
I've been reading a lot on here about malicious downloads from browsing sites, drive-by downloads, etc., but never heard talk about how the download happens, and how it would bypass the internal download of the browser. In most browsers you will be notified when you are downloading something, i.e., Chrome shows all downloads at the bottom in its own tray.

It seems to me that these malicious downloads are stealthy, which would mean that they would work around any built in browser downloader.

My question is, if this is indeed the case of getting around it, how is that possible, and what methods are being used to stop this, and is there anything we on the client can do?

If this isn't the case, then does that mean it downloads as a regular file, in which ignorant users will then run the program?

I've run into a situation on someone I know's computer where they visited a site and they had additional extensions downloaded into their Chrome browser that caused sketchy things such as a fake Google "new tab" page. So to me, it seems as if a lot of this can happen without the user allowing it (or they don't know they allowed it?).

EDIT: I found this question: "Do drive by download attacks include malicious file downloading?"

It doesn't exactly answer my question, but adds to it, saying that a user would have to run a file, or malicious JS running, ActiveX, Java, etc., but I'm curious if there's a way around the downloaders, in that malicious code is downloaded to your machine. It also would seem the user might need to run it, but at the same time, maybe not... I guess it would depend on what the malicious code actually is, and what it's attacking you through? i.e., is it a file, or Java, or Adobe Flash, etc...

XaolingBao

2 Answers


The important thing to understand here is that "browsing" as such is dangerous if your browser is vulnerable and you visit the wrong site. The problem has nothing (or little) to do with what most users call "downloading", i.e. the intentional download of a file in order to save it on disk for later use (like downloading a pdf, an exe, a picture or movie or whatever).

In order to understand what happens you need to think of what computer programs are. They are processes which run in memory. They accept input and produce output. I'm of course simplifying but you'll soon get the idea. Input is what you provide (mouse clicks, URL information, form data you fill in etc.). Output is mostly what is rendered in the browser window and what you consume through your eye and your brain.

Another input to the browser program is what the browser downloads from the site(s) you visited. Keep in mind that it can be hard to keep track of what is actually loaded from the site. The site might link hundreds of other sites in order to get pictures, styles, JavaScript, create ads, include Facebook likes etc. etc.

Now how are computer programs compromised? Through malformed input in situations where programmers forgot to check input for correct format or made programming mistakes otherwise. In our case: if you visit the wrong site then it will send malformed HTML, CSS, malformed movie format, ... (whatever the hacker finds that can be exploited) to your browser hoping that you're using a vulnerable version. Then, in the browser process, a buffer overflow or similar happens and the hacker achieves RCE (remote code execution, which means he turns your browser into a tool of his will).

So in case the browser is vulnerable you don't need an intentional download in order to get hacked. If it's done well, you won't even notice when it happens.

Browser extensions usually make this worse. Generally, the more software you run and that processes external (unverified) input the bigger the attack surface becomes.

So what can you do?

  • Make sure your browser is patched up to date
  • Avoid stuff which is known to be vulnerable (Flash Player)
  • Avoid sites which look fishy
  • If you can, use virtualization technologies (use a browser in a virtual machine. Reset the VM image after each use)

kaidentity
  • Thanks for the perspective. Once the browser is hijacked, how far does that go into the machine? I'm assuming if the machine is updated for the most part then you should be okay. Essentially, if the browser is closed, what are the chances of the malicious user still being able to do things? I would also assume that being connected remotely would pop up on applications such as Wireshark where we could see information being sent to and from the malicious user? – XaolingBao Jan 10 '17 at 12:23
  • First: How serious this is depends on how powerful your user is in the OS. If you have admin privileges then the malware can install a backdoor within milliseconds. Probably you can't close the browser fast enough. If you are not admin then the malware might try to escalate its rights to admin, which can take time because it often cannot be automated. – kaidentity Jan 10 '17 at 12:29
  • Second: If the hacker communicates with the malware in order to spy you out (or decide on what to do next) he can disguise the communication as HTTP, DNS, whatever, so you have no chance to see that, and even intrusion detection systems are usually defenseless against this. So it is crucial to prevent all this from happening in the first place. – kaidentity Jan 10 '17 at 12:30
  • Well, even if it's disguised, if you see the information being sent, it should be legit, unless there is some sort of encryption or obfuscation going on that makes it seem like everything is normal, and then gets changed back to normal on the enemy server? – XaolingBao Jan 11 '17 at 01:41
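As an added illustration of the point in kaidentity's answer above (this is not code from the answer, and not taken from any real browser), here is a toy C parser that pulls the element name out of an HTML-like tag such as `<script src="x.js">` into a fixed-size buffer. The naive version trusts the page to keep the name short; the hardened version makes the destination size part of the contract and rejects oversized or unterminated input before writing anything out of bounds. The function names, the 16-byte limit and the sample inputs are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Toy model of a browser-side parser (constructed for illustration):
 * extract the element name from "<name ...>" into a caller-supplied
 * buffer.  The buffer size below is an arbitrary small value. */
#define NAME_BUF 16

/* Naive version: copies until '>' or a space with no bound on the
 * destination.  Input is untrusted (it comes from the web page), so the
 * page, not the programmer, decides how many bytes get written.  A tag
 * name longer than the buffer writes past its end: the class of bug
 * (memory corruption reachable from untrusted input) the answer describes. */
int parse_tag_name_naive(const char *input, char *out)
{
    if (*input != '<') return -1;
    input++;
    int n = 0;
    while (*input && *input != '>' && *input != ' ') {
        out[n++] = *input++;        /* no check against the buffer size */
    }
    out[n] = '\0';
    return n;
}

/* Hardened version: the destination size is an explicit parameter and
 * the check happens before every write.  Malformed input is refused
 * (return -1, empty output) rather than silently truncated. */
int parse_tag_name_safe(const char *input, char *out, size_t out_size)
{
    if (out_size == 0 || *input != '<') return -1;
    input++;
    size_t n = 0;
    while (*input && *input != '>' && *input != ' ') {
        if (n + 1 >= out_size) {    /* keep one byte for the terminator */
            out[0] = '\0';
            return -1;              /* oversized name: reject it */
        }
        out[n++] = *input++;
    }
    if (*input != '>' && *input != ' ') {
        out[0] = '\0';
        return -1;                  /* input ended before the tag closed */
    }
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    char buf[NAME_BUF];
    const char *benign  = "<script src=\"x.js\">";
    /* 32 'a's: deliberately longer than NAME_BUF (constructed input) */
    const char *hostile = "<aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa>";

    printf("safe(benign)  = %d (%s)\n",
           parse_tag_name_safe(benign, buf, sizeof buf), buf);
    printf("safe(hostile) = %d\n",
           parse_tag_name_safe(hostile, buf, sizeof buf));
    /* parse_tag_name_naive(hostile, buf) is intentionally not called:
     * it would write 33 bytes into a 16-byte buffer, which is undefined
     * behaviour, and that is exactly the bug. */
    return 0;
}
```

Compile with `cc -Wall example.c && ./a.out`. The safe parser returns 6 for the benign tag and -1 for the oversized one; the naive parser is only ever safe for inputs the page happens to keep short, which is why patching matters: the fix is a length check in code you do not control.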

As a web developer, specifically a long-term maintainer of the download.js library (merely citing for relevance, since I keep up with this stuff to keep it updated), I can assure you that downloads are NOT SUPPOSED to happen without consent. Sometimes they do:

  1. the user has chosen to download or automatically open a certain file type, but that should not include executables. This is the "Always open files of this type" option, which can get you with Word macros and whatnot.

  2. there is a flaw in a plugin, browser, or extension that allows the malicious page to use a non-regulated way of saving the file. Examples include old Flash that could write directly to the hard drive, PDF exploits, and IE6's terrible "zone" system being mismanaged.

  3. normally harmless files can be made malicious: Word macros, PDF reader exploits, even ill-behaved zip and audio files. Sometimes extensions show these files in the browser, leading to a compromise because the user was not asked if showing it is acceptable.

  4. the user is tricked into running a full-on executable that they approved the download of, often under the guise of a game, video codec, sex tape, etc.

  5. email-based attacks try to hook into OS-internal script handlers, bypassing the browser's protections and sandboxing. This is where a JScript or PowerShell script fetches a larger payload over HTTP into the temp folder and runs it.

In short, no: the attacks no longer bypass the browser's defenses; they fool the user or employ non-browser methods.

dandavis