Google whitepaper on drive-by downloads

A comprehensive whitepaper on drive-by downloads (PDF) has been published on the Google Online Security Blog. The key points in brief:

Drive-by downloads are caused by URLs that attempt to exploit their visitors and cause malware to be installed and run automatically. Our analysis of billions of URLs over a 10 month period shows that a non-trivial amount, of over 3 million malicious URLs, initiate drive-by downloads. An even more troubling finding is that approximately 1.3% of the incoming search queries to Google’s search engine returned at least one URL labeled as malicious in the results page.

Some drive-by downloads arrive through embedded banner advertisements:

Today, the majority of Web advertisements are distributed in the form of third party content to the advertising web site. This practice is somewhat worrisome, as a web page is only as secure as its weakest component. In particular, even if the web page itself does not contain any exploits, insecure Ad content poses a risk to advertising web sites.

The distribution paths of the malware can be very convoluted:

The landing page in our example refers to a Dutch radio station’s web site. The radio station in question was showing a banner advertisement from a German advertising site. Using JavaScript, that advertiser redirected to a prominent advertiser in the US, which in turn redirected to yet another advertiser in the Netherlands. That advertiser redirected to another advertisement (also in the Netherlands) that contained obfuscated JavaScript, which when un-obfuscated, pointed to yet another JavaScript hosted in Austria. The final JavaScript was encrypted and redirected the browser via multiple IFRAMEs to adxtnet.net, an exploit site hosted in Austria. This resulted in the automatic installation of multiple Trojan Downloaders.
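The redirect chain quoted above is the kind of structure a defender wants to reconstruct from a crawl: which third-party hosts a landing page ends up pulling in, and where the chain terminates. The following is an added example written for this post (not code from the whitepaper or from Google); it runs offline over a constructed set of pages with placeholder hostnames and follows iframe and script includes breadth-first, capping the depth so a cyclic chain cannot loop forever.

```python
import re
from urllib.parse import urljoin, urlparse

# Constructed sample corpus (placeholder hosts, not the sites named in the
# whitepaper): a landing page embeds a third-party ad, which loads further
# frames and scripts until a final exploit host is reached.
PAGES = {
    "http://radio.example.nl/":
        '<html><body><iframe src="http://ads.example.de/banner.html"></iframe></body></html>',
    "http://ads.example.de/banner.html":
        '<script src="http://bigads.example.com/s.js"></script>',
    "http://bigads.example.com/s.js":
        'document.write(\'<iframe src="http://ad2.example.nl/x.html"></iframe>\')',
    "http://ad2.example.nl/x.html":
        '<iframe src="http://exploit.example.at/e.html" width="0" height="0"></iframe>',
    "http://exploit.example.at/e.html":
        '<script>/* final stage would be served from here */</script>',
}

# Matches the src attribute of <iframe> and <script> tags, including tags
# that appear as string literals inside document.write() calls.
REF_RE = re.compile(r'<(?:iframe|script)[^>]*\ssrc=["\']([^"\']+)["\']', re.I)

def trace_chain(start, fetch, max_depth=10):
    """Follow iframe/script includes from `start` and return the ordered list
    of (url, host) hops. `fetch(url)` returns the body or None. The depth cap
    stops the walk if the chain loops back on itself."""
    chain, seen, frontier = [], set(), [start]
    while frontier and len(chain) < max_depth:
        url = frontier.pop(0)
        if url in seen:
            continue
        seen.add(url)
        chain.append((url, urlparse(url).hostname))
        body = fetch(url)
        if body is None:
            continue
        for ref in REF_RE.findall(body):
            frontier.append(urljoin(url, ref))
    return chain

def third_party_hosts(chain):
    """Hosts in the chain other than the landing page's own host: the set the
    landing page has implicitly delegated its security to."""
    landing = chain[0][1]
    return [host for _, host in chain[1:] if host != landing]
```

Pass a real HTTP fetcher instead of `PAGES.get` to run it against a crawl; the final hop in the returned chain is the host whose content actually reaches the visitor's browser.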

Antivirus programs provide only inadequate protection against drive-by downloads:

The graph reveals that the detection capability of the anti-virus engines is lacking, with an average detection rate of 70% for the best engine. These results are disturbing as they show that even the best anti-virus engines in the market (armed with their latest definitions) fail to cover a significant fraction of web malware.

So what can you do to protect yourself? As already mentioned recently in the post about WoW trojans, you should stop browsing with Internet Explorer and use Firefox instead, together with the NoScript and Adblock Plus extensions.
