Right now, there is an abundance of web sites successfully serving malware to unsuspecting visitors. Is there a cure? Some researchers think so.
-------------------------------------------------------------------------------------BLADE (BLock All Drive-by download Exploits), the brainchild of researchers from College of Computing at Georgia Institute of Technology and SRI International, is positioned to help stem the tide of drive-by malware. A big deal according to Dasient.com, the company is tracking over 200 thousand different web-based malware threats.
What is drive-by malware?
I've written about this type of malware before. But, the team's research paper BLADE: An Attack-Agnostic Approach for Preventing Drive-By Malware infections (pdf) pointed out something I was not aware of:"The goal of the drive-by exploit is to take effective, temporary control of the client web browser for the purpose of forcing it to fetch, store, and then execute a binary application (e.g., .exe, .dll, .msi, .sys) without revealing to the human user that these actions have taken place."
The part about drive-by malware being a temporary conduit to get the desired malware loaded onto the computer was new to me. Let's look at how the researchers believe the process works.
It all starts when a hapless victim stumbles onto a compromised official web site or possibly a knock off of an official site that's serving drive-by malware. Next, the code injection process begins and consists of the following three phases:
- Shellcode injection phase: Code purposed to subvert the web browser is downloaded by exploiting a vulnerable component of the web browser.
- Shellcode execution phase: The downloaded code is then injected into the web browser process.
- Covert binary install phase: The web browser, now compromised, tries to retrieve malware from the attacker's web server. That code installs on the victim's computer and does all the damage we hear about.
The researchers also determined that drive-by malware somehow avoids the need for user permission to download and execute unsupported file type such as .exe, .dll, and .sys. With this information in hand, the research team developed BLADE.
BLADE's design criteria
BLADE a browser-independent operating system kernel extension designed to prevent unauthorized content execution. I interpret that to mean BLADE intercepts all downloaded content that has not been okayed by the user and prevents it from executing.
To accomplish that, the research team implemented the following in BLADE:
- Real-time user authorization capture and interpretation: The key to BLADE working properly, user-to-browser interaction is monitored to capture information pertaining to a user authorizing a download.
- Robust correlation between authorization and download content: BLADE must be able to distinguish between user-initiated web-browser downloads and unauthorized ones.
- Stringent enforcement of execution prevention: Unauthorized content must not be allowed to execute.
- Browser agnostic enforcement: BLADE must not rely on how a web browser should work. This is critical, because new web-browser technology is introduced all the time.
- Exploit and evasion independence: BLADE must also be independent of any exploit that attackers use to subvert the web browser.
- Efficient and usable system performance: Web-browser performance must not be compromised, nor any delays allowed. In fact, BLADE should not have a perceptible impact on any computer operation.
How BLADE operates
To spot unsolicited download attempts, BLADE places the following processes in kernel space,
- User-interaction tracking: BLADE uses a screen parser, hardware-event tracer, and a supervisor to track the user's physical interactions with the web browser, specifically when download authorization is asked for.
- Consent correlation: This process is required by BLADE to distinguish between transparent downloads and those requiring user permission.
- Disk I/O redirection: When BLADE locates un-authorized downloads, it redirects the code to a secure zone. The data is also prevented from loading into memory as an executable.
The following slide (courtesy of the research team) represents BLADE's system architecture.
The key ingredient that makes BLADE work is its ability to discern whether the download is authorized or not. How that's done is based on another fact that I did not know about web browsers.
What the research team has found is that web browsers use a well-defined process to implement download confirmations. That means an application like BLADE, looking specifically for download authorizations, would only need a few examples from the different web browser in order to recognize most download authorization attempts.
The following slide (courtesy of the research team) explains how BLADE checks for authorization:
For an in-depth analysis of each component, please refer to the research team's paper.
How effective is BLADE?
BLADE was tested using real-world circumstances as the following quote explains:
"Our testbed automatically harvests malware URLs from multiple whitehat sources on a daily basis and evaluates BLADE against potential drive-by URLs that were reported within the past 48 hours. To validate BLADE's browser and exploit independence, each URL is tested against multiple software configurations covering different browser versions and common plug-ins. System call and network traces are used to test for missed attacks (false negatives)."
The research team has a web page containing the results of their evaluation.Interestingly, their data seems to verify what other security experts have been saying about Adobe products:
According to the research paper, almost 19,000 trials have taken place, with zero false positives and zero false negatives. Meaning, BLADE prevented in-the-wild drive-by malware from installing in every case.Not a cure-all
BLADE is designed to block drive-by malware that tries to write to the hard drive. Right now, that works, as a majority of drive-by malware uses that approach. But, security experts are aware of certain threats that reside in memory only and BLADE will not recognize them.
Then there is malware that installs by leveraging social engineering. BLADE is of no help, as the user willingly agrees to the download.
Finally, developers have expressed concern that BLADE may break legitimate applications like Windows Update that download software in the background.Final thoughts
The research team's work points out once again how important it is to keep the operating system and all applications (specially Adobe products) up to date. With no vulnerabilities, drive-by malware cannot gain a foothold.
I did point out that BLADE will not solve every problem, but it has promise to be a good tool in our security arsenal. If you are interested, check back at the BLADE-Defender.org web site, as BLADE V1.0 (a free research prototype) will be available soon.
Michael Kassner is currently a systems manager for an international company. Together with his son, he runs MKassner Net, a small IT publication consultancy.