
Browser Extension Based Method To Prevent Drive-by Download Attack

Posted on: 2014-05-27
Degree: Master
Type: Thesis
Country: China
Candidate: R Z Tian
Full Text: PDF
GTID: 2308330482951965
Subject: Computer software and theory

Abstract/Summary:
With the rapid development of the World Wide Web, many new web technologies have appeared. They greatly enrich web content, but they also make browser functionality ever more complex, so ensuring the browser's security has become correspondingly harder. Because the browser is as ubiquitous as the operating system and occupies most of a user's time on the Internet, it has become the main attack target. According to Microsoft, in 2011 the number of vulnerabilities found in the various browsers exceeded the number found in operating systems, and the gap keeps widening. HTML/JavaScript attacks have tied for first place since 2011, accounting for one-third of all attacks. Web attacks such as SQL injection, broken session management, cross-site scripting and cross-site request forgery are a severe threat to a wide variety of web applications and to the vast majority of Internet users.

The drive-by download attack is the most common web attack. It exploits vulnerabilities in the user's browser or its plug-ins, applying attack techniques from the traditional software security field to compromise the browser, download and execute malware, and then steal the user's private data or recruit the victim host into a botnet. Merely visiting a drive-by download web site is enough for the user's host to be infected, or even completely controlled by the attacker.

A drive-by download attack first needs to place its malicious script on a website. There are two ways to do so: the attacker builds a website, or the attacker compromises a well-known website and embeds content into its pages. The second way is more common because it costs less, is easy to disguise, and draws many visitors. The attacker embeds an IFrame into a legitimate web page. The request for this IFrame is redirected several times to conceal the address of the real attack server. The IFrame contains malicious JavaScript code aimed at particular browser vulnerabilities. When a user visits the page, the JavaScript runs automatically, hijacks the browser's control flow, and downloads and executes malware from a remote malware server. Malicious JavaScript usually employs the heap-spray technique, which allocates a large amount of heap space so that control can be transferred precisely to the shellcode. Drive-by downloads that target plug-ins work the same way; the only difference is that the malicious code is written in the language the plug-in supports, such as ActionScript or Java.

We adopt an execute-prevention method to defend against drive-by download attacks: the download of malware is permitted, but its execution is prevented. Files that users download manually are considered benign and may execute; all other files downloaded by the browser are considered potentially malicious and may not. A browser extension monitors the user's download activity and adds the executable files among those downloads to a white list. At the same time, a hook monitors process creation by the browser; when an executable file that is not on the white list is requested to run, the driver refuses the request. We have implemented a prototype, DPrevent (Drive-by Download Prevent), as a Firefox extension for the Microsoft Windows platform. Experiments show that DPrevent's false positive and false negative rates are both zero. Because it is agnostic to the attack method, it can also defend against zero-day attacks. DPrevent's overhead is almost none, which is better than the other dynamic techniques in this area.
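The white-list policy described above, as an added illustration that is not the thesis's own code: a user-initiated download of an executable is recorded, and a process-creation check for browser-spawned processes denies anything not recorded. The paths, the browser image and the sample file bytes are constructed; the content-hash comparison is an added hardening step beyond the path-based white list the abstract describes.

```python
import hashlib
from dataclasses import dataclass, field

# Added illustration of the DPrevent policy; all names and sample data are constructed.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".msi", ".bat", ".cmd")


def is_executable(path: str) -> bool:
    return path.lower().endswith(EXECUTABLE_SUFFIXES)


@dataclass
class DPreventPolicy:
    """Execute prevention: only executables the user downloaded on purpose may run."""
    browser_image: str
    allowlist: dict = field(default_factory=dict)  # path -> sha256 of content at download time

    def on_download_complete(self, path: str, content: bytes, user_initiated: bool) -> bool:
        """Extension-side hook. Returns True if the file was added to the white list."""
        if not (user_initiated and is_executable(path)):
            return False  # silent, browser-initiated downloads never become executable
        self.allowlist[path.lower()] = hashlib.sha256(content).hexdigest()
        return True

    def on_process_create(self, parent_image: str, image_path: str, content: bytes) -> bool:
        """Driver-side hook. Returns True to allow the process, False to deny it."""
        if parent_image.lower() != self.browser_image.lower():
            return True  # the thesis scopes the check to processes the browser spawns
        expected = self.allowlist.get(image_path.lower())
        if expected is None:
            return False  # not on the white list: refuse execution
        # Hardening beyond the abstract: re-hash so a file overwritten under a
        # white-listed name is still denied rather than trusted by path alone.
        return hashlib.sha256(content).hexdigest() == expected


def simulate() -> dict:
    """Constructed scenario: one manual download, one silent drop, then four execution requests."""
    firefox = r"C:\Program Files\Mozilla Firefox\firefox.exe"
    policy = DPreventPolicy(browser_image=firefox)
    installer = b"MZ-constructed-installer-bytes"
    dropped = b"MZ-constructed-drive-by-payload"
    policy.on_download_complete(r"C:\Users\u\Downloads\setup.exe", installer, user_initiated=True)
    policy.on_download_complete(r"C:\Users\u\AppData\Local\Temp\x.exe", dropped, user_initiated=False)
    return {
        "manual_download_runs": policy.on_process_create(firefox, r"C:\Users\u\Downloads\setup.exe", installer),
        "drive_by_payload_denied": not policy.on_process_create(firefox, r"C:\Users\u\AppData\Local\Temp\x.exe", dropped),
        "overwritten_allowlisted_denied": not policy.on_process_create(firefox, r"C:\Users\u\Downloads\setup.exe", dropped),
        "non_browser_parent_out_of_scope": policy.on_process_create(r"C:\Windows\explorer.exe", r"C:\Users\u\AppData\Local\Temp\x.exe", dropped),
    }
```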
Keywords/Search Tags: Browser Extension, Drive-by download, Web Security