The "No Network is 100% Secure" series
- Drive-by web site exploits -
A free, safe test
All rights reserved - may not be copied without permission
Easyrider LAN Pro, NOC Design Consultants
There is absolutely NO malware on this page!: Do not be alarmed by the various
demonstration messages and alerts on this page. And while there is absolutely no
malware on this page, always be aware that allowing ANY plug-in is a risky proposition
these days. Our advice is to always "just say NO!"
What is a drive by exploit?:
A drive-by is an action that is automatically performed on your computer without your
consent or even your knowledge. Unlike a pop-up, which asks for assent (albeit
in a calculated manner likely to lead to a "yes"), a drive-by can be initiated by
simply visiting a Web site or viewing an HTML e-mail message. If your computer's
security settings are lax, it may be possible for drive-by exploits to be performed
without any action on your part.
In addition to downloading malware, drive-by sites commonly probe a visiting
computer to see if it has any one of dozens of known vulnerabilities, including
vulnerabilities for which there is currently no patch. It is estimated that any
given computer will have an average of eight vulnerabilities, any one of which
could allow that computer to be compromised. It is important to note that a large
percentage of drive-by sites are legitimate web sites that have themselves been
compromised, typically via an SQL injection exploit.
Drive-by infections are a major security issue. In April 2007, researchers at Google
discovered hundreds of thousands of Web pages that initiated drive-by exploits. One
in ten pages was found to be suspect. Sophos researchers in 2008 reported that they
were discovering more than 6,000 new infected Web pages every day, or about one every
14 seconds. Many of these infections are connected to botnets, in which each PC is
turned into a zombie that may then be directed to further malicious activity, like
spam or DDoS attacks.
This page collects (and displays, for your review) the same types of information
that malicious web sites use to attack visiting computers. That information is used
to tailor an attack strategy: not only are the browser and operating system probed
for vulnerabilities, drive-by sites also try to learn about every installed
application or plug-in that might be vulnerable to attack.
Demonstration: For demonstration purposes, we have disabled the use of your
ALT key on this page. This should give you some idea of just how much control hackers
have over your browsing session and, in fact, over your entire computer. It would be
trivial to remap certain keys to get you to unwittingly download a virus, but in
reality there are easier ways to infect your computer without your knowledge. Assume
that we have also disabled your mouse (again, trivial to do). Try shutting down
your browser session with ALT-F, Close. Doesn't work, huh? Sure, there are
ways around what we did (this time)... but you can be sure that hackers would plug
all of the back doors so that you would be 100% under their control.
Starting to understand why these drive-by sites are so insidious?
Listed below is just some of the information that miscreant hackers know about you
when you visit a hacked web site. These sites silently check whether any operating
system, application, plug-in or other software on your computer is vulnerable.
If a vulnerability is found, it is immediately exploited. Users no longer
have to actually do something (e.g. open an e-mail attachment) to have a virus or
trojan installed on their computer.
Check your vulnerability to a drive-by exploit: Click on
the "How vulnerable am I?" button above to run a (completely safe) test.
If a new window does NOT open, you are about as safe as you can be, at least until
these hackers come up with some new exploit. Note that you still need to have ALL
of your software (not just the operating system) patched to the latest level
since there are lots of other ways to pick up trojans and viruses besides visiting
a compromised, infected drive-by web site.
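The "How vulnerable am I?" test above runs in your browser and is not reproduced here. As an added example (not code from the original page or from Easyrider LAN Pro), the following script shows the same kind of self-inventory from the defender's side: it takes the plug-in list a browser reports and compares each version against a baseline of minimum patched versions. The baseline numbers, the product name patterns and the sample plug-in list are constructed placeholders for illustration; a real check would take its minimums from current vendor advisories.

```javascript
// Added example, not code from the original page or its "How vulnerable am I?"
// test: a self-inventory that compares the plug-in versions a browser reports
// against a baseline of minimum patched versions. The baseline and the sample
// plug-in list are CONSTRUCTED placeholders; a real check would take its
// minimums from current vendor advisories. Runs under Node as pure functions;
// in a browser you would pass Array.from(navigator.plugins) instead of the sample.

// Parse the first dotted number in a string ("Adobe Reader 9.2.0" -> [9, 2, 0]).
// Returns null when no version-like token is present.
function parseVersion(text) {
  const m = String(text).match(/\d+(?:\.\d+)*/);
  return m ? m[0].split('.').map(Number) : null;
}

// Compare two parsed versions component-wise; missing components count as 0,
// so 9.2 equals 9.2.0. Returns -1, 0 or 1 like a sort comparator.
function compareVersions(a, b) {
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Constructed baseline: which plug-in names to recognise and the lowest version
// treated as patched. The numbers are illustrative, not vendor data.
const BASELINE = [
  { product: 'Adobe Reader/Acrobat', match: /Adobe (?:Acrobat|Reader|PDF)/i, minVersion: '9.3.0' },
  { product: 'Java',                 match: /Java/i,                          minVersion: '6.0.17' },
  { product: 'Flash',                match: /Shockwave Flash/i,               minVersion: '10.0.42' },
];

// plugins: [{ name, description, version? }] as navigator.plugins exposes them.
// Returns one report entry per plug-in with a status of
// 'current', 'outdated', 'unknown-version' or 'no-baseline'.
function assessPlugins(plugins, baseline = BASELINE) {
  return plugins.map((p) => {
    const desc = p.description || '';
    const rule = baseline.find((r) => r.match.test(p.name) || r.match.test(desc));
    if (!rule) return { name: p.name, status: 'no-baseline' };
    // Prefer an explicit version field; fall back to digits in the description or name.
    const version = parseVersion(p.version || desc || p.name);
    if (!version) return { name: p.name, product: rule.product, status: 'unknown-version' };
    const cmp = compareVersions(version, parseVersion(rule.minVersion));
    return {
      name: p.name,
      product: rule.product,
      version: version.join('.'),
      status: cmp < 0 ? 'outdated' : 'current',
    };
  });
}

// Names of the products that need patching, for a short summary line.
function outdatedProducts(plugins, baseline = BASELINE) {
  return assessPlugins(plugins, baseline)
    .filter((r) => r.status === 'outdated')
    .map((r) => r.product);
}

// Constructed sample shaped like a 2009-era navigator.plugins listing.
const SAMPLE_PLUGINS = [
  { name: 'Adobe Acrobat', description: 'Adobe PDF Plug-In For Firefox and Netscape "9.2.0"' },
  { name: 'Java Deployment Toolkit 6.0.170.4',
    description: 'NPRuntime Script Plug-in Library for Java(TM) Deploy', version: '6.0.170.4' },
  { name: 'Shockwave Flash', description: 'Shockwave Flash 10.0.32' },
  { name: 'QuickTime Plug-in 7.6.4', description: 'Plays multimedia content' },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.table(assessPlugins(SAMPLE_PLUGINS));
  console.log('Needs patching:', outdatedProducts(SAMPLE_PLUGINS));
}
```

Run with `node plugins.js` to print the table for the constructed sample; in a browser console, `assessPlugins(Array.from(navigator.plugins))` gives the same report for the plug-ins actually installed (recent browsers expose only a fixed, short list through this API, so the check is most useful for the older browsers the page has in mind).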
Here's another safe little test you can try:
Click on
http://easyrider.easyrider.com/hackers_white_paper.htm
There is no malicious code on this page! However, around 80,000 legitimate
business, church, government and other web sites are currently and unknowingly infected
with SQL or JavaScript injections. Clicking on the above link simulates what happens
during a so-called "drive-by" infection, except that if you were really
infected, you'd never know it. You'd be automatically and instantly
redirected to a criminal web site where your computer, browser and various installed
applications would be quietly probed for any of dozens of common
vulnerabilities. If one or more vulnerabilities are detected, they will
immediately and silently be exploited and poof!... your computer is
infected. If your browser allows the above URL to come up unchallenged,
your users are definitely vulnerable to drive-by exploits. Again, this
web page is 100% safe. It is merely a test case example. NOTE: if your AV software
scans web sites for safety, in most cases it will not detect this type of drive-by,
since the first thing the drive-by does is send your browser to a different web site.
It's all over but the crying before your AV software knows what happened.
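The redirect test above, the note that AV web scanning misses it, and the earlier ALT-key demonstration all describe things an injected page does to a visitor. As an added example (not code from the original page or from Easyrider LAN Pro), the script below is a static scan a site owner can run over their own fetched pages before any browser executes them: it flags off-site HTTP redirects, meta-refresh and script-driven navigation to another host, hidden third-party iframes, decode-then-execute obfuscation idioms, and a heuristic for key handlers that swallow Alt combinations. The hostnames, page bodies and the "own hosts" list are constructed for the example.

```javascript
// Added example, not code from the original page: a static scan of a fetched
// page for the injection and redirection patterns the text describes, meant for
// checking a site you administer. Hostnames and page bodies below are CONSTRUCTED.

// Hypothetical: hosts that count as "our own" for the site being checked.
const OWN_HOSTS = ['www.example-shop.test'];

// Hostname of a (possibly relative) URL, or null if it cannot be parsed.
function hostOf(url, base) {
  try { return new URL(url, base).hostname; } catch { return null; }
}

// True when a URL leads the visitor to a host we do not control.
function isOffsite(url, base) {
  const host = hostOf(url, base);
  return host !== null && !OWN_HOSTS.includes(host);
}

// Scan one HTTP response: { url, status, headers (lower-case keys), body }.
// Returns a list of findings; an empty list means none of the patterns fired.
function scanResponse({ url, status, headers = {}, body = '' }) {
  const findings = [];

  // 1. Server-side redirect off-site: the visitor never sees the real page.
  if (status >= 300 && status < 400 && headers.location && isOffsite(headers.location, url)) {
    findings.push({ type: 'http-redirect', target: headers.location });
  }

  // 2. <meta http-equiv="refresh" content="0;url=..."> to another host.
  const metaRe = /<meta[^>]*http-equiv\s*=\s*["']?refresh["']?[^>]*content\s*=\s*["']?\s*\d+\s*;\s*url\s*=\s*([^"'>\s]+)/gi;
  for (const m of body.matchAll(metaRe)) {
    if (isOffsite(m[1], url)) findings.push({ type: 'meta-refresh', target: m[1] });
  }

  // 3. Hidden iframes (zero-sized or display:none) pulling third-party content,
  //    the classic shape of an injected drive-by loader.
  for (const m of body.matchAll(/<iframe\b[^>]*>/gi)) {
    const tag = m[0];
    const src = (tag.match(/src\s*=\s*["']?([^"'>\s]+)/i) || [])[1];
    const hidden = /(?:width|height)\s*=\s*["']?0\b/i.test(tag)
      || /display\s*:\s*none|visibility\s*:\s*hidden/i.test(tag);
    if (src && hidden && isOffsite(src, url)) findings.push({ type: 'hidden-iframe', target: src });
  }

  // 4. Script-driven navigation to another host.
  const navRe = /(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']|location\.replace\(\s*["']([^"']+)["']\s*\)/gi;
  for (const m of body.matchAll(navRe)) {
    const target = m[1] || m[2];
    if (isOffsite(target, url)) findings.push({ type: 'script-redirect', target });
  }

  // 5. Obfuscation idioms (decode-then-execute) that ordinary pages rarely need.
  //    The payload stays opaque until the browser runs it, which is why a
  //    signature-based scan of the page often misses it, as the text notes.
  const obfRe = /(?:eval|document\.write)\s*\(\s*(?:unescape|atob)\s*\(|String\.fromCharCode\s*\((?:\s*\d+\s*,){8,}/gi;
  const obfHits = [...body.matchAll(obfRe)].length;
  if (obfHits > 0) findings.push({ type: 'obfuscated-script', count: obfHits });

  // 6. Heuristic for the keyboard-hijack trick described above: a key handler
  //    that swallows Alt combinations so the visitor cannot close the window.
  if (/onkeydown|addEventListener\(\s*["']keydown/i.test(body) && /altKey/.test(body)
      && /preventDefault|return\s+false/.test(body)) {
    findings.push({ type: 'key-hijack' });
  }

  return findings;
}

// Constructed sample responses standing in for pages fetched from the site.
const SAMPLES = {
  clean: {
    url: 'http://www.example-shop.test/', status: 200, headers: {},
    body: '<html><body><a href="/cart">Cart</a>'
        + '<iframe src="/promo/inner.html" width="300" height="250"></iframe></body></html>',
  },
  injected: {
    url: 'http://www.example-shop.test/products.asp', status: 200, headers: {},
    body: '<html><body>Welcome'
        + '<iframe src="http://exploit-kit.example/in.php" width=0 height=0></iframe>'
        + '<script>document.write(unescape("%3Cscript%3E..."));'
        + 'document.onkeydown=function(e){if(e.altKey){return false;}};'
        + 'window.location="http://exploit-kit.example/go";</script></body></html>',
  },
  redirected: {
    url: 'http://www.example-shop.test/', status: 302,
    headers: { location: 'http://exploit-kit.example/' }, body: '',
  },
};

// Convenience wrapper returning just the finding types, sorted, for one sample.
function findingTypes(sample) {
  return scanResponse(sample).map((f) => f.type).sort();
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, sample] of Object.entries(SAMPLES)) {
    console.log(name, findingTypes(sample));
  }
}
```

Feed `scanResponse` with the status, headers and body of each page as fetched with redirects disabled (so the 3xx check sees the Location header rather than following it); a non-empty result on a page you did not publish that way is the same "silently sent somewhere else" behaviour the test link demonstrates, caught on the server side before a visitor's browser has to run it.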
An important note, and worth repeating: you or your users don't need
to actually do anything to be infected by many of the viruses and trojans
out there, such as Gumblar. Simply visiting a legitimate site such as Walmart or
whitehouse.gov, if it's been compromised, is all it takes. There are some 80,000
of these perfectly legitimate web sites that are currently and unknowingly
compromised. Once you visit a compromised web site, that's it. You don't
have to click on anything... you don't have to do a single thing. And
in fact, there's not a thing you can do to prevent getting infected at this point. If
your computer is vulnerable to any one of dozens of exploits... some of which do not
even have patches available to fix them, you're cooked!
Adobe confirms PDF zero-day attacks. Disable JavaScript now!: If you're like me,
you probably regret ever installing Adobe. It seems like it's just one vulnerability
after another with these guys... and most of the time (like now) there is no patch
to correct the problem. Worse still, there is little to no detection of these
malicious PDF files from most of the major antivirus vendors.
Malicious hackers are exploiting a zero-day (unpatched) vulnerability in Adobe's
ever-present PDF Reader/Acrobat software to hijack data from compromised computers.
According to an advisory from Adobe, the critical vulnerability exists in Adobe Reader
and Acrobat 9.2 and earlier versions. It is being exploited in the wild as of 12/11/09.
This latest vulnerability is actually in a JavaScript function within Adobe Acrobat
[Reader] itself. Furthermore, the JavaScript in the malicious PDFs is obfuscated inside
a zlib stream, which makes universal detection and intrusion detection signatures much
more difficult. In the interim, Adobe PDF Reader/Acrobat users are urged to immediately
disable JavaScript:
Click: Edit -> Preferences -> JavaScript and uncheck Enable Acrobat JavaScript
Or, better yet, use an alternative PDF Reader software program.
About the Author
Frank Saxton is a computer network security engineer and Easyrider LAN Pro principal. Home-based in Portland, Oregon, Frank has been designing remote diagnostic and network enterprise monitoring centers since the late 1970s. Prior to becoming a professional systems engineering consultant in 1990, Frank had a 20-year career in computer systems field engineering and field engineering management. Frank has a BSEE from Northeastern University and holds several certifications including Network General's Certified Network Expert (CNX). As a NOC design engineer and architect, Frank works regularly with enterprise-class monitoring tools such as HP OpenView Operations, BMC Patrol and others. In his enterprise security audit work, Frank uses sniffers and other professional-grade monitoring tools on a daily basis.
Last modified March 25, 2009
Copyright 1990-2009 Easyrider LAN Pro