This shows the differences between two versions of the page.
Newer revision | Older revision | ||
racfor_wiki:mrezna_forenzika:drive-by_download_attack [2020/01/10 01:52] ytulet created |
racfor_wiki:mrezna_forenzika:drive-by_download_attack [2024/12/05 12:24] (current) |
||
---|---|---|---|
Line 12: | Line 12: | ||
\\ | \\ | ||
The drive-by download attack is a popular method used by cybercriminals to spread malwares on victims computers. Attacker contaminates victim' | The drive-by download attack is a popular method used by cybercriminals to spread malwares on victims computers. Attacker contaminates victim' | ||
- | In this seminar, we will learn how to identify this type of attack and understand how it works. We will see the different phases of the attack to understand how it is possible to detect it. The purpose of this seminar is to provide the reader with tips to prevent against drive-by download attacks.\\ | + | In this seminar, we will learn how to identify this type of attack and understand how it works. We will see the different phases of the attack to understand how it is possible to detect it. The purpose of this seminar is to provide the reader with tips to prevent against drive-by download attacks. |
- | <font 18px/ | + | <font 18px/ |
- | - <font 16px/ | + | |
+ | | ||
| | ||
The purpose of this attack is to install malware on a victim computer in order to retreive data from it. The attacker will weaponize a site with an exploit (JavaScript, | The purpose of this attack is to install malware on a victim computer in order to retreive data from it. The attacker will weaponize a site with an exploit (JavaScript, | ||
- | The malware will open a connection with the attacker and permit remote access to the victim computer. With this access, the attacker will gather data that he need (paswords, data, ...). Attacker will store data on an external website to gather it later on his own computer. \\ | + | The malware will open a connection with the attacker and permit remote access to the victim computer. With this access, the attacker will gather data that he need (paswords, data, …). Attacker will store data on an external website to gather it later on his own computer. \\ |
- | With the access of the victim computer, attacker can also install another malicious malware or programs like spywares for example. | + | With the access of the victim computer, attacker can also install another malicious malware or programs like spywares for example. |
\\ <font 18px/ | \\ <font 18px/ | ||
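Review bot: the subheading removed on the old side of this hunk ('- | <font 16px/') has no visible replacement on the new side, and both '<font 18px/' heading lines are truncated in this diff view, so it cannot be confirmed here that the section keeps its subsection title; check the rendered page. While this section is being edited, the spelling errors on the unchanged context lines should be fixed too, since the revision carries them over: 'retreive' should be 'retrieve', 'paswords' should be 'passwords', 'malwares' should be 'malware', 'victims computers' should be "victims' computers", and 'data that he need' should be 'data that he needs'.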
Line 42: | Line 43: | ||
\\ <font 18px/ | \\ <font 18px/ | ||
- | |||
- | <font 16px/ | ||
To investigate this kind of attack, we will use the RSA NetWitness software. We can see on this image how it is difficult to detect it without this software. \\ | To investigate this kind of attack, we will use the RSA NetWitness software. We can see on this image how it is difficult to detect it without this software. \\ | ||
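Review bot: this hunk deletes an empty line and a '<font 16px/' subheading directly above the RSA NetWitness paragraph without adding anything in their place, so the investigation paragraph now sits directly under the 18px heading with no subsection title of its own; confirm that is intended. The sentence 'We can see on this image how it is difficult to detect it without this software' also refers to an image embed that is outside this hunk; make sure the media line still precedes it after the heading removal.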
Line 77: | Line 76: | ||
When searching on the metadata, we can see that a “java.exe” file was downloaded. The software prevent us from a risk caused by an anormal “exe” file. We didn’t intentionaly download this file and the software detect it as a malware. \\ \\ | When searching on the metadata, we can see that a “java.exe” file was downloaded. The software prevent us from a risk caused by an anormal “exe” file. We didn’t intentionaly download this file and the software detect it as a malware. \\ \\ | ||
By continuing the investigation, | By continuing the investigation, | ||
- | Unfortunatly, | + | Unfortunatly, |
- | The most effective technique is to simply add an script-blocker extension to your browser. For exemple “NoScript” extension can be added to firefox browser so that you can choose to disable all the scripts on the pages that you browse except scripts that are essential for the page functionalities. | + | |
+ | The most effective technique is to simply add an script-blocker extension to your browser. For exemple “NoScript” extension can be added to firefox browser so that you can choose to disable all the scripts on the pages that you browse except scripts that are essential for the page functionalities. | ||
We can take into account that scripts-blockers extensions will permit to save bandwidth because we now also block advertising script that display pop-up on your screen. \\ | We can take into account that scripts-blockers extensions will permit to save bandwidth because we now also block advertising script that display pop-up on your screen. \\ | ||
In addition, you have some others options that can increase a little bit more your safety on your computer : | In addition, you have some others options that can increase a little bit more your safety on your computer : | ||
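Review bot: the only change in this hunk is the blank line inserted before the NoScript recommendation (the 'Unfortunatly,' line is otherwise carried over), so the wording problems in this section remain and should be fixed in the same edit: 'Unfortunatly' should be 'Unfortunately', 'an script-blocker' should be 'a script-blocker', 'exemple' should be 'example', 'firefox' should be 'Firefox', and in the context line above, 'The software prevent us from a risk caused by an anormal "exe" file' should read 'The software warns us of a risk caused by an abnormal "exe" file'. The bandwidth sentence ('scripts-blockers extensions will permit to save bandwidth') would also read better as 'script-blocker extensions also save bandwidth, because advertising scripts that open pop-ups are blocked as well'.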
Line 84: | Line 85: | ||
<font 16px/ | <font 16px/ | ||
- | {{: | + | {{: |
This image show the number of security failures used on the three most used internet browsers for initiate a drive-by download attack. Risks remains but your can see that certain security failures have been corrected over the versions. Updating your sofware is an easy and quickly way to increase your safety online. | This image show the number of security failures used on the three most used internet browsers for initiate a drive-by download attack. Risks remains but your can see that certain security failures have been corrected over the versions. Updating your sofware is an easy and quickly way to increase your safety online. | ||
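Review bot: the image embed line ('{{:') changes in this hunk, but both sides are truncated in this diff view, so it is not possible to verify that the new media target exists or that the following sentence ('This image show the number of security failures ...') still describes the same figure; check the rendered page. On the unchanged context line, 'security failures' is a non-standard term for what the figure counts and should be 'vulnerabilities'; 'This image show' should be 'This image shows', 'Risks remains but your can see' should be 'Risks remain, but you can see', and 'sofware is an easy and quickly way' should be 'software is an easy and quick way'.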
Line 91: | Line 92: | ||
As we saw above, the better way to prevent drive-by download attacks is to use a extension blocker. It is also a good idea to sort the plugins that are installed on your browser. Indeed, we often have a lot of extension that gives permissions to developpers on ours internet browsers. It is a good idead to sort your plugins by asking you some basics question : “What permissions do I give to this plugin ? “, “Do I trust the developers of this plugin?”, … \\ | As we saw above, the better way to prevent drive-by download attacks is to use a extension blocker. It is also a good idea to sort the plugins that are installed on your browser. Indeed, we often have a lot of extension that gives permissions to developpers on ours internet browsers. It is a good idead to sort your plugins by asking you some basics question : “What permissions do I give to this plugin ? “, “Do I trust the developers of this plugin?”, … \\ | ||
- | You have to keep in mind that the fewer plugins you have, the better your security is. \\ | + | You have to keep in mind that the fewer plugins you have, the better your security is. |
- | As we saw, the downloads are sometimes initialized by the interraction with a pop-up window. In addition to making browsing the internet more pleasant, ad blockers can prevent drive-by donwload attacks. | + | |
- | Using an administrator account when surfing on internet results in allowing malware to be downloaded without asking your permission. The same goes for malware on your computer. The latter can install malicious programs without asking your permission. You can fix this issue by using a non-privileged account for daily use and switch on privileged account only for installing your softwares. This behavior will greatly reduce your risk of undergoing a drive-by download attack. | + | \\ **<font 16px/ |
- | Of course a firewall will never be foolproof but it can be effective if the thread you incounter on internet is well known. | + | As we saw, the downloads are sometimes initialized by the interraction with a pop-up window. In addition to making browsing the internet more pleasant, ad blockers can prevent drive-by donwload attacks. |
- | A common mistake is to think that smarphones are safe from attack. Moreover, attackers can access more personals data on smarphone than your computer (GPS localisation, | + | |
+ | \\ **<font 16px/ | ||
+ | Using an administrator account when surfing on internet results in allowing malware to be downloaded without asking your permission. The same goes for malware on your computer. The latter can install malicious programs without asking your permission. You can fix this issue by using a non-privileged account for daily use and switch on privileged account only for installing your softwares. This behavior will greatly reduce your risk of undergoing a drive-by download attack. | ||
+ | |||
+ | \\ **<font 16px/ | ||
+ | Of course a firewall will never be foolproof but it can be effective if the thread you incounter on internet is well known. | ||
+ | |||
+ | \\ **<font 16px/ | ||
+ | A common mistake is to think that smarphones are safe from attack. Moreover, attackers can access more personals data on smarphone than your computer (GPS localisation, | ||
+ | |||
+ | \\ **<font 16px/ | ||
Tools like BLADE (Block All Drive-by download Exploits) are designed to block drive-by download attacks. Theses sofware searches for malicious code. When the software detect this kind of code when trying to access a web page, it raise an alarm that will stop the request. | Tools like BLADE (Block All Drive-by download Exploits) are designed to block drive-by download attacks. Theses sofware searches for malicious code. When the software detect this kind of code when trying to access a web page, it raise an alarm that will stop the request. | ||
- | | + | \\ <font 18px/ |
- | In this seminar, we learned how a drive-by download attack takes place. We saw that it can be use for a lot of malicious purposes and it is important to put in place the means to prevent it. It is important to keep in mind that this type of attack is more and more frequently used by the cybercriminals. As we have seen, there are a number of ways to significantly limit the risks. In the event of a successful attack, we have seen that there are tools for tracing events to understand what the attacker did on our computer. | + | In this seminar, we learned how a drive-by download attack takes place. We saw that it can be use for a lot of malicious purposes and it is important to put in place the means to prevent it. It is important to keep in mind that this type of attack is more and more frequently used by the cybercriminals. As we have seen, there are a number of ways to significantly limit the risks. In the event of a successful attack, we have seen that there are tools for tracing events to understand what the attacker did on our computer. \\ |
- | \\ | + | \\ \\ \\ \\ <font 18px/ |
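Review bot: the administrator-account paragraph (unchanged apart from its new bold subheading) misstates the mechanism: running as an administrator does not cause files to be downloaded 'without asking your permission'; the point is that code executed from a drive-by page runs with the privileges of the logged-in user, so in an administrator session the dropped malware can install system-wide and persist, whereas in a non-privileged session its damage is limited. Reword the paragraph along those lines so the advice to use a non-privileged account for daily use is correctly motivated. Since the whole section is being restructured into '**<font 16px/' subheadings, the carried-over spelling errors should also be fixed here: 'a extension blocker' should be 'a script-blocking extension' (matching the earlier section), 'developpers on ours internet browsers' should be 'developers on our browsers', 'idead' should be 'idea', 'interraction' should be 'interaction', 'donwload' should be 'download', 'thread you incounter' should be 'threat you encounter', 'smarphones' should be 'smartphones', 'Theses sofware searches' should be 'These tools search', and in the conclusion 'can be use for' should be 'can be used for'. The new trailing heading line ('\\ \\ \\ \\ <font 18px/') is truncated in this view, so its title cannot be checked from the diff.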