• Prevent drive-by downloads?

    • This topic has 20 replies, 15 voices, and was last updated 14 years ago.
    #475491

    I fix computers for a living and have been inundated over the last 12 months with people calling with ‘Scareware’ infections caused by drive-by downloads. I’ve seen systems infected that have various anti-virus and anti-spyware products running, so the standard defenses do not prevent these attacks. I’ve even had them come up on my own personal machine – but I know enough to just kill the browser process before the infection takes hold. Most of my customers, however, click the buttons on the scareware windows, which just allows the thing to take root.

    Malwarebytes typically takes care of the removal but that costs my clients money for me to fix it (good for me I guess). I’ve been monitoring a solution being developed by the DOD along with Georgia Tech called “B.L.A.D.E.” ( http://www.blade-defender.org/ ) but the website has said for the last 6 months that a prototype will be available ‘soon’ and the site hasn’t been updated for a long time now.

    So my question is: has anyone found an effective & practical solution to this problem? Based on the number of machines I see infected (2 to 3 a week), and I’m just a one-guy shop, there must be thousands & thousands of these infections each day.

    Bob.

    Viewing 9 reply threads
    • #1272038

      Unfortunately, Bob, there is no way to protect against the biggest cause of these things: our own fingers clicking buttons without thinking of the consequences. You just can’t stop people doing what they have always done. And unfortunately there is no universal way to get the message out to these very same people to change their habits. If we could get people to use Task Manager rather than X out to close unexpected pop-ups, that would go a long way toward solving this epidemic.

      • #1273656

        If we could get people to use Task Manager rather than X out to close unexpected pop-ups, that would go a long way toward solving this epidemic.

        Ted, I have never heard this before. Is it really more effective than just closing the browser, or pulling out the mains plug, because it’s going to take a lot longer?

        I ask so as to be prepared should the situation arise.

    • #1272109

      Hi Bob,

      I agree wholeheartedly with Ted. Most drive-by downloads are caused by people clicking on unknown items on a website. Nowadays on soooo many websites you will see an advertisement for a free scan of your computer to check for malware or viruses. After my first experience doing just that (about 6 years ago) and getting an infection on my system, I learned never again to click on these advertisements. I have not experienced a drive-by download on my computer since then. Most people, I think, are always watching out for a new malware/virus protection program which might be an improvement over what they are currently using, so these advertisements are very tempting. THERE IS NO PROGRAM AVAILABLE THAT WILL STOP PEOPLE FROM NOT USING COMMON SENSE!

      73s
      Murray

    • #1272120

      Hi Bob, you could start a side-line to your shop, teaching customers how to read. Almost all program makers provide ‘User Guides’, in the language of your location, but they go unread; then people ask in forums for help from those who can and do read them.
      Unfortunately most PC users, for example, install an anti-virus program to prevent viruses and think they’re safe (from the majority of attacks) without knowing what other features are included in the AV program.

    • #1272124

      I agree with everyone else. Most of these are not much more than annoyances that are easy to avoid by paying close attention.

      • #1272131

        I tell everyone that ends up with one of these what to do next time (don’t press anything – just turn off your computer) and I still ended up fixing two just today (one a repeat). My bread & butter is doing work for people who really don’t know that much – they just want to check their email, maybe shop at Amazon and do things like research bible study topics (yeah, I had one customer end up with a drive-by doing that). I cringe when I see the line of people dragging in their computers to the Best Buy Geek Squad, knowing that they are going to be out $200 because of the criminals dreaming up this crap trying to con people out of $65 (I usually fix it for $45). I know that it isn’t hard for those of us that live & breathe this stuff to deal with these drive-bys – but let’s face it, most of the computer users out there are like your (or my) mom & dad and are really just clueless about this stuff. I was just hoping someone else had figured out a way to stop this crap.

    • #1272141

      I find setting up my users’ routers to use opendns.org solves lots of these problems. The OpenDNS server automatically stops phishing and other attempts. As a bonus, some benchmarks mark it as a very fast DNS server; often faster than your ISP’s. Oh, and if you want to filter out other kinds of nasties, you can do that too.

    • #1272198

      I would like to add to peterl’s note about OpenDNS to also install the latest HOSTS file from http://www.mvps.org/winhelp2002/hosts.htm

      I’ve used that for years on multiple XP systems and did not experience a slow down, and rarely have to kill a browser due to a malicious pop-up. YMMV

      • #1272202

        I find setting up my users’ routers to use opendns.org solves lots of these problems. The OpenDNS server automatically stops phishing and other attempts. As a bonus, some benchmarks mark it as a very fast DNS server; often faster than your ISP’s. Oh, and if you want to filter out other kinds of nasties, you can do that too.

        Did you include the OpenDNS Updater ?

        I would like to add to peterl’s note about OpenDNS to also install the latest HOSTS file from http://www.mvps.org/winhelp2002/hosts.htm

        I’ve used that for years on multiple XP systems and did not experience a slow down, and rarely have to kill a browser due to a malicious pop-up.

        I tried using the Hosts File you stated on my Netbook and the ‘Boot’ time trebled.

        • #1273381

          Did you include the OpenDNS Updater ?

          I didn’t because I have a static IP address, so don’t need it. If you don’t know whether you have a static IP address, check with your ISP.

          I tried using the Hosts File you stated on my Netbook and the ‘Boot’ time trebled.

          I haven’t tried this.

          • #1273388

            Just so I understand, you are wondering if there is a program that makes this idiot-proof? Something that takes work away from your one-man shop? Something that affects your wallet?

            As Ron White says, “You can’t fix stupid”

          • #1273391

            I didn’t because I have a static IP address, so don’t need it. If you don’t know whether you have a static IP address, check with your ISP.

            My IP address is dynamic.

            I haven’t tried this.

            If you try it, read the instructions carefully.

            Hope you’re luckier than I was.
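      The hosts-file approach discussed in this sub-thread works because Windows consults the hosts file before it asks DNS, so a name mapped to 0.0.0.0 or 127.0.0.1 never reaches a resolver at all. The following PowerShell is an added example, not code from the thread or from the MVPS project: it parses a file in the MVPS layout, classifies each entry, and reports how a given name would be looked up. The sample hosts content, the example.net/example.org/example.com names, the temp-file path and the function names are all constructed for this example; the default hosts path is assumed to be the standard Windows location.

```powershell
# Added example (not code from the thread). Parses a hosts file in the layout the MVPS file uses
# ("0.0.0.0 hostname" or "127.0.0.1 hostname", '#' starts a comment) and shows what the file does
# to a lookup: the resolver consults hosts before DNS, so a blackholed name never reaches DNS.
# Assumption: the default hosts location; pass -Path to inspect a downloaded copy before installing it.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$BlackholeAddresses = @('0.0.0.0', '127.0.0.1', '::1')

function Get-HostsEntries {
    param([string]$Path = $HostsPath)
    $entries = @{}
    foreach ($line in @(Get-Content -Path $Path)) {
        $text = ($line -split '#', 2)[0].Trim()          # strip trailing comments and blank lines
        if ($text.Length -eq 0) { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }              # an address with no name is not an entry
        for ($i = 1; $i -lt $fields.Count; $i++) {
            $name = $fields[$i].ToLowerInvariant()
            # Duplicates are collapsed; this script keeps the first address listed for a name.
            if (-not $entries.ContainsKey($name)) { $entries[$name] = $fields[0] }
        }
    }
    return $entries
}

function Resolve-HostsName {
    param([Parameter(Mandatory = $true)][string]$Name, [hashtable]$Entries)
    $key = $Name.ToLowerInvariant()
    if (-not $Entries.ContainsKey($key)) { return 'dns' }             # no local entry: the OS asks DNS
    $address = $Entries[$key]
    # 127.0.0.1 for 'localhost' is the legitimate loopback entry, not a block.
    if ($key -ne 'localhost' -and $BlackholeAddresses -contains $address) { return 'blocked' }
    return "local:$address"                                            # a genuine local override
}

# Constructed sample in the MVPS layout, written to a temp file so the script runs without the real file.
$SamplePath = Join-Path $env:TEMP 'sample-hosts.txt'
@'
# Constructed sample for the example; these names are placeholders, not a real block list.
127.0.0.1 localhost
0.0.0.0 ads.example.net          # MVPS blocks by pointing the name at 0.0.0.0
0.0.0.0 tracker.example.net fakeav.example.org
192.0.2.10 intranet.example.com  # a real local override, not a block
'@ | Set-Content -Path $SamplePath

$entries = Get-HostsEntries -Path $SamplePath
$blocked = @($entries.Keys | Where-Object { (Resolve-HostsName -Name $_ -Entries $entries) -eq 'blocked' }).Count
"{0} names, {1} blackholed" -f $entries.Count, $blocked

foreach ($name in 'ads.example.net', 'FakeAV.example.org', 'intranet.example.com', 'www.example.com') {
    "{0,-24} -> {1}" -f $name, (Resolve-HostsName -Name $name -Entries $entries)
}
```

      Run `Get-HostsEntries -Path $HostsPath` against the installed file to see how many names the resolver has to load; that count is the first thing to look at when, as above, start-up slows down after installing a large list. A name that resolves to `blocked` here is stopped before any DNS filtering (OpenDNS included) gets a chance to see it, which is why the two measures complement rather than duplicate each other.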

    • #1273214

      Most home users, regardless of which version of Windows they are using, have a single account on the machine. Of course, this account has full admin rights. Set up your customers’ machines to have at least two accounts: one standard or unprivileged user with no admin rights, and one admin account. Have them use the standard account for all their day-to-day work. They can use the admin account once a month to install updates to Windows (and Firefox and whatever) or when they really do want to install software. This will prevent some drive-by infections and limit some others to only the standard account.

      Of course, when the UAC box pops up asking for the admin account password your customers may still just type it in instinctively. Or they may take the hint, or maybe they will be too lazy to type it in. It is pretty safe to tell them never to type the admin password into the UAC box, only use it when logging on as the admin user for monthly updates.

      One downside is that they will need to log into their “normal” account every time they boot, but their password can be just one letter (for both the standard and the admin accounts) and they will still be ahead.

      • #1273231

        Most home users, regardless of which version of Windows they are using, have a single account on the machine. Of course, this account has full admin rights. Set up your customers’ machines to have at least two accounts: one standard or unprivileged user with no admin rights, and one admin account. Have them use the standard account for all their day-to-day work. They can use the admin account once a month to install updates to Windows (and Firefox and whatever) or when they really do want to install software. This will prevent some drive-by infections and limit some others to only the standard account.

        Note that starting with Vista, a user account that is a member of the Administrators group does NOT have the same full admin rights as the built-in Administrator account. This is a big change from older Windows OSes.

        Joe
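      The two-account setup above, together with Joe’s point about Administrators members not holding a full token under UAC, can be set up and verified from a PowerShell prompt. This is an added example, not code from either poster: the account name ‘Daily’ is a placeholder, it assumes an elevated PowerShell on Vista or later, and it uses `net.exe` rather than newer cmdlets so the same lines work on every Windows version mentioned in this thread.

```powershell
# Added example (not code from the thread). Creates a standard account for day-to-day use next to the
# existing admin account and shows how to check what a session's token actually allows.
# Assumptions: run from an elevated PowerShell on Vista or later; the account name 'Daily' is a
# placeholder; net.exe is used because the same syntax works on every Windows version in this thread.
$DailyUser = 'Daily'

# 1. Create the account. The '*' makes net.exe prompt for the password instead of taking it on the
#    command line (where it would land in shell history). A new account joins the Users group only.
net user $DailyUser * /add

# 2. Confirm the daily account (new, or an existing one you are converting) is not also a member of
#    Administrators; if it is, the whole split is pointless.
function Get-LocalGroupMembers {
    param([string]$Group = 'Administrators')
    $adsiGroup = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    @($adsiGroup.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
}
if ((Get-LocalGroupMembers) -contains $DailyUser) {
    net localgroup Administrators $DailyUser /delete
}

# 3. What does the current session's token allow? With UAC on, a member of Administrators who has not
#    answered the elevation prompt runs with a filtered token, so this returns False until elevated.
#    Run it from the daily account and from the admin account (before and after elevating) to see the difference.
function Test-ElevatedToken {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# 4. UAC has to be on for the split to mean anything: with EnableLUA = 0 every admin gets a full token.
function Test-UacEnabled {
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy.EnableLUA -eq 1
}

"Administrators : {0}" -f ((Get-LocalGroupMembers) -join ', ')
"Elevated token : {0}" -f (Test-ElevatedToken)
"UAC enabled    : {0}" -f (Test-UacEnabled)
```

      The token check is the practical test of Joe’s note: logged on as an Administrators member with UAC on, `Test-ElevatedToken` returns False in a normal window and True only after the UAC prompt has been accepted, which is exactly the prompt the first post tells customers not to answer reflexively.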

        • #1273257

          It seems to me the term “drive-by download” is a bit redundant these days. Sure, back in the day IE6 (or was it even earlier?) could be configured to gleefully install any ActiveX control it came across, but unless it’s exploiting some unintentional security flaw, I understood that can’t happen anymore without direct user intervention.

          Anyway, I run Firefox with Adblock and Flashblock these days, so it’s all becoming a distant memory. (I feel bad sometimes about depriving sites of ad revenue, but I’d had just about enough of acai berry scams.)

    • #1273281

      I don’t suppose you could migrate some of your clients to Linux, could you?

      • #1273293

        I would like to endorse kehander’s comment and suggest adding the NoScript extension to his list. I have not seen a pop up/scripting problem for three/four years.

        With NoScript you need to positively allow a web site. Many sites notify you that scripting is required. You then decide if you want to allow it.

        Brian

    • #1273608

      (1) Use Google Chrome or Firefox and let them self-update.

      (2) Use Secunia PSI-2 and let it auto-update everything it can update. Manually update everything else on your computer at least once a month. Let MS Updates either auto-update, or at least notify you when there are updates available.

      (3) For Windows XP, use a HIPS Firewall. I like Comodo, since it has an optional Comodo DNS service. This does the same thing as OpenDNS, but requires Zero user intervention or setup. Comodo is free. Skip their AV or Internet Security, as Avast is better at this task. Under Windows 7, Microsoft Security Essentials is perfectly adequate. No third-party firewall is needed under Windows 7.

      (Yes, I am aware that Comodo DNS just got a bad report about handing out Security Certificates to some bad guys from Iran. This does not affect their DNS services in other countries than Iran, at last report. Concerned folks can stick with OpenDNS.)

      (4) In Firefox, use NoScript and Abine’s TACO-3 extensions. Both work under Firefox 4.0. Do not allow scripts except at familiar sites, and even there, only allow the bare minimum to see what you want to see. Ghostery also often will let you know if something is not right at a site. I found AdBlock Plus a bit too intrusive, but it does the job.

      (5) When Comodo puts up an alert, do not automatically Allow. Get more info through the popup balloon and any links it provides.

      (6) Consider Web of Trust or a similar reputation service.

      (7) Use Windows 7 and avoid Internet Explorer, even IE9. No ActiveX in other browsers.

      (8) Many routers offer security measures, including port limitations, stealthing, and not broadcasting your IP Address. Some can even do Packet Filtering.

      While none of these measures replaces Common Sense, taken together, these steps will prevent most web sites and ads from doing the most likely types of drive-by attacks. At least you will be better protected than the folks down the street. Criminals go after the softest targets, and sometimes the very hardest targets. (They like a challenge.)

      And do Deep File Scans with your AV and Antispyware products at least every couple of weeks. It takes a long time, but you may be surprised what shows up. I often am surprised, and I am no Newbie!

      -- rc primak

    • #1273669

      Closing the browser may not close the pop-up. Pulling the plug can cause many other problems, especially with other running apps or the browser itself. You can corrupt all sorts of things by doing this. I do not recall the exact method to open Task Manager in other OSes, but in Win 7 there are several ways: type Task Manager in the search bar and press Enter, or simply press Ctrl+Alt+Delete and then choose Task Manager. Once Task Manager opens, highlight the app and choose End Task. This will effectively end the pop-up without the need to click on it or take those other drastic measures.

