{"61486":{"#nid":"61486","#data":{"type":"news","title":"BLADE Software Eliminates \u0022Drive-By Downloads\u0022 from Malicious Websites","body":[{"value":"\u003Cp\u003EInsecure Web browsers and the growing number of complex applets and browser plug-in applications are allowing malicious software to spread faster than ever on the Internet. Some websites are installing malicious code, such as spyware, on computers without the user\u0027s knowledge or consent.\u003C\/p\u003E\n\u003Cp\u003EThese so-called \u0022drive-by downloads\u0022 signal a shift away from using spam and malicious e-mail attachments to infect computers. Approximately 560,000 websites -- and 5.5 million Web pages on those sites -- were infected with malware during the fourth quarter of 2009.\n\u003C\/p\u003E\n\u003Cp\u003EA new tool that eliminates drive-by download threats has been developed by researchers at the Georgia Institute of Technology and California-based SRI International. BLADE -- short for Block All Drive-By Download Exploits -- is browser-independent and designed to eliminate all drive-by malware installation threats. Details about BLADE were presented Oct. 6 at the Association for Computing Machinery\u0027s Conference on Computer and Communications Security.\n\u003C\/p\u003E\n\u003Cp\u003E\u0022By simply visiting a website, malware can be silently installed on a computer to steal a user\u0027s identity and other personal information, launch denial-of-service attacks, or participate in botnet activity,\u0022 said Wenke Lee, a professor in Georgia Tech\u0027s School of Computer Science. \u0022BLADE is an effective countermeasure against all forms of drive-by download malware installs because it is vulnerability and exploit agnostic.\u0022\n\u003C\/p\u003E\n\u003Cp\u003EThe BLADE development team includes Lee, Georgia Tech graduate student Long Lu, and Vinod Yegneswaran and Phillip Porras from SRI International. 
Funding for the BLADE tool was provided by the National Science Foundation, U.S. Army Research Office and U.S. Office of Naval Research.\n\u003C\/p\u003E\n\u003Cp\u003ETo see a demonstration of how BLADE defends against drive-by downloads, watch this video: \u003Ca href=\u0022http:\/\/www.youtube.com\/watch?v=9emHejh8hWE\u0022 title=\u0022http:\/\/www.youtube.com\/watch?v=9emHejh8hWE\u0022\u003Ehttp:\/\/www.youtube.com\/watch?v=9emHejh8hWE\u003C\/a\u003E.\n\u003C\/p\u003E\n\u003Cp\u003EThe researchers evaluated the tool on multiple versions and configurations of Internet Explorer and Firefox. BLADE successfully blocked all drive-by malware installation attempts from the more than 1,900 malicious websites tested. The software produced no false positives and required minimal resources from the computer. Major antivirus software programs caught less than 30 percent of the more than 7,000 drive-by download attempts from the same websites.\n\u003C\/p\u003E\n\u003Cp\u003E\u0022BLADE monitors and analyzes everything that is downloaded to a user\u0027s hard drive to cross-check whether the user authorized the computer to open, run or store the file on the hard drive. If the answer is no to these questions, BLADE stops the program from installing or running and removes it from the hard drive,\u0022 explained Lu.\n\u003C\/p\u003E\n\u003Cp\u003EBecause drive-by downloads bypass the prompts users typically receive when a browser is downloading an unsupported file type, BLADE tracks how users interact with their browsers to distinguish downloads that received user authorization from those that did not. To do this, the tool captures on-screen consent-to-download dialog boxes and tracks the user\u0027s physical interactions with these windows. 
In addition, all downloads are saved to a secure zone on a user\u0027s hard drive so that BLADE can assess the content and prevent any malicious software from executing.\n\u003C\/p\u003E\n\u003Cp\u003E\u0022Other research groups have tried to stop drive-by downloads, but they typically build a system that defends against a subset of the threats,\u0022 explained Lee. \u0022We identified the one point that all drive-by downloads have to pass through -- downloading and executing a file on the computer -- and we decided to use that as our choke point to prevent the installs.\u0022\n\u003C\/p\u003E\n\u003Cp\u003EThe BLADE testing showed that the applications most frequently targeted by drive-by download exploits included Adobe Reader, Sun Java and Adobe Flash -- with Adobe Reader attracting almost three times as many attempts as the other programs. Computers using Microsoft\u0027s Internet Explorer 6 became infected by more drive-by downloads than those using versions 7 or 8, while Firefox 3 had a lower browser infection rate than all versions of Internet Explorer. Among the more than 1,900 active malicious websites tested, the Ukraine, United Kingdom and United States were the top three countries serving active drive-by download exploits.\n\u003C\/p\u003E\n\u003Cp\u003ELegitimate Web addresses that should be allowed to download content to a user\u0027s computer without explicit permission, such as browser or plug-in auto-updates, can be easily white-listed by the user so that their functionality is not affected by BLADE.\n\u003C\/p\u003E\n\u003Cp\u003EThe researchers have also developed countermeasures so that malware publishers cannot circumvent BLADE by installing the malware outside the secure zone or executing it while it is being quarantined.\n\u003C\/p\u003E\n\u003Cp\u003EWhile BLADE is highly successful in thwarting drive-by download attempts, the development team admits that BLADE will not prevent social engineering attacks. 
Internet users are still the weakest link in the security chain, they note.\n\u003C\/p\u003E\n\u003Cp\u003E\u0022BLADE requires a user\u0027s browser to be configured to require explicit consent before executable files are downloaded, so if this option is disabled by the user, then BLADE will not be able to protect that user\u0027s Web surfing activities,\u0022 added Lee.\n\u003C\/p\u003E\n\u003Cp\u003E\u003Cem\u003EThis material is based upon work supported by the National Science Foundation (NSF) under Award No. CNS-0716570, U.S. Army under Award No. W911NF-06-1-0316 and U.S. Navy under Award No. N00014-09-1-1042. Any opinions, findings, conclusions or recommendations expressed in this publication are those of the principal investigators and do not necessarily reflect the views of the NSF, U.S. Army or U.S. Navy.\u003C\/em\u003E\n\u003C\/p\u003E\n\u003Cp\u003E\u003Cstrong\u003EResearch News \u0026amp; Publications Office\u003Cbr \/\u003E\nGeorgia Institute of Technology\u003Cbr \/\u003E\n75 Fifth Street, N.W., Suite 314\u003Cbr \/\u003E\nAtlanta, Georgia  30308  USA\u003C\/strong\u003E\n\u003C\/p\u003E\n\u003Cp\u003E\u003Cstrong\u003EMedia Relations Contacts:\u003C\/strong\u003E Abby Vogel Robinson (abby@innovate.gatech.edu; 404-385-3364) or John Toon (jtoon@gatech.edu; 404-894-6986)\n\u003C\/p\u003E\n\u003Cp\u003E\u003Cstrong\u003EWriter:\u003C\/strong\u003E Abby Vogel Robinson\u003C\/p\u003E","summary":null,"format":"limited_html"}],"field_subtitle":"","field_summary":[{"value":"\u003Cp\u003EResearchers have developed a new tool that eliminates drive-by download threats. 
BLADE is browser-independent and when tested, it blocked all drive-by malware installation attempts from more than 1,900 malicious websites and produced no false positives.\u003C\/p\u003E","format":"limited_html"}],"field_summary_sentence":[{"value":"Researchers developed a tool that eliminates drive-by downloads."}],"uid":"27206","created_gmt":"2010-10-06 00:00:00","changed_gmt":"2016-10-08 03:07:34","author":"Abby Vogel Robinson","boilerplate_text":"","field_publication":"","field_article_url":"","dateline":{"date":"2010-10-06T00:00:00-04:00","iso_date":"2010-10-06T00:00:00-04:00","tz":"America\/New_York"},"extras":[],"hg_media":{"61487":{"id":"61487","type":"image","title":"Wenke Lee","body":null,"created":"1449176337","gmt_created":"2015-12-03 20:58:57","changed":"1475894536","gmt_changed":"2016-10-08 02:42:16","alt":"Wenke Lee","file":{"fid":"191368","name":"tpo68789.jpg","image_path":"\/sites\/default\/files\/images\/tpo68789_0.jpg","image_full_path":"http:\/\/hg.gatech.edu\/\/sites\/default\/files\/images\/tpo68789_0.jpg","mime":"image\/jpeg","size":814533,"path_740":"http:\/\/hg.gatech.edu\/sites\/default\/files\/styles\/740xx_scale\/public\/images\/tpo68789_0.jpg?itok=oMcbmJWm"}}},"media_ids":["61487"],"related_links":[{"url":"http:\/\/www.blade-defender.org\/","title":"BLADE"},{"url":"http:\/\/www.blade-defender.org\/BLADE-ACM-CCS-2010.pdf","title":"ACM Conference on Computer and Communications Security paper"},{"url":"http:\/\/www.scs.gatech.edu\/people\/wenke-lee","title":"Wenke Lee"},{"url":"http:\/\/www.scs.gatech.edu\/","title":"Georgia Tech School of Computer Science"}],"groups":[{"id":"1188","name":"Research Horizons"}],"categories":[{"id":"153","name":"Computer Science\/Information Technology and Security"},{"id":"135","name":"Research"}],"keywords":[{"id":"9202","name":"antivirus"},{"id":"10867","name":"Blade"},{"id":"10838","name":"botnets"},{"id":"9086","name":"countermeasures"},{"id":"10868","name":"denial of 
service"},{"id":"10863","name":"drive-by download"},{"id":"2229","name":"Internet"},{"id":"10865","name":"Malicious Software"},{"id":"10866","name":"malicious websites"},{"id":"7772","name":"malware"},{"id":"171031","name":"Spyware"}],"core_research_areas":[],"news_room_topics":[],"event_categories":[],"invited_audience":[],"affiliations":[],"classification":[],"areas_of_expertise":[],"news_and_recent_appearances":[],"phone":[],"contact":[{"value":"\u003Cp\u003E\u003Cstrong\u003EAbby Vogel Robinson\u003C\/strong\u003E\u003Cbr \/\u003EResearch News and Publications\u003Cbr \/\u003E\u003Ca href=\u0022http:\/\/www.gatech.edu\/contact\/index.html?id=avogel6\u0022\u003EContact Abby Vogel Robinson\u003C\/a\u003E\u003Cbr \/\u003E\u003Cstrong\u003E404-385-3364\u003C\/strong\u003E\u003C\/p\u003E","format":"limited_html"}],"email":["abby@innovate.gatech.edu"],"slides":[],"orientation":[],"userdata":""}}}