The online version of Technology Review today carries a story I wrote about a government funded research group that is preparing to release a new free tool designed to block “drive-by downloads,” attacks in which the mere act of visiting a hacked or malicious Web site results in the installation of an unwanted program, usually without the visitor’s consent or knowledge.
The story delves into greater detail about the as yet unreleased software, called “BLADE,” (short for Block All Drive-By Download Exploits). That piece, which explores some of the unique approaches and limitations of this tool, is available at this link here.
As I note in the story, nearly all of the sites that foist these drive-by attacks have been retrofitted with what are known as “exploit packs,” or software kits designed to probe the visitor’s browser for known security vulnerabilities. Last month, I shared with readers a peek inside the Web administration panel for the Eleonore exploit pack — one of the most popular at the moment.
The BLADE research group has been running their virtual test machines through sites infected with Eleonore and a variety of other exploit packs, and their findings reinforce the point I was trying to make with that blog post: That attackers increasingly care less about the browser you’re using; rather, their attacks tend to focus on the outdated plugins you may have installed.
That attackers increasingly care less about the browser you’re using; rather, their attacks tend to focus on the outdated plugins you may have installed.
But Blade still has compatibility problems with other software, according to RSnake: http://www.technologyreview.com/computing/24632/?a=f
How useful is a tool like this? Security Researcher Robert ‘RSnake’ Hansen goes on “This might work perfectly in a VM Laboratory situation, but it is quite something different to try it out on a user machine environment”, says Hansen. According to his opinion it could well be BLADE ruins the functionality of legit applications. And also Sunbelt Software’s Eric Howes warns for the danger of quite a number of FPs, in the case of a background application is trying to perform an update to just give an example of an incompatibility.
Then BLADE does not protect against social engineering attacks, where the user is being tempted to install malware, and threats that hide within memory. The tool has been designed that it blocks only while the malware writes to the user’s HD. Most malware does this, but also threats are known that work only from within memory. Well the tool may be functional, according to Hansen. “These kind of tools are fine as an additional layer of defense, but it cannot be a cure-for-all-malcode.” When the software will be out is not known yet,
