"The Art of War is simple enough. Find out where your enemy is. Get at him as soon as you can. Strike him as hard as you can. Keep moving on"
- Ulysses S. Grant
Friday, November 5, 2010
Defeating Drive-by Downloads in Windows
The Problem
Drive-by Downloads have been a problem for a number of years now. This avenue of attack has become more popular as attackers have developed more techniques to direct visitors to their exploit websites. The three most common scenarios are: Search Engine poisoning, malicious forum posts, and malicious flash ads. These are complex, multi-step attacks that build upon each other to eventually install some sort of malware on the victim's machine. I call this series of steps the "Chain of Compromise" (I've also heard this described as the kill-chain.) It's our job as the defense to break that chain as early as possible. If we allow it to complete, then we have a real incident on our hands.
Countermeasures
There are a number of system countermeasures that you could use to defeat drive-by attacks. I've got an incomplete list below comparing their average cost to install, both monetarily and a vague measure of the amount of technical effort required.
Countermeasure
Cost
Tinker-Factor
Anti-Virus
Free to $80 USD
Low
Web-filter
Free to Thounsands
Medium to High
Alternative Browser
Free
Low to Medium
No-script
Free
Medium
Adblocker
Free
Low
Flashblock
Free
Low
OpenDNS
Free
Medium
Alternative Document Viewer
Free
Low to Medium
Executable Whitelist
Free to Hundreds
High
Full-proxied Environment
Hundreds to Thousands
Medium to High
IPS
Free to Thousands
Medium to High
Disable Administrator rights
Free
Low to Medium
Masqurade User-Agent
Free
Low
DEP/ASLR
Free
Low to Medium
Anti-Virus: not much to say about this, everyone has it now, and it's the countermeasure that gets the most attention by attackers. It's easily evaded with minimal effort.
Web-filter: this could be on the system itself, or injected through a web proxy. Free options include K9
Alternative Browser: something other than IE or Firefox. By moving to a less-popular browser you stepping out of the line of fire in most cases. At least is reduces your attack surface to your office/document viewers (e.g. Flash, Acrobat, etc.)
No-script: allows you to block execution of javascript on new/unknown sites.
Adblocker: typically used to avoid annoying advertisements, a bit controvertial since websites are supported by their ad revenue, but more often becoming a necessity due to poor quality-control/security-measures by ad-servers.
Flashblock: like no-script, but for flash. Allows you to run flash when you need it, and block it from unknown/unexpected sources.
OpenDNS: if you use OpenDNS for your domain name resolution, it can block requests to suspicious/malicious destinations.
Alternative Document Viewer: use an alternative PDF viewer to avoid a number of Adobe Acrobat vulnerabilities and avoid executing unnecessary code. You'll likely lose the ability to use interactive PDF forms, but you could always keep a copy of Acrobat Reader handy for the few times you need it.
Executable Whitelist: this is ideal defense against unknown code executing on your system. It's also extremely difficult to maintain over time.
Full-proxied Environment: don't let your systems have direct access to the Internet. Proxy all out-bound requests. This is extremely effective against most backdoors and infected systems reaching out to command and control servers via something other than HTTP/HTTPS (those ofen hijack the browser for this purpose and thus inherit the proxy settings.)
IPS: Either a host-based or network-based IPS system capable of blocking known exploits.
Disable Administrator Rights: is the victim account is not running as administrator some of the follow-on damage from a compromise can be limited. However, this does not prevent the compromise in most cases.
Masquerade User-Agent: some browsers and some add-ins allow you to alter the user-agent and other identifying information to thwart targeted attacks.
DEP/ASLR: Data Execution Prevention or Address Space Layout Randomization helps protect Internet Explorer from certain classes of exploits at the cost of some functionality.
Now we'll see how these countermeasures stack up against the attackers in a few scenarios.
Scenario 1: Search Engine Poisoning
In our first scenario, the attackers have set up a network of compromised websites that redirect the visitor to one of their exploit servers. The exploit server has some javascript on it that effectively scans the potential victim for the versions of the browser, java, flash, and PDF client. Based on the results of the scan and the geo-location of the victim's IP address the exploit server launches a targeted attack against any vulnerable browser, java, flash or PDF client on the system. If this attack is successful, the victims machine will download a payload from their payload server. This is exploit-as-a-service, where this criminal group offers the delivery of another criminal group's payload to a certain number of IP addresses in a certain geographical region. This is how they make their money: they build an maintain the infrastructure of redirect servers, exploit servers, and download servers, this infrastructure is then rented out to other groups. In addition to building the infrastructure, they also spend a lot of time promoting their redirect sites in common search engines.
So, in our scenario, our victim goes to their favorite search engine looking for "holiday cookie recipes" and in their search results are a number of links that lead to one of our attacker's redirect sites. Let's say the victim queues up a number of requests in their browser tabs.
The browser will open up a connection to one of the redirect sites, it will have a meta-refresh, or iframe, or return a 302 to direct the user to the exploit site.
The exploit-site delivers a set of javascript routines to the browser.
These routines identify version information for: the browser, java, flash and PDF reader.
The exploit server returns the exploit that is most likely to succeed.
The victim's application is exploited and commanded to pull down and execute the downloader code (either from the exploit site itself, or the downloader site)
The downloader code is executed on the system, this downloads additional payload and executes this on the victim's system.
Victim's system now needs to be re-imaged.
Use this table below to map out which countermeasures are effective at which stage in the attack. Keep in mind that the earlier you break the chain, the better it is for your environment. Compare this to the costs above and see if you can identify the best defense strategy for this scenario.
Key: "-" denotes no impact, Potential means that under the best conditions the countermeasure is effective, Likely means it's effective more often, and Complete is near-certain that it works.
Redirect Site
Exploit Site
Java-script Recon
Browser Exploit
Flash Exploit
PDF Exploit
Download Site
Downloader code
Secondary Payload
Command and Control Established
Anti-Virus
-
-
-
-
-
-
-
Potential
Potential
-
Web-filter
Potential
Potential
-
-
-
-
Potential
-
-
Potential
Alternative Browser
-
-
-
Likely
-
-
-
-
-
-
No-script
-
-
Complete
-
-
-
-
-
-
-
Adblocker
-
-
-
-
-
-
-
-
-
-
Flashblock
-
-
-
-
Complete
-
-
-
-
-
OpenDNS
Potential
Potential
-
-
-
-
Potential
-
-
Potential
Alternative Document Viewer
-
-
-
-
-
Potential
-
-
-
-
Executable Whitelist
-
-
-
-
-
-
-
Complete
Complete
-
Full-proxied Environment
-
-
-
-
-
-
-
-
-
Likely
IPS
-
-
Possible
Likely
Possible
Possible
-
Possible
Possible
Possible
Disable Administrator rights
-
-
-
-
-
-
-
-
-
-
Masquerade User-Agent
-
-
-
Possible
-
-
-
-
-
-
DEP/ASLR
-
-
-
Possible
-
-
-
-
-
-
Scenario 2: Malicious Forum Post
In our second scenario, our same attacker group is hosting an exploit infrastructure and getting paid to install malicious payloads. Instead of using search engine poisoning and redirect sites, they are exploiting vulnerabilities in common forum software to inject iframes into forum posts. Here our victim is reading up on solutions to a pesky automobile problem, and is search internet forums for advice. They happen upon a thread that one of the attackers has placed a malicious comment. This kicks off the series of events very similar to Scenario 1.
Forum iframe
Exploit Site
Java-script Recon
Browser Exploit
Flash Exploit
PDF Exploit
Download Site
Downloader code
Secondary Payload
Command and Control Established
Anti-Virus
-
-
-
-
-
-
-
Potential
Potential
-
Web-filter
-
Potential
-
-
-
-
Potential
-
-
Potential
Alternative Browser
-
-
-
Likely
-
-
-
-
-
-
No-script
-
-
Complete
-
-
-
-
-
-
-
Adblocker
-
-
-
-
-
-
-
-
-
-
Flashblock
-
-
-
-
Complete
-
-
-
-
-
OpenDNS
--
Potential
--
-
-
-
Potential
-
-
Potential
Alternative Document Viewer
-
-
-
-
-
Potential
-
-
-
-
Executable Whitelist
-
-
-
-
-
-
-
Complete
Complete
-
Full-proxied Environment
-
-
-
-
-
-
-
-
-
Likely
IPS
-
-
Possible
Likely
Possible
Possible
-
Possible
Possible
Possible
Disable Administrator rights
-
-
-
-
-
-
-
-
-
-
Masquerade User-Agent
-
-
-
Possible
-
-
-
-
-
-
DEP/ASLR
-
-
-
Possible
-
-
-
-
-
-
There's really not much different in this table, so an effective strategy targeting malicious search engine results is similarly effective against malicious forum posts
Scenario 3: Malicious Flash Ad
Much like the above two scenarios, but this one differs in how the victim reaches the exploit. In this case, during their lunch hour they browse over to their favorite news website. It's in your company's web-proxy whitelist because it's a "trusted site." Unfortunately, that website's advertisement broker didn't detect the redirect code hidden in the flash ad, so now your victim, who didn't click on the advertisement, is silently redirected to the exploit site.
Visit Exploited News Site
View Malicious Ad
Exploit Site
Java-script Recon
Browser Exploit
Flash Exploit
PDF Exploit
Download Site
Downloader code
Secondary Payload
Command and Control Established
Anti-Virus
-
-
-
-
-
-
-
-
Potential
Potential
-
Web-filter
-
Potential
Potential
-
-
-
-
Potential
-
-
Potential
Alternative Browser
-
-
-
-
Likely
-
-
-
-
-
-
No-script
-
-
-
Complete
-
-
-
-
-
-
-
Adblocker
-
Likely
-
-
-
-
-
-
-
-
-
Flashblock
-
Complete
-
-
-
Complete
-
-
-
-
-
OpenDNS
-
Potential
Potential
-
-
-
-
Potential
-
-
Potential
Alternative Document Viewer
-
-
-
-
-
-
Potential
-
-
-
-
Executable Whitelist
-
-
-
-
-
-
-
-
Complete
Complete
-
Full-proxied Environment
-
-
-
-
-
-
-
-
-
-
Likely
IPS
-
-
-
Possible
Likely
Possible
Possible
-
Possible
Possible
Possible
Disable Administrator rights
-
-
-
-
-
-
-
-
-
-
-
Masquerade User-Agent
-
-
-
-
Possible
-
-
-
-
-
-
DEP/ASLR
-
-
-
-
Possible
-
-
-
-
-
-
Example Strategies
My home computer was compromised about a week ago by a FakeAV program. I was running an up-to-date patched version of Windows 7 running Internet Explorer and anti-virus. So, basically I really didn't stand a chance. The default strategy of: move to firefox, install no-script etc...wasn't a viable option at the time. My option was to focus more on OpenDNS and K9 to help from getting redirected to known malicious websites to begin with. Yes, that machine is likely to get popped again but it's a bit less likely.
If you look at the tables above, you'll note that the average user running Internet Explorer, Shockwave, and Acrobat Reader relying only on Anti-virus doesn't stand much of a chance. On the other end of the spectrum, an environment that relies only upon Executable Whitelist will certainly break the compromise chain, but very late within the event and at a likely-large cost of effort. When giving advice on which browser to use, I often recommend, firefox since it can support addons like adblock, flashblock, and no-script. When we make such recommendations it never fails that someone will complain how their environment and circumstances are different. This is the primary motivator behind the capabilities-matrix approach. You can evaluate what countermeasures are appropriate/affordable/possible in your situation and perhaps help determine if the payoff of a countermeasure is worth the investment.
No comments:
Post a Comment