
can you get a virus/malware just by visiting a website?


27 replies to this topic

#1 NEMS

  • Members
  • 14 posts

Posted 07 June 2015 - 08:28 AM

Hello,

 

So I've always wondered if you can get a virus/malware just by visiting a website?

 

I always thought this was a No, because I believe a user is only infected when he/she opens up that malware/virus FILE, once you open it up and install it then you are infected.

 

I know there are drive by downloads, but your anti-virus or anti-malware program should detect the file and automatically delete it.

 

Malware/virus can't infect your computer unless you open the file, right?


Edited by NEMS, 07 June 2015 - 08:30 AM.



#2 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,664 posts
  • Gender:Male

Posted 07 June 2015 - 08:31 AM

Hi NEMS :)

Yes, it's entirely possible to get infected by simply visiting a website. Most commonly via what we call "Exploit Kits". Right now, EK are used to deliver a lot of dangerous malware (such as banking trojans and Cryptoware) to computers worldwide. So using a standard Antivirus and Antimalware won't cut it. Using a program that protects your web browser against such threats, like Malwarebytes Anti-Exploit will.
 

but your anti-virus or anti-malware program should detect the file and automatically delete it.


This is assuming that the file pushed on your system is already known to your Antivirus or Antimalware (in its database). If it's not, it won't do anything. And we all know that no products have a 100% detection ratio.

Edit: For more information on Exploit Kits and how they work, see the article below.

Tools of the Trade: Exploit Kits

Edited by Aura., 07 June 2015 - 08:34 AM.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 severac

  • Members
  • 872 posts
  • Gender:Male
  • Location:Serbia

Posted 07 June 2015 - 08:34 AM

Of course it can infect you when you open a site, even if you have an updated antivirus program. There is no antivirus software that can detect all malware in the world. Some antivirus programs can detect something that others still can't.


Edited by severac, 07 June 2015 - 08:38 AM.

I would like to help you to remove malware. Let's look inside.

But I don't know how to solve all PC problems.

 


#4 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,664 posts
  • Gender:Male

Posted 07 June 2015 - 08:35 AM

There is now antivirus software that can detect all malware in the world.


I'll assume this is a typo and you meant "There is no* antivirus software that can detect all malware in the world."



#5 severac

  • Members
  • 872 posts
  • Gender:Male
  • Location:Serbia

Posted 07 June 2015 - 08:39 AM

 

There is now antivirus software that can detect all malware in the world.


I'll assume this is a typo and you meant "There is no* antivirus software that can detect all malware in the world."

 

Yes, thank you for correcting my mistake. English is not my mother language. 




#6 Sintharius

    Bleepin' Sniper

  • Members
  • 5,639 posts
  • Gender:Female
  • Location:The Netherlands

Posted 07 June 2015 - 08:46 AM

Even if it's a well-known malware, cybercriminals can use a packer (read: encrypt the malware) to make it FUD (fully undetectable) to antivirus and antimalware software that rely on signatures. This can be defeated by the use of behavioral analysis (Emsisoft's Behavior Blocker), sandbox (Sandboxie, Comodo Internet Security's Defense+) or rollback (Kaspersky's System Watcher).

Anti-exploit applications such as Malwarebytes Anti-Exploit, EMET (Enhanced Mitigation Experience Toolkit) and HitmanPro.Alert are also effective in stopping malware dropped via exploits before they land on your computer. Don't use two of them at the same time though - they will conflict and lower your protection.

#7 NEMS

  • Topic Starter
  • Members
  • 14 posts

Posted 07 June 2015 - 09:59 AM

Hi NEMS :)

Yes, it's entirely possible to get infected by simply visiting a website. Most commonly via what we call "Exploit Kits". Right now, EK are used to deliver a lot of dangerous malware (such as banking trojans and Cryptoware) to computers worldwide. So using a standard Antivirus and Antimalware won't cut it. Using a program that protects your web browser against such threats, like Malwarebytes Anti-Exploit will.
 

but your anti-virus or anti-malware program should detect the file and automatically delete it.


This is assuming that the file pushed on your system is already known to your Antivirus or Antimalware (in its database). If it's not, it won't do anything. And we all know that no products have a 100% detection ratio.

Edit: For more information on Exploit Kits and how they work, see the article below.

Tools of the Trade: Exploit Kits

 

 

In #6 it says that the exploit kit is downloaded and executed. If it is downloaded, wouldn't, for example, the Chrome browser show the file downloading in the download bar? Also, how can it execute by itself?



#8 Sintharius

    Bleepin' Sniper

  • Members
  • 5,639 posts
  • Gender:Female
  • Location:The Netherlands

Posted 07 June 2015 - 10:01 AM

In #6 it says that the exploit kit is downloaded and executed. If it is downloaded, wouldn't, for example, the Chrome browser show the file downloading in the download bar? Also, how can it execute by itself?

It uses exploits to download and execute undetected. Also, the Chrome downloader was not used, so the malicious file downloaded will not show in Google Chrome.

#9 rp88

  • Members
  • 3,016 posts
  • Gender:Not Telling

Posted 07 June 2015 - 01:01 PM

You most certainly can be infected by just visiting a site, if you have vulnerable plugins or a vulnerable browser. A world where infection would only be possible if you ran a downloaded exe file would be far easier to keep a computer secure in, but in the real world some types of virus can load themselves onto your machine without the need for any deliberate actions (like opening a file) by the user. Such attacks are called "drive-bys" or "exploits" and commonly target Java, Flash and Silverlight plugins as well as Adobe Reader and the browser Internet Explorer; exploits also exist which can attack media player software and all the other common browsers (Chrome, Firefox and all the rest). Fortunately there are some ways to make it much harder for drive-by attacks to infect you; careful browsing could be considered the first, but in this era of malvertising content being loaded in the corners of reputable sites, careful browsing is not enough.

The various means to defend yourself are listed and explained below; do as many as you can for the best protection.

Always make sure your browser is up to date, and the plugins within your browser as well. Updates to browsers and plugins patch vulnerabilities, so an old un-updated browser will be vulnerable to most exploits in use, while an up-to-date browser will only be vulnerable to recently developed exploits. IE is the most vulnerable; Firefox and Chrome are both far more secure, but neither is perfect.

Deactivate all your plugins or set them as "click to play". Loads more exploits exist which attack Flash, Java and Silverlight as compared to the lower (but still terrifyingly large) number of exploits which target the browsers themselves. If you disable plugins you don't use, and set those which you sometimes use as "click to play" or "ask to activate", then exploits which attack plugins are less of a danger to you. Firefox makes it easy to disable plugins or set them as "ask to activate"; Chrome also makes it fairly easy, these days it is set up to do this by going to "sandwich button"-->settings-->show advanced settings-->content settings-->let me choose when to run plugin content. I don't know if IE lets you disable plugins like this or set them only to run when you approve them.

Run an adblocker. This won't protect you from drive-bys and exploits actually built into the page you are visiting, but it will block adverts from third-party sites which could be used to deliver malvertising.

Run a scriptblocker. This will protect you from exploits on the page you are visiting, and from exploits on other domains which are trying (but which the script blocker will stop) to load content onto the page you are on. A scriptblocker also blocks adverts as a side-effect, although you might want to run an adblocker alongside it as well. NoScript is a script blocker for Firefox; I have been using it for a while now, and I haven't suffered any infections since I installed it as an add-on. I haven't seen any pop-ups either. A scriptblocker like NoScript should make drive-bys impossible when you have it turned on, but sometimes you will need to allow some things through it for some things (videos mostly) on pages to work; if you only allow things from very trustworthy domains then it will keep you extremely safe. A scriptblocker prevents exploits before they can begin; it's an "anything the user doesn't allow deliberately is by default forbidden" type of security solution.

Run some sort of specialised anti-exploit protection. Malwarebytes Anti-Exploit does this; it is a free program which blocks common exploit methods. This means that it can protect against unknown viruses, because it blocks anything that looks like an exploit without needing to worry about precisely what the payload is. This sort of program acts as a layer "behind" your browser, whereas things like NoScript and adblockers act as layers "in front" of your browser. MBAE works well in combination with NoScript and Firefox.

Keep your antivirus running as it is, and run a real-time protection antimalware alongside it if you can. An antivirus and antimalware act as another layer behind any specialised anti-exploit protection you have.

For further protection you can also run whitelisting software which prevents any exe file which you have not previously approved from being able to execute.




The key thing with protecting yourself from exploits is to use "anything not allowed by the user is forbidden" types of security as well as the standard method an antivirus uses, "anything not matching this database of known nasties is allowed". Things like NoScript and MBAE, as well as whitelisting programs, use this first method and therefore don't need to recognise every virus; they just stop anything which the user doesn't choose to allow. A brand new virus would not be recognised by antivirus and antimalware programs, but it wouldn't be able to infect a NoScript user unless they allowed the object or script delivering it to run, and it wouldn't be able to infect an MBAE user unless it was using some utterly new and unrecognised exploit method. If you follow all the suggestions mentioned here, being exploited should be impossible; note that you still need your antivirus running as well, because MBAE and NoScript won't protect you from files you do deliberately open and run.




Regarding post #7: malware exploit files are small files, only a few kilobytes; if you have download speeds of 0.5 Mb per second they would download so fast that there wouldn't even be time to show a "downloading" bar. Also, exploits do not download in the same way as normal file downloads; they take other routes, so they wouldn't be counted by the browser as downloads and put into any download history it keeps. The self-execution of exploit files happens because of the exploit methods; these basically let them bypass normal downloading and opening entirely, they download themselves and immediately run themselves.

Edited by rp88, 07 June 2015 - 01:01 PM.

Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#10 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,664 posts
  • Gender:Male

Posted 07 June 2015 - 05:50 PM

There are many ways of downloading a file on a system without using Google Chrome and of hiding the process, so you cannot rely on that.



#11 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,483 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 07 June 2015 - 07:44 PM

Even legitimate web sites and the ads they display can be a source of infection... exploit kits and drive-by downloads. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. Hackers are also known to exploit Flash vulnerabilities which can lead to malware infection. When visiting a website that hosts an HTML page which requires a Flash script, users may encounter a malicious Flash redirector or a malicious script specifically written to exploit a vulnerability in the Flash interpreter, which causes it to execute automatically in order to infect a computer.

If you have not done so already, you may want to read: How Malware Spreads - How your system gets infected
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#12 PresComm

  • Members
  • 109 posts
  • Gender:Male

Posted 08 June 2015 - 12:54 PM

Brad Duncan's website provides great technical detail of the step-by-step machinery that goes on behind the scenes during an exploit kit attack, as does Kafeine's blog. See examples of the Angler EK pushing the Bedep Trojan below:

 

http://www.malware-traffic-analysis.net/2015/06/05/index.html

http://malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html

 

I just ran into the infection outlined by Brad in the first link. Stepping through his post, you can see that just by visiting a site that points to "flash[.]casapiti[.]com[.]ar", or by visiting that site directly, you will be redirected to a page (haitallistakinaglaozonia[.]renteriaonline[.]com) that hosts some files that are designed to exploit vulnerabilities in your browser (those are the 3 items in the "ANGLER EK" section, the GET requests.) The browser executes those files, because that is what it is supposed to do. The files themselves exploit vulnerabilities in the browser, which then allows the attacker to do what it is they want to do. In the cases covered by Brad and Kafeine and encountered by myself, the Bedep Trojan is pushed onto the machine. Yes, anti-virus can intervene at this point, once Bedep is dropped onto the machine, but that goes with usual caveats (definitions need to be updated, attacker can bypass protections by using polymorphic copies of the malware, malware can be packed, etc.) You should instead be relying on anti-exploit technologies to prevent the exploit in the first place. Again, these can be bypassed, but I have had very, very good experiences with Malwarebytes Anti-Exploit. The important thing to note here is that the only action that the user carried out was browsing to a website. The browser and the EK took care of everything else.

 

EKs are just files full of code that are executed by the browser. When the browser encounters a .SWF file, for example, the Flash Player plugin runs the file. If the version of Flash Player running the .SWF file is a vulnerable version, and if the .SWF file is built to exploit a vulnerability in that version of Flash, the exploit will occur unless something is able to intervene, such as Malwarebytes Anti-Exploit. This is the reason you hear so many people cry for you to patch your software religiously, to disable plug-ins you don't need, and/or to run extensions/add-ons like NoScript so you can allow scripting on a file-by-file basis. No solution is one-size-fits-all, of course.


Edited by PresComm, 08 June 2015 - 01:12 PM.
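The chain PresComm walks through above (entry site, redirector, landing page, plugin exploit object, payload fetched with no user-visible download) is what a defender would look for in proxy logs. The following detection heuristic is an added example, not code from this thread or from the linked blogs: it walks the Referer chain back from any executable response, and flags it when the chain crossed hosts and one page on it also loaded a Flash/Java/Silverlight object within a short window. The tab-separated log format, the hostnames in the constructed sample, and the content-type sets are assumptions for this example.

```python
"""Flag possible exploit-kit drive-by chains in HTTP proxy logs (added example).
Heuristic: an executable was fetched over a Referer chain that crossed from an
entry site to another host, one page on that chain also loaded a plugin object
(Flash/Java/Silverlight), and it all happened within a short window.
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

PLUGIN_TYPES = {"application/x-shockwave-flash", "application/java-archive",
                "application/x-silverlight-app"}
PAYLOAD_TYPES = {"application/x-msdownload", "application/x-dosexec"}

# Constructed sample log (assumed format: time, client, url, content-type, referer).
# One drive-by chain, one ordinary installer download, one harmless Flash video.
SAMPLE_LOG = """\
2015-06-08T12:00:00\t10.0.0.5\thttp://news.example/article\ttext/html\t-
2015-06-08T12:00:01\t10.0.0.5\thttp://ads-redirector.example/r\ttext/html\thttp://news.example/article
2015-06-08T12:00:02\t10.0.0.5\thttp://landing.example/index.php\ttext/html\thttp://ads-redirector.example/r
2015-06-08T12:00:03\t10.0.0.5\thttp://landing.example/exp.swf\tapplication/x-shockwave-flash\thttp://landing.example/index.php
2015-06-08T12:00:05\t10.0.0.5\thttp://landing.example/payload\tapplication/x-msdownload\thttp://landing.example/index.php
2015-06-08T12:10:00\t10.0.0.7\thttp://vendor.example/downloads\ttext/html\t-
2015-06-08T12:10:04\t10.0.0.7\thttp://vendor.example/setup.exe\tapplication/x-msdownload\thttp://vendor.example/downloads
2015-06-08T12:20:00\t10.0.0.9\thttp://video.example/watch\ttext/html\t-
2015-06-08T12:20:01\t10.0.0.9\thttp://video.example/player.swf\tapplication/x-shockwave-flash\thttp://video.example/watch"""

def parse_line(line):
    ts, client, url, ctype, referer = line.split("\t")
    return {"ts": datetime.fromisoformat(ts), "client": client, "url": url,
            "ctype": ctype, "referer": None if referer == "-" else referer}

def find_drive_by_chains(log_text, window_s=60):
    reqs = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_url = {(r["client"], r["url"]): r for r in reqs}
    children = defaultdict(list)  # (client, referer) -> requests that page spawned
    for r in reqs:
        if r["referer"]:
            children[(r["client"], r["referer"])].append(r)
    chains = []
    for r in reqs:
        if r["ctype"] not in PAYLOAD_TYPES:
            continue
        chain, cur = [r], r  # walk the Referer chain back towards the entry site
        while cur["referer"] and len(chain) < 10:
            prev = by_url.get((cur["client"], cur["referer"]))
            if prev is None or (r["ts"] - prev["ts"]).total_seconds() > window_s:
                break
            chain.append(prev)
            cur = prev
        # A plugin object loaded by any page on the chain is the exploit-kit tell.
        loaded_plugin = any(c["ctype"] in PLUGIN_TYPES for node in chain
                            for c in children[(node["client"], node["url"])])
        hosts = {urlparse(node["url"]).hostname for node in chain}
        if loaded_plugin and len(hosts) >= 2:
            chains.append([node["url"] for node in reversed(chain)])
    return chains
```

Calling find_drive_by_chains(SAMPLE_LOG) returns only the first client's chain as an ordered list of URLs from entry page to payload; the plain installer download and the Flash video are not flagged.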


#13 Sintharius

    Bleepin' Sniper

  • Members
  • 5,639 posts
  • Gender:Female
  • Location:The Netherlands

Posted 08 June 2015 - 12:59 PM

Yes, anti-virus/anti-exploit can intervene at this point, but that goes with usual caveats (definitions need to be updated, attacker can bypass protections by using polymorphic copies of the malware, malware can be packed, etc.)

You probably confused anti-exploit with anti-malware - AE software does not rely on signatures. It monitors software for suspicious activities resembling exploit methods and blocks those when it detects something :)

#14 PresComm

  • Members
  • 109 posts
  • Gender:Male

Posted 08 June 2015 - 01:10 PM

I was referring to the first part of that slashed statement, the anti-virus part. Once Bedep is dropped, anti-virus could pick it up, but only if the signatures are up to date. Apologies. That statement was unclear. I will fix it.



#15 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,664 posts
  • Gender:Male

Posted 08 June 2015 - 01:12 PM

I can confirm that TrendMicro doesn't pick up Bedep or Vawtrak at all :P And Angler/Magnitude EK are still everywhere.





