Defending against drive-by downloads

View a web page, get infected with malware.

Websense Security Labs recently reported that eWeek.com, the website of the computer magazine, was hosting malicious ads (which have since been removed). The ads didn't originate at eWeek.com; their true source was the DoubleClick ad network, but that's of little comfort to viewers of the website. The ads redirected users to a malicious website that automatically started installing software: a drive-by download.

There are a ton of ways to defend against this.

Under Windows XP, I'm a big fan of defending against drive-by downloads by running Firefox in restricted mode. Even when logged on to Windows as an administrative class user, any application can be forced to run in restricted mode using DropMyRights. I blogged extensively about DropMyRights back in August 2007. Steve Gibson raved about DropMyRights in the December 25, 2008 edition of his Security Now podcast. DropMyRights isn't perfect, but you are safer with it than without it.

A better solution is Sandboxie, one of a number of application virtualization products. The most popular virtualization products to date virtualize an entire operating system. In contrast, application virtualization products are less ambitious: they focus on a single application. Sandboxie can virtualize any Windows process, but it was originally developed to virtualize Internet Explorer, to protect against assorted browser-based exploits.

If used correctly, Sandboxie can offer great, all but ironclad, protection from drive-by downloads.

For starters, it can roll back all system changes made by an application running in a virtualized sandbox. On top of this, it can restrict which applications are allowed to run in the sandbox and/or restrict Internet access by programs running in the sandbox. For example, you can define a sandbox that can only run Firefox. Period. If any other programs try to run in the sandbox, Sandboxie stops them cold. What more could you ask for?  
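The "only Firefox may run, only Firefox may reach the network" sandbox described above, written out as a Sandboxie.ini box definition. This is an added example, not configuration from the post; the section layout and the ClosedIpcPath/ClosedFilePath spellings are assumed from the Sandboxie.ini format of that era and should be checked against the version you install.

```ini
; Constructed example of a locked-down sandbox for Sandboxie.ini (not from the post).
; Assumed setting names (verify against your Sandboxie version's documentation):
;   ClosedIpcPath=!prog,*                       every program except prog is stopped from starting
;   ClosedFilePath=!prog,InternetAccessDevices   every program except prog is denied Internet access
[FirefoxBox]
Enabled=y
; Start/Run restriction: only firefox.exe may start inside this sandbox.
; A dropper spawned by a malicious page is blocked before it executes.
ClosedIpcPath=!firefox.exe,*
; Internet restriction: only firefox.exe may open the network from inside the box,
; so anything that does get in cannot phone home or fetch a second stage.
ClosedFilePath=!firefox.exe,InternetAccessDevices
```

Everything the browser writes stays inside the sandbox and is discarded when the box is deleted, which is the rollback the post describes.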

The downside to Sandboxie is the time and effort required to get up to speed on application virtualization, both in terms of the concepts and actually using the software. It's not a set-it-and-forget-it thing. If, however, you make the effort to familiarize yourself with Sandboxie, you will be well rewarded.

There is a free and a commercial version of Sandboxie. The free version is missing only a handful of features. One restriction in the free version is that you can only have one sandbox running at a time. Sandboxie runs under Windows 2000, XP, 2003 and 32-bit versions of Vista.

I hope to blog much more about Sandboxie. It's great.

MALWARE FROM MANY SOURCES

eWeek is not the first well meaning website to offer up malicious ads, and it won't be the last. But you can also invite malware into your machine.

Back in November, Randy Abrams, Director of Technical Education for ESET (the company behind NOD32), wrote that CNET's download.com was "hosting two notorious spyware/adware programs" despite the assurance that they had been "Tested Spyware Free" (Watch Out For "Good" Download Sites). He wrote that CNET removed the malicious software in "a very timely manner" when notified about it, and suggested some organizations, such as ICSA and West Coast Labs, that evaluate anti-malware software.

Never heard of these organizations? Get your software reviews from PC Magazine? From ZDNet? Like CNET, they too are obviously reputable organizations. But you can't trust everything you read at their websites - because you may not be at their websites. New malware zaps Windows machines so that you're not at the website you think you are. More on that soon.

Updated March 1, 2009.  Added explanation of application virtualization.
