
How do you Stop Driveby Downloads


19 replies to this topic

#1 King_Yoshi

King_Yoshi

  • Malware Study Hall Senior
  • 1,361 posts
  • OFFLINE
  • Local time:07:58 PM

Posted 28 July 2012 - 02:51 PM

I have recently been infected by a drive-by download, due to my accidentally clicking on an ad.
(I was using Firefox and was using both the Flashblock and Adblock addons.)

I actually watched in real time, as my network meter showed the download happening, and then my firewall alert going off. I blocked its connection to the internet, but it still continued to activate.
I then proceeded to stop all traffic with Comodo, and unplugged my ethernet cable; however, the damage had already been done.


My question is, what lightweight programs could I use for stopping these driveby downloads?
If I could prevent the trojan to begin with I could avoid all the viruses/rootkits/malware that comes after.
(Besides user discretion, because mistakes do happen.)

Thank you for any and all help.


#2 ButtonsRNeat

ButtonsRNeat

  • Members
  • 5 posts
  • OFFLINE
  • Local time:05:58 PM

Posted 28 July 2012 - 04:38 PM

Hi!

I think NoScript should help prevent some drive-by downloads. It is an add-on for Firefox. You should probably look into it more though to see if it's right for you because I only started using it recently and I'm not too knowledgeable about this kind of stuff...just putting out an idea. Maybe a more experienced person on this forum will have a better suggestion.

#3 King_Yoshi

King_Yoshi
  • Topic Starter

  • Malware Study Hall Senior
  • 1,361 posts
  • OFFLINE
  • Local time:07:58 PM

Posted 28 July 2012 - 04:47 PM

Hi!

I think NoScript should help prevent some drive-by downloads. It is an add-on for Firefox. You should probably look into it more though to see if it's right for you because I only started using it recently and I'm not too knowledgeable about this kind of stuff...just putting out an idea. Maybe a more experienced person on this forum will have a better suggestion.


Thank you for the suggestion. I have actually tried using this addon, but it has caused me much trouble since just about every single website I use requires scripts. I even tried white-listing them all, but after about 200+ websites, it became very tedious.

Do you know of any programs that could catch a driveby as it happens and block the download?

#4 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:09:58 AM

Posted 28 July 2012 - 05:22 PM

Hello -
Since you do have an open infection topic, I can only be basic in my reply and ask you not to make any changes to your computer's current settings.
With that said, your Malware Removal advisor will give you some more specific items after they check your logs and apply any fixes.

In many cases it is almost impossible to fully prevent a "drive-by infection" download, as the infection will load regardless of the steps taken.
This is why all reputable Malware Removal forums are fully loaded with people waiting for help on similar problems.

Your first line of defense is naturally a good Antivirus program. Free, Trial, or Paid versions are all mostly good these days, and you should use one that you are happy with. You should add a good known brand of Firewall to this mix, as these will stop another few % of infections as well as hackers.

Next, remember that no one program will ever prevent all infections, at all times, in all situations, or on all computer makes and models.
Active (running) Antivirus and Antimalware programs can stop well over 90% of known infections, but never 100% of them.
I run Microsoft Security Essentials Antivirus with a Paid (active) version of Malwarebytes Anti-Malware, but I have still had infections slip past them.

There are other good Free programs, like WinPatrol or W.O.T. and other similar programs that warn you about sites with infections on them.
But as I said earlier an Antivirus, Antimalware and Firewall program may still allow a small new infection to access your system. Please remember that the rotten people who insert infections on the internet are devising newer methods every day, just to harm good people like you.

The pinned topics at the top of this forum area contain many very good ideas on prevention and quick help ideas, just for your protection.

I know this is a bit long, but there is no short answer in the continuing fight against Malware of any type infecting your computer.

Thank you if you took the time to read, or at least scan most of my reply -

Regards and Good Luck -
Edited for spelling only

Edited by noknojon, 28 July 2012 - 05:24 PM.


#5 King_Yoshi

King_Yoshi
  • Topic Starter

  • Malware Study Hall Senior
  • 1,361 posts
  • OFFLINE
  • Local time:07:58 PM

Posted 28 July 2012 - 05:32 PM

Thank you for the feedback.

I currently do run Malwarebytes free and a paid version of Avast and Comodo Firewall.
I do find it odd that there is no sure way of stopping a program from running on a Windows OS.

Just recapping here, from what you last stated, there is no way to stop the driveby download, since it is using some sort of exploit in one of the programs I am currently running. However, an anti-virus/malware program should be able to pick up the infection most of the time?

I used to use a program named Process Explorer in the past, which did in fact stop most drivebys and trojans, and am actively seeking a replacement for it.
In fact I have even started a new post HERE for it.

#6 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:09:58 AM

Posted 28 July 2012 - 06:12 PM

Hi Again-
I do find it odd that there is no sure way of stopping a program from running on a Windows OS.<< For a full answer we must ask Bill Gates and his team B)
However, an anti-virus/malware program should be able to pick up the infection most of the time?<< Note that I did say Active / running program.
Note that Malwarebytes free is only a "Clean up tool" and will never prevent or block an infection from entering your system, only "help" in removal.

I would also wait for one more day, as Animal, and other higher people usually do not like us to give specific advice while you have a Malware Removal topic pending.
Our advice can make the problem harder for the Experts to clean, due to new programs being placed on your system after you have submitted existing logs.

I do hope that you understand this, and in no way are we refusing to give you general information or help for future use.

Thank You -
EDITED to add links -
From Wikipedia Process Explorer is a freeware computer program for Microsoft Windows created by Sysinternals, which has been acquired by Microsoft Corporation.
Also a link to Process Explorer Home Page for you to read and see if this is the program that you did refer to.

Edited by noknojon, 28 July 2012 - 06:21 PM.


#7 Union_Thug

Union_Thug

    Bleeps with the fishes...


  • Members
  • 2,355 posts
  • OFFLINE
  • Gender:Male
  • Location:is everything
  • Local time:06:58 PM

Posted 28 July 2012 - 06:32 PM

....there is no way to stop the driveby download, since it is using some sort of exploit in one of the programs I am currently running....


In order to reduce the "attack surface" of your OS, it is imperative you update your system/programs on a regular basis. I use the following methods, among others:

1) Windows Update: http://windows.microsoft.com/en-us/windows/help/windows-update
2) Secunia Personal Software Inspector: http://secunia.com/vulnerability_scanning/personal/
3) FileHippo Update Checker: http://www.filehippo.com/updatechecker/
4) Adobe Security Bulletins: http://www.adobe.com/support/security/
5) Java Version Check: http://www.java.com/inc/BrowserRedirect1.jsp?locale=en

#8 King_Yoshi

King_Yoshi
  • Topic Starter

  • Malware Study Hall Senior
  • 1,361 posts
  • OFFLINE
  • Local time:07:58 PM

Posted 28 July 2012 - 07:41 PM

I apologize. I seem to have linked to the correct program, but put down the wrong name. The program I am speaking of is DiamondCS ProcessGuard.

Process Explorer is another good program I use, but does not have anything to do with ProcessGuard.
I apologize for the mistake.

I was specifically mentioning ProcessGuard, since it would literally not allow any program to run on your computer unless
A. It bypassed ProcessGuard (Which to my knowledge happened very rarely.)
B. You allowed it to run
C. It was added to the programs whitelist

ProcessGuard acted much like UAC does, however it allowed you to analyze and get additional information about every program that was run, where it was run from/located, and a number of other features.



On a side note. Rest assured that the information I am given will not be utilized until the computer is deemed "clean".
I am merely posting here so that I can get new methods for prevention. Something which does not seem to be very popular.
(Most people I have spoken to about this just tell me to fix the problem as it comes up... I prefer to prevent it, before it becomes a problem.)
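The allow-list model described above (nothing runs unless it is already on the whitelist or the user explicitly approves it, with the file's location and hash shown before deciding) can be sketched as a policy decision. The Python below is an added example for this thread, not code from ProcessGuard, AppGuard or BleepingComputer: it identifies a program by the SHA-256 of its bytes, keeps the allow-list in memory, models the user prompt as a callback, and flags files sitting in a temporary directory, since that is where a drive-by payload usually lands. A real product enforces this by hooking process creation in the kernel; this only models the decision and its audit trail.

```python
"""Illustrative default-deny execution policy (added example, not ProcessGuard code).

Assumptions: programs are identified by the SHA-256 of their bytes, the
allow-list lives in memory, and the 'user prompt' is a callback. A real
product hooks process creation in the OS; this only models the decision.
"""
import hashlib
import os
import tempfile
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"   # on the allow-list, or the user approved it
    ASK = "ask"       # unknown program: stays blocked until the user answers
    DENY = "deny"     # the user declined


def sha256_of_file(path):
    """Hash the file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def describe(path):
    """The context shown before deciding: where the file lives, its size and
    hash, and whether it sits under the temp directory (a common drop location)."""
    real = os.path.realpath(path)
    tmp = os.path.realpath(tempfile.gettempdir())
    return {
        "path": real,
        "directory": os.path.dirname(real),
        "size": os.path.getsize(real),
        "sha256": sha256_of_file(real),
        "in_temp_dir": real.startswith(tmp + os.sep),
    }


class ExecutionPolicy:
    """Default deny: a program runs only if its hash is allow-listed or the
    user explicitly approves it, which then extends the allow-list."""

    def __init__(self, allowed_hashes=()):
        self.allowed_hashes = set(allowed_hashes)
        self.audit_log = []   # (path, sha256, verdict) for every decision

    def evaluate(self, path, user_approves=None):
        info = describe(path)
        if info["sha256"] in self.allowed_hashes:
            verdict = Verdict.ALLOW
        elif user_approves is None:
            verdict = Verdict.ASK                     # nobody to ask: stays blocked
        elif user_approves(info):
            verdict = Verdict.ALLOW
            self.allowed_hashes.add(info["sha256"])   # remember the approval
        else:
            verdict = Verdict.DENY
        self.audit_log.append((info["path"], info["sha256"], verdict))
        return verdict


def demo():
    """Constructed scenario: two fake 'executables' in a scratch directory."""
    work = tempfile.mkdtemp()
    editor = os.path.join(work, "editor.exe")
    dropper = os.path.join(work, "update_helper.exe")
    with open(editor, "wb") as fh:
        fh.write(b"MZ constructed stand-in for a known-good program")
    with open(dropper, "wb") as fh:
        fh.write(b"MZ constructed stand-in for an unknown download")

    policy = ExecutionPolicy(allowed_hashes={sha256_of_file(editor)})
    verdicts = [
        policy.evaluate(editor),                                    # known-good: allow
        policy.evaluate(dropper),                                   # unknown, no prompt: ask
        policy.evaluate(dropper, user_approves=lambda i: False),    # user says no: deny
        policy.evaluate(dropper, user_approves=lambda i: not i["in_temp_dir"]),  # rule: deny temp-dir files
        policy.evaluate(dropper, user_approves=lambda i: True),     # user says yes: allow + whitelist
        policy.evaluate(dropper),                                   # now on the list: allow
    ]
    return {
        "verdicts": [v.value for v in verdicts],
        "dropper_in_temp_dir": describe(dropper)["in_temp_dir"],
        "decisions_logged": len(policy.audit_log),
    }


if __name__ == "__main__":
    print(demo())
```

Running the file prints the six verdicts in order: allow, ask, deny, deny, allow, allow. The fourth call shows how the location information can feed a rule rather than a manual click; the audit log is what you would review afterwards to see what tried to run and from where.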

#9 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:09:58 AM

Posted 28 July 2012 - 08:25 PM

The program I am speaking of is DiamondCS ProcessGuard.

Publisher DiamondCS http://www.diamondcs.com.au
License type Shareware - Full cost $29.95(USD)
DiamondCS ProcessGuard 3 - Description by Publisher

DiamondCS ProcessGuard is a groundbreaking security system first released late in 2003 that protects Windows processes from attacks by other spyware processes, services, drivers, and other forms of executing code on your system. ProcessGuard also stops applications from executing without the user's consent, stops malicious worms and trojans from being executed silently in the background, as well as a variety of other attacks. ProcessGuard even stops most keyloggers and leaktests, and is recognised by many to be the most comprehensive anti-rootkit solution available.

From most information available it supported up to XP only and was halted at that development stage. OS: Windows2000, WinXP, Windows2003
The Latest Link I can Find

Not sure of your O/System so I cannot add any more than these links for you, and hope this is what you were talking about -
EDIT to add SpywareBlaster -
SpywareBlaster - A program that locks your browser from running known malware or downloading programs from known malware sites.
This is a more recommended program these days, and seems to be similar to what you are talking about -

Edited by noknojon, 28 July 2012 - 08:30 PM.


#10 King_Yoshi

King_Yoshi
  • Topic Starter

  • Malware Study Hall Senior
  • 1,361 posts
  • OFFLINE
  • Local time:07:58 PM

Posted 28 July 2012 - 08:41 PM

The program I am speaking of is DiamondCS ProcessGuard.

Publisher DiamondCS http://www.diamondcs.com.au
License type Shareware - Full cost $29.95(USD)


Yes I used ProcessGuard on my old Windows XP system, and had hoped that they would support Windows 7. But they had gone out of business before then, and I have been looking for a Windows 7-compatible program similar to it since then.

EDIT to add SpywareBlaster -
SpywareBlaster - A program that locks your browser from running known malware or downloading programs from known malware sites.
This is a more recommended program these days, and seems to be similar to what you are talking about -


Thank you for this suggestion. It looks to be a less comprehensive solution to my problem.
I think I will start using it, until I find a more powerful program.
(I will not install it until after my computer is clean.)

Edited by King_Yoshi, 28 July 2012 - 08:44 PM.


#11 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:09:58 AM

Posted 28 July 2012 - 08:50 PM

Please read this page http://www.bleepingcomputer.com/forums/topic405.html/page__view__findpost__p__1637 from at the top of this forum area.
There are many good and newer programs listed in those "pinned" pages at the top of this area by Grinler and Quietman7 -
These people are the better Experts in this field, and have many options listed in those pages -

Regards -

#12 Animal

Animal

    Bleepin' Animinion


  • Site Admin
  • 35,905 posts
  • OFFLINE
  • Gender:Male
  • Location:Where You Least Expect Me To Be
  • Local time:03:58 PM

Posted 29 July 2012 - 05:17 PM

I decided to take this project on for personal gratification reasons I was curious what alternative could be used for Windows 7 OS's and ProcessGuard.

I don't have a Windows 7 OS available to test with but after reading pages and pages of information I was able to narrow down the most viable alternative to Blue Ridge Networks product AppGuard in my opinion. If anyone else has another candidate I'm interested in seeing it.

It's not free and neither was ProcessGuard. But there is a 30 day trial.

This is not an endorsement or spam post. I was just surprised that ProcessGuard does not support Windows 7. I too was curious what was available.


#13 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:09:58 AM

Posted 29 July 2012 - 06:15 PM

I was just surprised that ProcessGuard does not support Windows 7

The company that developed ProcessGuard no longer exists, and was closed (or sold) about the time XP was being expanded (in the 70s)
I'm not sure where your $30 fee ends up :blink: as there is no current contact for ProcessGuard; the old web site seems to be a reseller of other Antivirus products.
I had posted SpywareBlaster, as from my findings, I thought it was "Similar" to ProcessGuard and supported latest versions also.

Thank You -

#14 King_Yoshi

King_Yoshi
  • Topic Starter

  • Malware Study Hall Senior
  • 1,361 posts
  • OFFLINE
  • Local time:07:58 PM

Posted 29 July 2012 - 06:56 PM

I decided to take this project on for personal gratification reasons I was curious what alternative could be used for Windows 7 OS's and ProcessGuard.

I don't have a Windows 7 OS available to test with but after reading pages and pages of information I was able to narrow down the most viable alternative to Blue Ridge Networks product AppGuard in my opinion. If anyone else has another candidate I'm interested in seeing it.

It's not free and neither was ProcessGuard. But there is a 30 day trial.

This is not an endorsement or spam post. I was just surprised that ProcessGuard does not support Windows 7. I too was curious what was available.



Interesting. I had never heard of this company before. I will definitely be trying out this Appguard.
It looks to be just as customizable as process guard had originally been.

Thank you for this find.

Edited by King_Yoshi, 29 July 2012 - 06:57 PM.


#15 saltydogg

saltydogg

  • Members
  • 22 posts
  • OFFLINE
  • Gender:Male
  • Location:Southeast Texas, USA
  • Local time:06:58 PM

Posted 11 August 2012 - 11:29 PM

The company that developed ProcessGuard no longer exists, and was closed (or sold) about the time XP was being expanded (in the 70s)...


?????



