits on other domains which are trying (but which the script blocker will stop) to load content onto the page you are on. A scriptblocker also blocks adverts as a side-effect, although you might want to run an adblocker alongside it as well. NoScript is a script blocker for Firefox; I have been using it for a while now, and I haven’t suffered any infections since I installed it as an add-on. I haven’t seen any pop-ups either. A scriptblocker like NoScript should make drive-bys impossible when you have it turned on, but sometimes you will need to allow some things through it for some things (videos mostly) on pages to work; if you only allow things from very trustworthy domains then it will keep you extremely safe. A scriptblocker prevents exploits before they can begin; it is an “anything the user doesn’t allow deliberately is by default forbidden” type of security solution.
Run some sort of specialised anti-exploit protection. Malwarebytes Anti-Exploit does this; it is a free program which blocks common exploit methods. This means that it can protect against unknown viruses, because it blocks anything that looks like an exploit without needing to worry about precisely what the payload is. This sort of program acts as a layer “behind” your browser, whereas things like NoScript and adblockers act as layers “in front” of your browser. MBAE works well in combination with NoScript and Firefox.
Keep your antivirus running as it is, and run a real-time protection antimalware alongside it if you can. An antivirus and antimalware act as another layer behind any specialised anti-exploit protection you have.
For further protection you can also run whitelisting software which prevents any exe file which you have not previously approved from being able to execute.
The key thing with protecting yourself from exploits is to use “anything not allowed by the user is forbidden” types of security as well as the standard method an antivirus uses, “anything not matching this database of known nasties is allowed”. Things like NoScript and MBAE, as well as whitelisting programs, use this first method and therefore don’t need to recognise every virus; they just stop anything which the user doesn’t choose to allow. A brand new virus would not be recognised by antivirus and antimalware programs, but it wouldn’t be able to infect a NoScript user unless they allowed the object or script delivering it to run, and it wouldn’t be able to infect an MBAE user unless it was using some utterly new and unrecognised exploit method. If you follow all the suggestions mentioned here, being exploited should be impossible. Note that you still need your antivirus running as well, because MBAE and NoScript won’t protect you from files you do deliberately open and run.
Regarding post #7: malware exploit files are small files, only a few kilobytes, if you have download speeds of 0.5 Mb per second they would download so fast that there wouldn’t even be time to show a “downloading” bar, also exploits do not download in the same way as normal file downloads, they take other routes so wouldn’t be counted by the browser as downloads and put into any download history it keeps. The self-execution of exploit files happens because of the exploit methods, these basically let them bypass normal downloading and opening entirely, they download themselves and immediately run themselves.
Edited by rp88, 07 June 2015 – 01:01 PM.
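The post above contrasts two security models: the antivirus "block what matches a known-bad list" approach and the NoScript/whitelisting "block everything the user has not deliberately allowed" approach. The example below, added here and not part of the original thread or of any of the products mentioned, simulates both policies over a constructed list of script URLs a page might try to load. All domains are hypothetical placeholders; the point is that a newly registered malvertising domain passes the stale blocklist but never passes the allowlist.

```python
from urllib.parse import urlparse

# Constructed scenario (hypothetical domains, not taken from the thread):
# a news page at news.example tries to load these scripts.
PAGE_ORIGIN = "https://news.example"
SCRIPT_URLS = [
    "https://news.example/static/site.js",             # first-party
    "https://cdn.news.example/player.js",              # first-party CDN
    "https://ads.adnetwork-example.net/tag.js",        # third-party ad tag
    "https://analytics-example.com/track.js",          # third-party, already known bad
    "https://fresh-malvertiser-example.biz/ld.js",     # brand new, unknown to any list
]

# Blocklist model: a signature database that has not yet learned the new domain.
KNOWN_BAD_HOSTS = {"analytics-example.com"}

# Allowlist model: only what the user deliberately approved (NoScript-style).
USER_ALLOWED_HOSTS = {"news.example", "cdn.news.example"}


def host_of(url: str) -> str:
    """Return the hostname of a URL, lower-cased (empty string if unparsable)."""
    return (urlparse(url).hostname or "").lower()


def blocklist_allows(url: str, known_bad: set[str] = KNOWN_BAD_HOSTS) -> bool:
    """Antivirus-style decision: allowed unless the host is on the known-bad list."""
    return host_of(url) not in known_bad


def allowlist_allows(url: str, allowed: set[str] = USER_ALLOWED_HOSTS) -> bool:
    """Default-deny decision: allowed only if the user explicitly approved the host."""
    return host_of(url) in allowed


def evaluate(urls: list[str]) -> dict[str, tuple[bool, bool]]:
    """Map each script URL to (blocklist_allows, allowlist_allows)."""
    return {u: (blocklist_allows(u), allowlist_allows(u)) for u in urls}


def only_caught_by_allowlist(urls: list[str]) -> list[str]:
    """Scripts the blocklist would let run but the allowlist stops.

    These are exactly the 'brand new virus' cases the post describes: nothing
    recognises them yet, so only default-deny prevents them from executing.
    """
    return [u for u, (bl, al) in evaluate(urls).items() if bl and not al]


if __name__ == "__main__":
    for url, (bl, al) in evaluate(SCRIPT_URLS).items():
        print(f"{url:50} blocklist={'run' if bl else 'BLOCK':5} allowlist={'run' if al else 'BLOCK'}")
    print("Caught only by default-deny:", only_caught_by_allowlist(SCRIPT_URLS))
```

Running it shows the first-party scripts allowed under both models, the stale-blocklist miss on the ad network and the fresh malvertising domain, and the known-bad analytics host blocked by both. The cost of the default-deny model is also visible: the ad tag is blocked too, which is the "some things on pages won't work" trade-off the post mentions.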
Even legitimate web sites and the ads they display can be a source of infection…exploit kits and drive-by downloads.
- Mainstream Websites More Likely to Harbor Malware
- Easier to Get Infected With Malware on ‘Good Sites’ Than on Shady Sites
- One in 10 web pages laced with malware
- One webpage gets infected by virus every 5 seconds
- Every 3.6 seconds a website is infected
- Cryptolocker Being Spread On YouTube Ads
- Cisco Annual Security Report: Threats Step Out of the Shadows
Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. Hackers are also known to exploit Flash vulnerabilities which can lead to malware infection. When visiting a website that hosts an HTML page which requires a Flash script, users may encounter a malicious Flash redirector or malicious script specifically written to exploit a vulnerability in the Flash Interpreter which causes it to execute automatically in order to infect a computer.
If you have not done so already, you may want to read: How Malware Spreads – How your system gets infected
Brad Duncan’s website provides great technical detail of the step-by-step machinery that goes on behind the scenes during an exploit kit attack, as does Kafeine’s blog. See examples of the Angler EK pushing the Bedep Trojan below:
I just ran into the infection outlined by Brad in the first link. Stepping through his post, you can see that just by visiting a site that points to “flash[.]casapiti[.]com[.]ar”, or by visiting that site directly, you will be redirected to a page (haitallistakinaglaozonia[.]renteriaonline[.]com) that hosts some files that are designed to exploit vulnerabilities in your browser (those are the 3 items in the “ANGLER EK” section, the GET requests.) The browser executes those files, because that is what it is supposed to do. The files themselves exploit vulnerabilities in the browser, which then allows the attacker to do what it is they want to do. In the cases covered by Brad and Kafeine and encountered by myself, the Bedep Trojan is pushed onto the machine. Yes, anti-virus can intervene at this point, once Bedep is dropped onto the machine, but that goes with usual caveats (definitions need to be updated, attacker can bypass protections by using polymorphic copies of the malware, malware can be packed, etc.) You should instead be relying on anti-exploit technologies to prevent the exploit in the first place. Again, these can be bypassed, but I have had very, very good experiences with Malwarebytes Anti-Exploit. The important thing to note here is that the only action that the user carried out was browsing to a website. The browser and the EK took care of everything else.
EKs are just files full of code that are executed by the browser. When the browser encounters a .SWF file, for example, the Flash Player plugin runs the file. If the version of Flash Player running the .SWF file is a vulnerable version, and if the .SWF file is built to exploit a vulnerability in that version of Flash, the exploit will occur unless something is able to intervene, such as Malwarebytes Anti-Exploit. This is the reason you hear so many people cry for you to patch your software religiously, to disable plug-ins you don’t need, and/or to run extensions/add-ons like NoScript so you can allow scripting on a file-by-file basis. No solution is one-size-fits-all, of course.
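The two posts above describe the shape of an exploit-kit visit: the user loads a normal page, is bounced through a redirector to a landing page on a different domain, and within seconds that landing page serves the .SWF and other objects the browser dutifully runs. That sequence is visible in a proxy log even when nothing else fires. The example below, added here and not part of the original thread or of Brad Duncan's or Kafeine's write-ups, walks referer chains in a set of constructed proxy log lines (placeholder domains, not the real infrastructure named in the post) and flags plugin-content fetches whose landing page was reached by a cross-site redirect moments after the page the user actually visited. A first-party Flash video player is included to show the rule does not fire on ordinary use.

```python
from datetime import datetime
from urllib.parse import urlparse

# Constructed proxy log (not a real capture; all domains are placeholders).
# Columns: timestamp client method url status content-type referer
PROXY_LOG = """\
2015-06-07T12:00:01 10.0.0.5 GET http://legit-news.example/article.html 200 text/html -
2015-06-07T12:00:02 10.0.0.5 GET http://flash.compromised-site.example/ 200 text/html http://legit-news.example/article.html
2015-06-07T12:00:03 10.0.0.5 GET http://landing.ek-domain.example/ 200 text/html http://flash.compromised-site.example/
2015-06-07T12:00:04 10.0.0.5 GET http://landing.ek-domain.example/x.swf 200 application/x-shockwave-flash http://landing.ek-domain.example/
2015-06-07T12:00:05 10.0.0.5 GET http://landing.ek-domain.example/p 200 application/octet-stream http://landing.ek-domain.example/
2015-06-07T12:05:00 10.0.0.6 GET http://video.example/watch 200 text/html -
2015-06-07T12:05:01 10.0.0.6 GET http://video.example/player.swf 200 application/x-shockwave-flash http://video.example/watch
"""

# Content types a browser hands straight to a plugin or treats as a binary drop.
PLUGIN_OR_BINARY_TYPES = {
    "application/x-shockwave-flash",
    "application/java-archive",
    "application/octet-stream",
}


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def parse_log(text: str) -> list[dict]:
    """Parse the constructed log format into one dict per request."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, _status, ctype, referer = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "url": url,
            "ctype": ctype,
            "referer": None if referer == "-" else referer,
        })
    return records


def find_drive_by_chains(text: str, window_seconds: int = 60) -> list[list[str]]:
    """Return referer chains (visited page ... object) that look like an EK visit.

    A fetch is flagged when: its content type is plugin/binary content, the page
    that referred it sits on the same host (the landing page serving its own
    exploit files), that landing page was itself referred from a *different*
    host (a cross-site redirect, not direct navigation), and the whole chain
    back to the page the user visited fits inside the time window.
    """
    records = parse_log(text)
    first_seen = {}
    for r in records:  # keep the earliest request per (client, url)
        first_seen.setdefault((r["client"], r["url"]), r)

    chains = []
    for r in records:
        if r["ctype"] not in PLUGIN_OR_BINARY_TYPES or not r["referer"]:
            continue
        landing = first_seen.get((r["client"], r["referer"]))
        if landing is None or host_of(landing["url"]) != host_of(r["url"]):
            continue  # object not served by its own landing page
        if not landing["referer"] or host_of(landing["referer"]) == host_of(landing["url"]):
            continue  # user navigated there directly or within the same site
        chain = [r["url"], landing["url"]]
        cur = landing
        while cur["referer"]:  # walk back to the page the user actually visited
            prev = first_seen.get((cur["client"], cur["referer"]))
            if prev is None:
                break
            chain.append(prev["url"])
            cur = prev
        if (r["ts"] - cur["ts"]).total_seconds() <= window_seconds:
            chains.append(list(reversed(chain)))
    return chains


if __name__ == "__main__":
    for chain in find_drive_by_chains(PROXY_LOG):
        print(" -> ".join(chain))
```

On the constructed log this reports two chains for client 10.0.0.5 (the Flash object and the binary drop, both reached via the redirector from the page the user opened) and nothing for 10.0.0.6, whose .SWF is a same-site player loaded from a page the user navigated to directly. Real traffic needs tuning (legitimate CDNs also serve plugin content cross-site), but the structure of the rule is the same one the posts describe in prose: the only user action was a page visit, and everything else happened inside the window.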