A seemingly foolproof tool for blocking drive-by-download attacks has been developed by a group of researchers at the Georgia Institute of Technology and California-based SRI International.
The tool is called BLADE (an acronym for Block All Drive-By Download Exploits) and, as one of the researchers puts it, is browser-independent and “vulnerability and exploit agnostic”. It has been tried on various versions of Internet Explorer and Firefox, and the result is astounding: all of the roughly 1,900 drive-by installation attempts were blocked, with no false positives. An added bonus is that it imposes little performance overhead on the computer.
How does it work? “BLADE monitors and analyzes everything that is downloaded to a user’s hard drive to cross-check whether the user authorized the computer to open, run or store the file on the hard drive. If the answer is no to these questions, BLADE stops the program from installing or running and removes it from the hard drive,” said Long Lu – a Georgia Tech graduate student and one of the developers of BLADE – to Science Daily. Also, all downloads are stored to a “secure zone” of the hard drive so that BLADE can determine whether the software is malicious or not.
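The consent-correlation idea described above, as an added illustration that is not the researchers' code and does not model their kernel-level implementation or their countermeasures: a user-space simulation in which a browser's file writes are only allowed to become runnable if a matching user consent (a Save/Open click on the same file name) happened shortly before; every other browser-originated write is parked in a non-executable "secure zone" and refused execution. The 5-second consent window, the browser process id, the paths and the event stream are all constructed for the example.

```python
"""Toy model of BLADE's policy: correlate browser file writes with user consent.

Added example, not the researchers' code. Everything below (window size,
process ids, paths, the event stream in run_demo) is constructed for illustration.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

CONSENT_WINDOW_S = 5.0  # assumption: a consent authorises a write for at most 5 s


@dataclass
class Consent:
    """A user-authorisation event: the browser showed a Save/Open dialog and the user accepted."""
    browser_pid: int
    filename: str
    t: float


@dataclass
class FileWrite:
    """A new file being written to disk by some process."""
    pid: int
    path: str
    t: float


@dataclass
class Supervisor:
    browser_pids: Set[int]
    consents: List[Consent] = field(default_factory=list)
    # original path -> location inside the non-executable secure zone
    quarantined: Dict[str, str] = field(default_factory=dict)

    def user_consented(self, pid: int, filename: str, t: float) -> None:
        """Record that the user explicitly authorised `filename` for browser `pid`."""
        self.consents.append(Consent(pid, filename, t))

    def _match_consent(self, w: FileWrite) -> Optional[Consent]:
        name = w.path.rsplit("/", 1)[-1]
        for c in self.consents:
            same_origin = c.browser_pid == w.pid and c.filename == name
            if same_origin and 0.0 <= w.t - c.t <= CONSENT_WINDOW_S:
                return c
        return None

    def on_file_write(self, w: FileWrite) -> str:
        """Decide what happens to a freshly written file: allow, quarantine or ignore."""
        if w.pid not in self.browser_pids:
            return "ignore"  # only browser-originated writes are supervised
        c = self._match_consent(w)
        if c is not None:
            self.consents.remove(c)  # one consent authorises exactly one file
            return "allow"
        # No matching consent: move the file into the secure zone, where it cannot execute.
        tag = hashlib.sha256(w.path.encode()).hexdigest()[:12]
        self.quarantined[w.path] = f"/secure_zone/{tag}"
        return "quarantine"

    def on_exec_request(self, path: str) -> str:
        """Refuse to run anything that was parked in the secure zone."""
        if path in self.quarantined or path.startswith("/secure_zone/"):
            return "deny"
        return "allow"


def run_demo() -> List[str]:
    """Constructed event stream: a consented download, a silent one, a replay and a late write."""
    sup = Supervisor(browser_pids={4242})
    out = []
    sup.user_consented(4242, "report.pdf", 10.0)
    out.append(sup.on_file_write(FileWrite(4242, "/home/u/Downloads/report.pdf", 11.2)))  # allow
    out.append(sup.on_file_write(FileWrite(4242, "/home/u/report.pdf", 12.0)))  # consent already spent
    out.append(sup.on_file_write(FileWrite(4242, "/home/u/Downloads/update.exe", 30.0)))  # drive-by
    out.append(sup.on_file_write(FileWrite(999, "/tmp/installer.exe", 31.0)))  # not a browser
    sup.user_consented(4242, "setup.exe", 50.0)
    out.append(sup.on_file_write(FileWrite(4242, "/home/u/Downloads/setup.exe", 70.0)))  # stale consent
    out.append(sup.on_exec_request("/home/u/Downloads/update.exe"))  # deny
    out.append(sup.on_exec_request("/home/u/Downloads/report.pdf"))  # allow
    return out


if __name__ == "__main__":
    print(run_demo())
```

The point the simulation makes is that the check is agnostic to the exploit: it never inspects the file or the vulnerability used, only whether a human authorised this particular file from this particular browser within a short window, and a single consent cannot be reused for a second file.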
The testing of this tool also uncovered some additional information about drive-by-download attacks, namely that the most frequently targeted applications are Adobe Reader, Sun Java and Adobe Flash, that computers with IE6 installed are more likely to get infected than those with IE7 and 8, and that Firefox 3 users are the least at risk.
The researchers say they have also thought about potential attempts by malware authors to bypass BLADE, such as installing the malware outside the dedicated “secure zone” or executing it from inside it, and have developed active countermeasures against these.
They didn’t say what those countermeasures are, but the researchers were scheduled to present further details about BLADE at the Association for Computing Machinery’s Conference on Computer and Communications Security, held last week in Chicago, so we can expect those details to become widely known soon.