在許多人的生活中，隨著網路扮演著越重要的角色，更多的惡意攻擊者為了財產利益改變了最終攻擊目標，從以往對商業或組織的網站或伺服器的攻擊改為攻擊一般使用者的個人電腦。由於終端使用者的電腦已不使用傳統的網路服務以提供攻擊者經由這些服務入侵電腦，網頁形態的攻擊已經成為現今最有效的入侵個人電腦的方式。最近幾年，一種著名的被稱為”Drive-by Downloads”的網頁攻擊機制已經造成了無數個人電腦被安裝惡意程式。攻擊者對有漏洞的網頁伺服器使用一些攻擊方式，例如資料隱碼攻擊(SQL injection)，對存放在伺服器上的網頁注入有害的網頁程式碼。除非受害者仔細的檢查網頁原始碼，否則瀏覽這些網頁時並不會有所警覺，因為被注入的網頁程式碼並不會顯現在網頁上。當有漏洞的瀏覽器讀到被注入的網頁程式碼時，它會秘密下載惡意程式並且在背景自動執行那些惡意程式。
本篇論文介紹了一種在瀏覽器端的方法來阻止執行經由Drive-by Downloads所下載下來的執行檔。我們不需要去分析網頁的內容，只會阻擋瀏覽器去執行那些被秘密下載下來的執行檔。目前這個解決方案適用在Windows上的Internet Explorer 7.0以下的瀏覽器，而且造成很低的額外需求，同時也有很低的誤判例外。

As Internet plays an important role for more people in their life, more malicious attackers have changed the targets from web servers of enterprises or organizations to personal computer users by infecting computers with malware or adware for financial gains. In order to compromise the computers of end users which usually don’t provide popular services for traditional infection routine, web-based attack has become an effective method to infect personal computers. In recently years, a notorious web-based attack mechanism, called “drive-by downloads”, makes numbers of hosts infected by malware. Attackers inject malicious contents into webpage stored in vulnerable web server via common attacking techniques like SQL injection. Victims then visit these webpage without alertness because these malicious contents are invisible to them except that they check the source code carefully. When vulnerable browsers read these malicious contests, they secretly download and automatically install harmful binaries in background.
This paper introduces a browser-side solution to prevent web browsers from executing binaries downloaded by drive-by downloads. We do not have to analyze the source code of webpage but focus on blocking browsers from executing the binary which has the “secretly download” characteristic. This solution currently works on Internet Explorer 7.0 on Microsoft Windows with low overhead and low false rate.

[1] X-Force 2008 Annual Report, http://www-935.ibm.com/services/us/iss/xforce/
[2] N. Provos, D. McNamee, P. Mavrommatis, K. Wang and N. Modadugu, " The Ghost In The Browser: Analysis of Web-based Malware", In Proceedings of the first USENIX workshop on hot topics in Botnets (HotBots’07). (April 007).
[3] N. Provos, P. Mavrommatis, M. Rajab and F. Monrose, "All Your iFRAMEs Point to Us", In 17th USENIX Security Symposium, pp. 1–15, 2008
[4] M. Polychronakis, P. Mavrommatis and N. Provos, "Ghost turns Zombie: Exploring the Life Cycle of Web-based Malware". In Proceedings of the 1st USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET) (April 00 ).
[5] Norton Safe Web, http://safeweb.norton.com/
[6] McAFee SiteAdvisor, http://www.siteadvisor.com/
[7] Trend Micro’s TrendProtect, http://www.trendsecure.com/portal/en-US/tools/security_tools/trendprotect
[8] P. Ratanaworabhan, B. Livshits and B. Zorn, "Nozzle: A Defense Against Heap-spraying Code Injection Attacks", Microsoft Research Technical Report MSR-TR-2008-176
[9] Microsoft Security Research & Defense, http://blogs.technet.com/srd/archive/2008/02/06/The-Kill_2D00_Bit-FAQ_3A00_-Part-1-of-3.aspx
[10] R. Repasi and S. Clausen, "Providing a Rating for a Web Site Based on Weighted User Feedback”, United States Patent Application Publication, US 2007/0271246
[11] Security Policy Settings on Windows Vista, http://technet.microsoft.com/en-us/library/cc722034(WS.10).aspx
[12] NetApplications Company News (December 1, 2008), http://www.netapplications.com/newsarticle.aspx?nid=45
[13] National Vulnerability Database, http://nvd.nist.gov/
[14] The Component Object Model: A Technical Overview, http://msdn.microsoft.com/en-us/library/ms809980.aspx
[15] Detours, http://research.microsoft.com/en-us/projects/detours/
[16] Abhishek Singh, “Portable Executable File Format”, Identifying Malicious Code Through Reverse Engineering, Advances in Information Security, Springer US
[17] Named Pipes, http://msdn.microsoft.com/en-us/library/aa365590(VS.85).aspx