||As Internet plays an important role for more people in their life, more malicious attackers have changed the targets from web servers of enterprises or organizations to personal computer users by infecting computers with malware or adware for financial gains. In order to compromise the computers of end users which usually don’t provide popular services for traditional infection routine, web-based attack has become an effective method to infect personal computers. In recently years, a notorious web-based attack mechanism, called “drive-by downloads”, makes numbers of hosts infected by malware. Attackers inject malicious contents into webpage stored in vulnerable web server via common attacking techniques like SQL injection. Victims then visit these webpage without alertness because these malicious contents are invisible to them except that they check the source code carefully. When vulnerable browsers read these malicious contests, they secretly download and automatically install harmful binaries in background.|
This paper introduces a browser-side solution to prevent web browsers from executing binaries downloaded by drive-by downloads. We do not have to analyze the source code of webpage but focus on blocking browsers from executing the binary which has the “secretly download” characteristic. This solution currently works on Internet Explorer 7.0 on Microsoft Windows with low overhead and low false rate.
|| X-Force 2008 Annual Report, http://www-935.ibm.com/services/us/iss/xforce/|
 N. Provos, D. McNamee, P. Mavrommatis, K. Wang and N. Modadugu, " The Ghost In The Browser: Analysis of Web-based Malware", In Proceedings of the first USENIX workshop on hot topics in Botnets (HotBots’07). (April 007).
 N. Provos, P. Mavrommatis, M. Rajab and F. Monrose, "All Your iFRAMEs Point to Us", In 17th USENIX Security Symposium, pp. 1–15, 2008
 M. Polychronakis, P. Mavrommatis and N. Provos, "Ghost turns Zombie: Exploring the Life Cycle of Web-based Malware". In Proceedings of the 1st USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET) (April 00 ).
 Norton Safe Web, http://safeweb.norton.com/
 McAFee SiteAdvisor, http://www.siteadvisor.com/
 Trend Micro’s TrendProtect, http://www.trendsecure.com/portal/en-US/tools/security_tools/trendprotect
 P. Ratanaworabhan, B. Livshits and B. Zorn, "Nozzle: A Defense Against Heap-spraying Code Injection Attacks", Microsoft Research Technical Report MSR-TR-2008-176
 Microsoft Security Research & Defense, http://blogs.technet.com/srd/archive/2008/02/06/The-Kill_2D00_Bit-FAQ_3A00_-Part-1-of-3.aspx
 R. Repasi and S. Clausen, "Providing a Rating for a Web Site Based on Weighted User Feedback”, United States Patent Application Publication, US 2007/0271246
 Security Policy Settings on Windows Vista, http://technet.microsoft.com/en-us/library/cc722034(WS.10).aspx
 NetApplications Company News (December 1, 2008), http://www.netapplications.com/newsarticle.aspx?nid=45
 National Vulnerability Database, http://nvd.nist.gov/
 The Component Object Model: A Technical Overview, http://msdn.microsoft.com/en-us/library/ms809980.aspx
 Detours, http://research.microsoft.com/en-us/projects/detours/
 Abhishek Singh, “Portable Executable File Format”, Identifying Malicious Code Through Reverse Engineering, Advances in Information Security, Springer US
 Named Pipes, http://msdn.microsoft.com/en-us/library/aa365590(VS.85).aspx