Software aims to whack drive-by malware threat

Researchers show off BLADE tool aimed at Internet Explorer and Firefox exploits

The nasty security attacks by drive-by malware are a growing threat to anyone who surfs across the Internet. For example, the Websense Security Lab recently said the number of Web sites with malicious software grew 225% in the last six months of 2009 alone and that most Web sites with malicious code are legitimate sites that have been hacked.

Researchers today will detail a software package known as Block All Drive-By Download Exploits (BLADE) whose main mission in life is to eliminate the drive-by malware threat.


Developed by Georgia Institute of Technology and SRI International researchers, BLADE "thwarts the ability of browser-based exploits to surreptitiously download and execute malicious content by remapping to the filesystem only those browser downloads to which a programmatically inferred user-consent is correlated. BLADE provides its protection without explicit knowledge of any exploits and is thus resilient against code obfuscation and zero-day threats that directly contribute to the pervasiveness of today's drive-by malware," the researchers state in a paper on BLADE that will be presented at the Association for Computing Machinery's Conference on Computer and Communications Security today.

Researchers said they evaluated BLADE on multiple versions and configurations of Internet Explorer and Firefox. BLADE successfully blocked all drive-by malware installation attempts from the more than 1,900 malicious websites tested. The software produced no false positives and required minimal resources from the computer. Major antivirus software programs caught less than 30% of the more than 7,000 drive-by download attempts from the same websites, the researchers stated.

"Furthermore, over the past six months we have tested BLADE against the newest 0-day drive-by exploit attacks within days of their release, and none have circumvented BLADE," the researchers claimed.

"BLADE monitors and analyzes everything that is downloaded to a user's hard drive to cross-check whether the user authorized the computer to open, run or store the file on the hard drive. If the answer is no to these questions, BLADE stops the program from installing or running and removes it from the hard drive," the researchers stated.

From the BLADE research paper: "A distinguishing aspect of the BLADE design is that it is both attack and browser agnostic in that it neither requires exploit signatures nor changes to the browsers. Rather, BLADE relies on limited semantic knowledge about a handful of user interface elements common across web browser applications. While our implementation is focused on browser protection, the approach could be generalized to other network-capable applications (such as email clients, instant messengers, media players) that are subject to drive-by exploits."
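The policy the two excerpts above describe, in a toy form: a browser process's file writes are committed to the real filesystem only when they can be correlated with a user-consent event (such as confirming a save dialog); writes with no matching consent are diverted to a quarantine area instead. This is an added illustration, not BLADE's own code, and the paper's details are not on this page: the consent window, the one-consent-per-file rule, the quarantine path layout and all class and event names are assumptions made for the example.

```python
"""
Toy model of consent-correlated download remapping.  Added example, not
BLADE's code: event shapes, the 30-second window and the quarantine layout
are all assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

CONSENT_WINDOW_SECONDS = 30.0     # assumed: how long a consent stays usable
QUARANTINE_ROOT = "/quarantine"   # assumed: holding area the browser cannot execute from


@dataclass
class ConsentEvent:
    """A programmatically inferred user consent (e.g. 'Save' was clicked)."""
    ts: float
    pid: int
    filename: str        # file name the dialog showed the user
    used: bool = False   # one consent authorises exactly one file


@dataclass
class WriteEvent:
    """A file the browser process is trying to place on disk."""
    ts: float
    pid: int
    path: str


@dataclass
class Decision:
    path: str            # where the bytes actually land
    allowed: bool        # True = committed to the real filesystem
    reason: str


class DownloadGuard:
    """Correlates browser writes with consent events and decides placement."""

    def __init__(self, window: float = CONSENT_WINDOW_SECONDS):
        self.window = window
        self.consents: Dict[int, List[ConsentEvent]] = defaultdict(list)

    def record_consent(self, ev: ConsentEvent) -> None:
        self.consents[ev.pid].append(ev)

    def _match(self, w: WriteEvent) -> Optional[ConsentEvent]:
        """Find an unused consent from the same process, for the same file
        name, that is not older than the window."""
        basename = w.path.rsplit("/", 1)[-1]
        for c in self.consents.get(w.pid, []):
            if c.used or c.filename != basename:
                continue
            if 0 <= w.ts - c.ts <= self.window:
                return c
        return None

    def on_write(self, w: WriteEvent) -> Decision:
        c = self._match(w)
        if c is None:
            # No correlated consent: remap the write into quarantine,
            # keyed by process so separate browser instances do not collide.
            q = "%s/%d/%s" % (QUARANTINE_ROOT, w.pid, w.path.lstrip("/"))
            return Decision(q, False, "no correlated user consent")
        c.used = True
        return Decision(w.path, True, "consent at t=%.1f" % c.ts)


def demo_results() -> List[Decision]:
    """Constructed event stream: one genuine save and three writes that
    should not reach the filesystem."""
    guard = DownloadGuard()
    pid = 4242  # constructed browser process id
    guard.record_consent(ConsentEvent(ts=10.0, pid=pid, filename="report.pdf"))
    guard.record_consent(ConsentEvent(ts=0.0, pid=pid, filename="old.zip"))
    writes = [
        WriteEvent(12.0, pid, "/home/u/Downloads/report.pdf"),  # user clicked Save
        WriteEvent(13.0, pid, "/home/u/Downloads/update.exe"),  # silent drop, no consent
        WriteEvent(14.0, pid, "/home/u/Downloads/report.pdf"),  # consent already spent
        WriteEvent(100.0, pid, "/home/u/Downloads/old.zip"),    # consent too old
    ]
    return [guard.on_write(w) for w in writes]


if __name__ == "__main__":
    for d in demo_results():
        print("ALLOW " if d.allowed else "QUARANTINE", d.path, "-", d.reason)
```

Note what the toy does not cover: in a real deployment the quarantine area must also be unreadable and non-executable for the browser and its children (the article says BLADE removes unauthorised files outright), and the consent signal has to come from the application's own UI elements rather than from anything page content can trigger, which is the part of BLADE's design the page only sketches.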

Researchers found the applications most frequently targeted by drive-by download exploits included Adobe Reader, Sun Java and Adobe Flash -- with Adobe Reader attracting almost three times as many attempts as the other programs. Computers using Microsoft's Internet Explorer 6 became infected by more drive-by downloads than those using versions 7 or 8, while Firefox 3 had a lower browser infection rate than all versions of Internet Explorer. Among the more than 1,900 active malicious websites tested, the Ukraine, United Kingdom and United States were the top three countries serving active drive-by download exploits.

The researchers noted that while BLADE is successful in thwarting drive-by download attempts, it will not prevent social engineering attacks.

In its next phase, the group said, it "will provide a free Internet release of BLADE for public use, which will extend our ability to harvest new malicious URLs and binaries and will help us further explore BLADE's compatibility across a larger range of computing environments and configurations."

Follow Michael Cooney on Twitter: nwwlayer8   


Copyright © 2010 IDG Communications, Inc.