An Attack-Agnostic Approach for Preventing Drive-By Malware Infections
Long Lu (1), Vinod Yegneswaran (2), Phillip Porras (2), Wenke Lee (1)
(1) Georgia Tech, (2) SRI International
Oct. 6th, 2010
BLADE: An Attack-Agnostic Approach for Preventing Drive-By Malware Infections, L. Lu et al.
17th ACM Conference on Computer and Communications Security

Slide 2: Malware Propagation Facts
• One common path: the Internet
• Two fundamental approaches: drive-by download vs. social engineering
• Drive-by download
  • Most favored by today's attackers
  • Accounts for more than 60% of malware infections [ISC09, Dasient10, Google10]

Slide 3: Drive-by Download
• Definition: Drive-by Download - An attack in which the mere connection to a website results in the installation of a binary executable without the web user's authorization.
• A click-then-infect scheme
• Exploits client-side vulnerabilities
• Strong penetration, silent infection, easy to launch

Slide 4: Regular browsing & downloading
Go to www.a.com: HTTP requests go out, HTTP responses come back, and the browser automatically saves and renders supported file types (*.html, *.js, *.jpeg, etc.).

Slide 5: Regular browsing & downloading
Go to www.a.com/a.exe: the HTTP response carries "Content-Type: application/octet-stream" and the browser shows a dialog ("Save x.exe from a.com?"). The browser asks for user consent before saving unsupported file types (*.exe, *.zip, *.dll, etc.).
Slide 6: Drive-by download attack
Go to www.compromised.com: HTTP requests and responses flow as usual, but further requests are issued without the user's consent and a response comes back from the malware host.
Essential steps: 1. Exploit 2. Download 3. Execute
No user consent required!

Slide 7: Observations
Browsers handle
• supported content automatically
• unsupported content based on the user's permission
Golden Rule: Browsers should never automatically download and execute binary files without user consent.
All drive-by downloads inevitably break this rule. No drive-by download will succeed if this rule holds.

Slide 8: BLADE Approach
• Goal: eliminate drive-by malware infections
• Approach: unconsented execution prevention
• Exploit and vulnerability agnostic
• Browser independent
Essential steps: 1. Exploit 2. Download 3. Execute
BLADE mechanisms: user intent tracking, consented download correlation, unconsented download execution prevention

Slide 9: BLADE Design
Assumptions:
• Browsers may be fully compromised
• OS is trusted
• H/W is trusted
Design choices:
• BLADE is designed as a kernel driver
• User intents are inferred from H/W and window events
• Consented downloads are correlated and verified
• Unconsented downloads are contained in the "Secure Zone"
Slide 10: BLADE Architecture
Diagram labels: User interaction; Input Device Driver; Screen I/O (Windowing); File I/O (FileSys View); Net I/O (Transport Driver); BLADE Supervisor, containing the H/W Evt Tracer, Screen Parser, I/O Redirector and Correlator; File System; Secure Zone.

Slide 11: How it works – regular download
• Screen Parser: locate consent button(s); parse correlation information
• H/W Evt. Tracer: monitor mouse and keyboard input
• I/O Redirector: redirect disk writes from browsers
• Correlator: discover the candidate file and verify its origin; map it to the regular file system
Diagram labels: FileSys View, File System, Secure Zone

Slide 12: How it works – drive-by download
• I/O Redirector: redirect disk writes from browsers
• I/O Redirector: alert when execution is attempted
Diagram labels: FileSys View, Secure Zone

Slide 13: Implementations
• Screen Reader
  • Monitors certain windowing events
  • Parses internal composition of consent dialogues

Slide 14: Implementations
• H/W Event Tracer
  • Resides above device drivers
  • Listens to IRPs
Diagram labels: OS I/O Mgr., H/W Evt. Tracer, Input Driver
Slide 15: Implementations
• I/O Redirector
  • Built as a file system mini-filter
  • Redirects file accesses
  • Provides a merged view
• Correlator
  • Uses the transport driver interface
  • Records streams coming from download sources
  • Content-based correlation and verification

Slide 16: Empirical Evaluation
• An automated test bed
• Harvests new real-world malicious URLs daily
• VMs with various software configurations
Results: 3 months, 18896 visits, 7925 defended, 0 missed

Slide 17: Empirical Evaluation
VirusTotal detection rate: detected 33%, missed 67%
Most targeted applications: Adobe Reader 58%, Sun Java 22%, Internet Explorer 11%, Adobe Flash 9%

Slide 18: Attack Coverage Evaluation
• Using 19 specifically hand-crafted exploits
• Covering all common exploitation techniques
• Targeting diverse vulnerabilities (11 zero-days)
• BLADE prevented all 19 infection attempts

Slide 19: Security analysis
• Potential ways to evade/attack BLADE
  • Spoofing attacks: fake GUI; fake user response
  • Download hijacking: replace download file; piggybacking
  • Coercing attacks: execute in Secure Zone; evade I/O redirection
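To make the decision logic of slides 7, 8, 11, 12 and 15 concrete, and to show why the "replace download file" case of slide 19 fails the correlator's content check, here is an added user-space model written for this page. It is illustration only, not the BLADE driver's code: BLADE is a Windows kernel driver, and this toy reproduces its policy (redirect browser writes into a Secure Zone, release a file only when a consent event and a recorded download stream both vouch for it, refuse execution of anything still in the zone) in ordinary Python. The class and method names (BladeModel, file_write, execute, run_scenarios), the use of SHA-256 for content matching, matching consent to file by base name, and the sample bytes and host names are all assumptions constructed for the example.

```python
import hashlib
import posixpath
from dataclasses import dataclass


@dataclass
class Consent:
    """A consent click: the H/W event tracer saw a real click and the screen
    parser read the file name and origin from the dialog (assumed format)."""
    filename: str
    origin: str


@dataclass
class Stream:
    """A download stream the correlator recorded from a network source."""
    origin: str
    data: bytes


class BladeModel:
    """User-space stand-in for the BLADE supervisor (assumption, not BLADE code)."""

    def __init__(self, browser_pids):
        self.browser_pids = set(browser_pids)
        self.consents = []      # consent events not yet matched to a file
        self.streams = []       # recorded download streams
        self.secure_zone = {}   # path -> bytes: browser writes are held here
        self.real_fs = {}       # path -> bytes: what the rest of the OS sees
        self.alerts = []

    # Event sources (intent tracking and stream recording).
    def user_consented(self, filename, origin):
        self.consents.append(Consent(filename, origin))

    def stream_received(self, origin, data):
        self.streams.append(Stream(origin, bytes(data)))

    # I/O redirector: browser writes never reach the real file system directly.
    def file_write(self, pid, path, data):
        data = bytes(data)
        if pid not in self.browser_pids:
            self.real_fs[path] = data
            return "regular"
        self.secure_zone[path] = data
        return "verified" if self._correlate(path, data) else "secure_zone"

    # Correlator: consent + stream from the consented origin + identical bytes.
    def _correlate(self, path, data):
        digest = hashlib.sha256(data).digest()
        name = posixpath.basename(path)
        for consent in self.consents:
            if consent.filename != name:
                continue
            for stream in self.streams:
                if (stream.origin == consent.origin
                        and hashlib.sha256(stream.data).digest() == digest):
                    self.real_fs[path] = data          # map into regular FS
                    del self.secure_zone[path]
                    self.consents.remove(consent)      # a consent is used once
                    self.streams.remove(stream)
                    return True
        return False

    # Execution prevention: anything still in the Secure Zone is refused.
    def execute(self, path):
        if path in self.secure_zone:
            self.alerts.append(f"blocked execution of unconsented file {path}")
            return False
        return path in self.real_fs


def run_scenarios():
    """Three constructed scenarios; returns the outcome of each by name."""
    BROWSER = 1234                              # constructed browser pid
    installer = b"MZ" + b"\x90" * 64            # constructed stand-in binary
    payload = b"MZ" + b"\xcc" * 64              # constructed stand-in payload
    results = {}

    # 1. Regular download: consent, matching stream, identical content.
    b = BladeModel([BROWSER])
    b.user_consented("setup.exe", "www.a.com")
    b.stream_received("www.a.com", installer)
    state = b.file_write(BROWSER, "/home/user/Downloads/setup.exe", installer)
    results["regular"] = (state, b.execute("/home/user/Downloads/setup.exe"))

    # 2. Drive-by: the browser writes a file with no consent event at all.
    b = BladeModel([BROWSER])
    b.stream_received("malware.host", payload)
    state = b.file_write(BROWSER, "/tmp/update.exe", payload)
    results["drive_by"] = (state, b.execute("/tmp/update.exe"), len(b.alerts))

    # 3. Replaced download file: consent exists for setup.exe from www.a.com,
    #    but the bytes written differ from what www.a.com actually sent.
    b = BladeModel([BROWSER])
    b.user_consented("setup.exe", "www.a.com")
    b.stream_received("www.a.com", installer)
    b.stream_received("malware.host", payload)
    state = b.file_write(BROWSER, "/home/user/Downloads/setup.exe", payload)
    results["hijacked"] = (state, b.execute("/home/user/Downloads/setup.exe"))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```

A browser-written file leaves the Secure Zone only when a consent event names that file, a stream from the consented origin was recorded, and the written bytes equal that stream's bytes; everything else stays quarantined and any execution attempt is refused and logged. Running the file prints the three outcomes: the consented download executes, the drive-by file is blocked with one alert, and the replaced file is blocked because the content check fails even though a consent exists.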
Slide 20: Benign Website Evaluation
• Normal file downloads: 15 sites, 4 browsers, 120 downloads, 0 FP
• Normal site-browsing: 5 sites, 6 categories, 120 pages, 0 FP

Slide 21: Performance Evaluation
• Per-component test
• End-to-end test
• Worst case overhead: 3%
• Negligible on average

Slide 22: Limitations
• Social engineering attacks
• In-memory execution of shellcode
• Only effective against binary executables

Slide 23: Q&A
www.blade-defender.org