Can you get a virus/malware just by visiting a website?

virtualmod
Site Admin
Posts: 2928
Joined: Wed Dec 11, 2019 8:31 am

Can you get a virus/malware just by visiting a website?

Post by virtualmod »

Malware/virus can't infect my computer unless I open the file, right?
Yes, it's entirely possible to get infected by simply visiting a website, most commonly via what we call "Exploit Kits". Right now, EKs are used to deliver a lot of dangerous malware (such as banking trojans and cryptoware) to computers worldwide.
If the file pushed onto your system is already known to your antivirus or antimalware (in its database), then it's detectable. If it's not, it won't do anything. And we all know that no product has a 100% detection ratio. There is no antivirus software that can detect all malware in the world. Some antivirus programs can detect things that others still can't.
Such attacks are called "drive-bys" or "exploits" and commonly target the Java, Flash and Silverlight plugins, as well as Adobe Reader and the Internet Explorer browser. Exploits can also attack media player software and all the other common browsers (Chrome, Firefox and all the rest). Fortunately there are some ways to make it much harder for drive-by attacks to infect you.
Even if it's a well-known malware, cybercriminals can use a packer (read: encrypt the malware) to make it FUD (fully undetectable) to antivirus and antimalware software that rely on signatures. This can be defeated by the use of behavioral analysis (Emsisoft's Behavior Blocker), a sandbox (Sandboxie, Comodo Internet Security's Defense+) or rollback (Kaspersky's System Watcher).
Users are 21 times more likely to get hit with malware from online shopping sites, and 27 times more likely with a search engine, than if they'd gone to a counterfeit software site, according to Cisco.

If it is downloaded, wouldn't, for example, the Chrome browser show the file downloading in the download bar? Also, how can it execute by itself?
It uses exploits to download and execute undetected. Malware exploit files are small files, only a few kilobytes; if you have download speeds of 0.5 Mb per second they would download so fast that there wouldn't even be time to show a "downloading" bar. Also, exploits do not download in the same way as normal file downloads; they take other routes, so they wouldn't be counted by the browser as downloads and put into any download history it keeps. The self-execution of exploit files happens because of the exploit methods: these basically let them bypass normal downloading and opening entirely; they download themselves and immediately run themselves.

What to do to secure my computer?
Always make sure your browser is up to date, and the plugins within your browser as well. Updates to browsers and plugins patch vulnerabilities, so an old, un-updated browser will be vulnerable to most exploits in use, while an up-to-date browser will not be vulnerable to recently developed exploits. IE is the most vulnerable; Firefox and Chrome are both far more secure, but neither is perfect.
Deactivate all your plugins or set them to "click to play". Loads more exploits exist which attack Flash, Java and Silverlight compared to the lower (but still terrifyingly large) number of exploits which target the browsers themselves. If you disable the plugins you don't use, and set those you sometimes use to "click to play" or "ask to activate", then exploits which attack plugins are less of a danger to you. Firefox makes it easy to disable plugins or set them to "ask to activate"; Chrome also makes it fairly easy: these days it is set up to do this by going to "sandwich button" --> Settings --> Show advanced settings --> Content settings --> Let me choose when to run plugin content. I don't know if IE lets you disable plugins like this or set them to only run when you approve them.
Run a script blocker. This will protect you from exploits on the page you are visiting, and from exploits on other domains which are trying to load content onto the page you are on (the script blocker will stop them). A script blocker also blocks adverts as a side effect, although you might want to run an ad blocker alongside it as well. NoScript is a script blocker for Firefox.
https://en.wikipedia.org/wiki/NoScript
A script blocker like NoScript should make drive-bys impossible when you have it turned on, but sometimes you will need to allow some things through it for some things (videos mostly) on pages to work; if you only allow things from very trustworthy domains, then it will keep you extremely safe. A script blocker prevents exploits before they can begin; it's an "anything the user doesn't allow deliberately is by default forbidden" type of security solution.
Run some sort of specialised anti-exploit protection. Malwarebytes Anti-Exploit does this; it is a free program which blocks common exploit methods. This means that it can protect against unknown viruses, because it blocks anything that looks like an exploit without needing to worry about precisely what the payload is. This sort of program acts as a layer "behind" your browser, whereas things like NoScript and ad blockers act as layers "in front of" your browser. MBAE works well in combination with NoScript and Firefox.
Keep your antivirus running as it is, and run a real-time protection antimalware alongside it if you can. An antivirus and antimalware act as another layer behind any specialised anti-exploit protection you have.
For further protection you can also run whitelisting software, which prevents any exe file which you have not previously approved from being able to execute.
The key thing with protecting yourself from exploits is to use "anything not allowed by the user is forbidden" types of security as well as the standard method an antivirus uses, "anything not matching this database of known nasties is allowed". Things like NoScript and MBAE, as well as whitelisting programs, use this first method and therefore don't need to recognise every virus; they just stop anything which the user doesn't choose to allow. A brand-new virus would not be recognised by antivirus and antimalware programs, but it wouldn't be able to infect a NoScript user unless they allowed the object or script delivering it to run, and it wouldn't be able to infect an MBAE user unless it was using some utterly new and unrecognised exploit method. If you follow all the suggestions mentioned here, being exploited should be impossible. Note that you still need your antivirus running as well, because MBAE and NoScript won't protect you from files you deliberately open and run.
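The post above contrasts two models: the antivirus "block what matches the known-bad database" model and the NoScript-style "block everything the user did not deliberately allow" model. The following is an added example (not code from the original post, nor from NoScript or MBAE) that runs one page's constructed resource requests through both policies so the difference is visible: an exploit-kit object from a domain nobody has seen before passes the blocklist and is stopped by the allowlist. The domain names, allowlist and blocklist are all assumptions for illustration.

```python
"""Default-deny vs default-allow handling of a page's active content.

Added example (not code from the original post or from NoScript/MBAE):
it models the two security models the post contrasts. The allowlist,
blocklist and request list below are constructed for illustration.
"""
from urllib.parse import urlsplit

# Hypothetical user allowlist: base domains the user deliberately trusts.
USER_ALLOWLIST = {"news-site.example", "cdn-for-news.example"}

# Hypothetical "database of known nasties" the default-allow model relies on.
KNOWN_BAD_DOMAINS = {"old-exploit-host.example"}

# Constructed requests triggered by one page view: (resource type, URL).
PAGE_REQUESTS = [
    ("document", "https://news-site.example/article/123"),
    ("script",   "https://cdn-for-news.example/js/app.js"),
    ("script",   "https://ads-network.example/serve.js"),    # ad network script
    ("object",   "https://ek-landing.example/loader.swf"),   # plugin object the ad pulls in
    ("script",   "https://old-exploit-host.example/x.js"),   # already in the blocklist
]

# Content that neither model treats as active (always fetched and rendered).
PASSIVE_TYPES = {"document", "image", "stylesheet"}


def base_domain(url: str) -> str:
    """Registrable domain of a URL's host (last two labels).
    Simplification: real blockers use the Public Suffix List, so that
    'example.co.uk' is not reduced to 'co.uk'."""
    host = urlsplit(url).hostname or ""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def default_allow(reqtype: str, url: str) -> str:
    """Antivirus-style model: everything runs unless it matches a known-bad entry."""
    if reqtype in PASSIVE_TYPES:
        return "allowed"
    return "blocked" if base_domain(url) in KNOWN_BAD_DOMAINS else "allowed"


def default_deny(reqtype: str, url: str) -> str:
    """NoScript-style model: active content runs only from domains the user allowed."""
    if reqtype in PASSIVE_TYPES:
        return "allowed"
    return "allowed" if base_domain(url) in USER_ALLOWLIST else "blocked"


def evaluate(requests, policy) -> dict:
    """Map each URL to the policy's verdict, preserving request order."""
    return {url: policy(reqtype, url) for reqtype, url in requests}


def blocked_urls(requests, policy) -> list:
    """URLs the given policy would stop from running."""
    return [url for url, verdict in evaluate(requests, policy).items() if verdict == "blocked"]


if __name__ == "__main__":
    for name, policy in (("default-allow", default_allow), ("default-deny", default_deny)):
        print(name, "blocks:", blocked_urls(PAGE_REQUESTS, policy))
```

Run it and the default-allow policy stops only the domain already in the blocklist, while the default-deny policy stops the ad network's script and the unknown landing host's Flash object as well, without knowing anything about them. The price, as the post says, is that allowing a domain is a decision the user has to make deliberately.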

Re: Can you get a virus/malware just by visiting a website?

Post by virtualmod »

VirusBulletin reported that cyber criminals now spread around Cryptolocker / CryptoWall via YouTube. The cyber criminals purchase advertising space and use exploit kits to infect workstations, malware researchers Vadim Kotov and Rahul Kashyap discovered.

They ran into this while checking YouTube and website banners for situations where malware writers had in fact bought space to spread their malware on unpatched computers. The researchers wrote: "We conclude that ad networks could be leveraged to aid, or even be substituted for current exploit kits."

YouTube Ad space turns out to be a cheap and efficient way to spread browser malware while using the powerful YouTube geo-targeting features. Unfortunately, this is a highly profitable criminal business model. The researchers stated there was very little advertising networks could do to prevent the attacks. Obviously YouTube (Google) is going to try hard but preventing this is not easy.

Now, spreading malware via ad networks in itself is nothing new. We have seen this since 2010, when scareware was promoted as "Free Security Scans", remember? The free scan found a host of "problems" and sold you a rip-off bogus AV product.

What is new here is this: clicking on a thumbnail after the first video caused an exploit kit to kick in, finding a known unpatched vulnerability and, once found, executing ransomware code which locks all files and extorts $500. These exploit kits check for hundreds of known holes in no time, and this "ad-network" threat has just escalated to a much higher level.

So, there are a few best-practice points to consider here. Patching end-user workstations as soon as possible gets higher importance. I would look at either blocking YouTube at the edge, and/or deploying more generic browser ad blocker plug-ins, consider an application whitelisting layer, and of course, you guessed it, educate your users!

Re: Can you get a virus/malware just by visiting a website?

Post by virtualmod »

Brad Duncan's website provides great technical detail of the step-by-step machinery that goes on behind the scenes during an exploit kit attack, as does Kafeine's blog. See examples of the Angler EK pushing the Bedep Trojan below:
http://www.malware-traffic-analysis.net ... index.html
http://malware.dontneedcoffee.com/2015/ ... flash.html
Stepping through his post, you can see that just by visiting a site that points to "flash[.]casapiti[.]com[.]ar", or by visiting that site directly, you will be redirected to a page (haitallistakinaglaozonia[.]renteriaonline[.]com) that hosts some files that are designed to exploit vulnerabilities in your browser (those are the 3 items in the "ANGLER EK" section, the GET requests). The browser executes those files, because that is what it is supposed to do. The files themselves exploit vulnerabilities in the browser, which then allows the attacker to do whatever they want to do. In the cases covered by Brad and Kafeine, the Bedep Trojan is pushed onto the machine. Yes, anti-virus can intervene at this point, once Bedep is dropped onto the machine, but that goes with the usual caveats (the attacker can bypass protections by using polymorphic copies of the malware, the malware can be packed, etc.). You should instead be relying on anti-exploit technologies to prevent the exploit in the first place. Again, these can be bypassed. The important thing to note here is that the only action that the user carried out was browsing to a website. The browser and the EK took care of everything else.
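The chain described above (visited site, redirector, EK landing page, exploit files, dropped payload) is exactly what shows up in proxy logs, and it also answers the earlier question in this thread about why nothing appears in the browser's download bar: the payload arrives as a page sub-request with a Referer, not as a navigation the browser treats as a download. The following is an added example, not code from Brad Duncan's or Kafeine's write-ups, that walks Referer links through a constructed proxy log to rebuild such a chain and list the plugin exploit files the landing host served. The log format, log lines and ".example" hostnames are all constructed for illustration; they are not the real hosts from the linked posts.

```python
"""Reconstruct a drive-by chain from HTTP proxy records.

Added example, not code from the write-ups linked above. It follows Referer
links from the page the user navigated to, through the redirector, to the
exploit-kit landing page and the binary it pushes, and reports the chain.
The log lines and hostnames are constructed; the '.example' hosts stand in
for the redirector and landing domains named in the post.
"""
import re
from urllib.parse import urlsplit

# Constructed proxy log: time method url referer content-type bytes ('-' = no Referer)
SAMPLE_LOG = """\
10:00:01 GET http://legit-blog.example/post/42 - text/html 18233
10:00:01 GET http://legit-blog.example/css/main.css http://legit-blog.example/post/42 text/css 4021
10:00:02 GET http://flash.redirector.example/ads.js http://legit-blog.example/post/42 application/javascript 612
10:00:02 GET http://haitallista.landing.example/ http://flash.redirector.example/ads.js text/html 9120
10:00:03 GET http://haitallista.landing.example/x.swf http://haitallista.landing.example/ application/x-shockwave-flash 48210
10:00:03 GET http://haitallista.landing.example/x.js http://haitallista.landing.example/ application/javascript 3300
10:00:04 GET http://haitallista.landing.example/payload.png http://haitallista.landing.example/ application/octet-stream 210944
10:00:09 GET http://legit-blog.example/img/logo.png http://legit-blog.example/post/42 image/png 5001
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<method>\S+) (?P<url>\S+) (?P<referer>\S+) (?P<ctype>\S+) (?P<bytes>\d+)$"
)

# Executable bodies fetched as a page sub-request, which the browser never
# presents as a user download.
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload", "application/x-msdos-program"}
# Plugin content the thread names as the usual exploit carriers.
PLUGIN_TYPES = {"application/x-shockwave-flash", "application/java-archive", "application/x-silverlight-app"}


def parse_log(text: str) -> list:
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    recs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        r = m.groupdict()
        r["referer"] = None if r["referer"] == "-" else r["referer"]
        r["bytes"] = int(r["bytes"])
        r["host"] = urlsplit(r["url"]).hostname
        recs.append(r)
    return recs


def referer_chain(recs: list, url: str) -> list:
    """Walk Referer links back to the document the user navigated to."""
    by_url = {r["url"]: r for r in recs}
    chain, seen = [url], {url}
    cur = by_url.get(url)
    while cur and cur["referer"] and cur["referer"] not in seen:
        chain.append(cur["referer"])
        seen.add(cur["referer"])
        cur = by_url.get(cur["referer"])
    return list(reversed(chain))


def is_silent_binary(rec: dict) -> bool:
    """Executable body pulled in by a page (has a Referer) rather than clicked."""
    return rec["ctype"] in BINARY_TYPES and rec["referer"] is not None


def landing_exploit_files(recs: list, host: str) -> list:
    """Plugin exploit files served by a given landing host."""
    return [r["url"] for r in recs if r["host"] == host and r["ctype"] in PLUGIN_TYPES]


def find_driveby_chains(recs: list) -> list:
    """Report every silent binary whose Referer chain passes through hosts
    other than the one the user visited."""
    findings = []
    for r in recs:
        if not is_silent_binary(r):
            continue
        chain = referer_chain(recs, r["url"])
        root = urlsplit(chain[0]).hostname
        third_party = sorted({urlsplit(u).hostname for u in chain[1:]} - {root})
        if third_party:
            findings.append({
                "root": root,
                "chain": chain,
                "payload": r["url"],
                "third_party_hosts": third_party,
                "exploit_files": landing_exploit_files(recs, r["host"]),
            })
    return findings


if __name__ == "__main__":
    for f in find_driveby_chains(parse_log(SAMPLE_LOG)):
        print(" -> ".join(f["chain"]))
        print("exploit files:", f["exploit_files"])
```

The payload here is named payload.png but served as application/octet-stream, a mismatch worth alerting on in its own right; the chain reconstruction is what ties it back to the page the user actually opened, which is the point the post makes: the user's only action was the first request in the chain.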

Re: Can you get a virus/malware just by visiting a website?

Post by virtualmod »

Emsisoft Anti-Malware and Internet Security for example will detect and block the malware when it attempts to execute its functions.
Webroot SecureAnywhere monitors the program and, if it sees that the program is malware, it will attempt to remove the malware and roll back all changes made by the malware.
Still another like Comodo Internet Security offers the option to sandbox processes that either the program or the user does not recognize, which limits the damage done by malware.

Re: Can you get a virus/malware just by visiting a website?

Post by virtualmod »

Thanks to our developers, we don't have any malware or adverts which can harm your devices.
Do you have any stories about computer viruses? Share them in this thread.