Avira Scout, Drive-By Exploits and an Experiment – Updated Jan. 2017

Update January 2017

The experiment is finished – thanks a lot for participating!

Iframe detection is one way for us to improve Scout, but it is not implemented yet. The concept is now competing with other ideas for priority.

Original Post

Do you know what a drive-by exploit is and how it works? Read on to find out – and afterwards you maybe even want to help us with a browser experiment!

Drive-by exploits are the reason iframes have a bad reputation

Drive-by exploits are hosted on attacker-owned servers on the internet. But no user would intentionally visit a server that infects his computer. To ensure a high infection rate the attackers have to come up with something else: they create landing pads, innocent-looking sites which were hacked and modified to re-direct the browser to the attacking page. Thousands of pages get infected via malware attacks. Very often those pages are advertising sites that got infected (ad blockers can protect you here!).

Said re-directions cannot be observed by the user while surfing. Suddenly, malware. Thousands of them! That’s how iframes got a bad reputation: they are a standard way to include content from other pages into your homepage (maps, videos, etc.). But sadly they are also simple for malware authors to use as re-directors.

Help us to help you

We decided to start a new experiment to learn more about misused iframes in order to experiment with novel ways to detect them. The best thing though: if you want to, you can join the experiment. How so? Well, in your Avira browser you will find a new logo:

Just click the check box and start surfing. That’s it. No magic involved! We will share our results directly in the extension and make you a part of the research crew.

We want to learn

  • Which iframes are used for legit reasons?
  • Is there a way to pre-filter most of them, as they do not contain malware?
  • Can our servers identify connections when combining the findings from several users (“reputation”)?
  • Do we have to send the host URL to our servers as well, or would sending the contained iframe URLs be enough?
  • How can the client-to-server connections be minimized (for privacy reasons and to reduce our server cost)?
  • Is it possible to identify malicious iframes on the server side fast enough to block them from loading without impacting the user experience (perceived loading speed)?
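The research questions above boil down to a client-side triage step: enumerate the iframes on a page, drop the ones that are obviously legitimate, and report only what a server-side reputation check needs. The following is an added example of that logic, not code from the Scout extension; the allowlist, the hidden/1x1 heuristic and the sample page are assumptions constructed for illustration.

```javascript
// Added example, not Avira Scout code: triage the iframes embedded in a page
// along the lines of the research questions above. Runs in Node on plain
// descriptors; collectIframes() is the browser (content script) side.

// Hypothetical allowlist of embed hosts treated as legitimate (the pre-filter).
const ALLOWLIST = new Set(["www.youtube.com", "www.google.com", "player.vimeo.com"]);

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch (e) { return null; }
}

// iframes: [{ src, width, height, hidden }]. Returns the third-party iframe hosts
// the client would report (hostnames only, with a "suspicious" flag) and how
// many frames the same-origin/allowlist pre-filter dropped before any upload.
function triageIframes(pageUrl, iframes, allowlist = ALLOWLIST) {
  const pageHost = hostOf(pageUrl);
  const report = [];
  let filtered = 0;
  for (const f of iframes) {
    const host = hostOf(f.src);
    if (!host || host === pageHost || allowlist.has(host)) { filtered++; continue; }
    // Heuristic (an assumption, not from the post): a third-party frame that is
    // hidden or 1x1 px shows nothing to the user, so it deserves a reputation check.
    const suspicious = f.hidden === true || (f.width <= 1 && f.height <= 1);
    report.push({ host, suspicious });
  }
  return { report, filtered };
}

// Browser side: read the live DOM. Returns [] outside a browser.
function collectIframes(doc = typeof document !== "undefined" ? document : null) {
  if (!doc) return [];
  return Array.from(doc.querySelectorAll("iframe")).map((el) => {
    const cs = doc.defaultView.getComputedStyle(el);
    return { src: el.src, width: el.offsetWidth, height: el.offsetHeight,
             hidden: cs.display === "none" || cs.visibility === "hidden" };
  });
}

// Constructed sample page: a video embed, a same-origin widget, a 1x1 third-party frame.
const SAMPLE = [
  { src: "https://www.youtube.com/embed/abc", width: 560, height: 315, hidden: false },
  { src: "https://www.example.com/widget", width: 300, height: 200, hidden: false },
  { src: "https://redirector.invalid/land", width: 1, height: 1, hidden: false },
];
console.log(triageIframes("https://www.example.com/news", SAMPLE));
```

Only the third frame survives the pre-filter, which is the kind of reduction in client-to-server traffic the experiment is measuring.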

Small print

  • It is not a security feature yet
  • We will send more data to our server than needed by the final product. We will collect:
    • The hosts you visit (Pro tip: You might want to install it in an experimental browser profile and not surf to “embarrassing” sites 😉 )
    • The iframes contained on those hosts
    • The version numbers of the browser and the extension
    • A random and unique ID for your installation. We want to estimate the number of daily users – to later calculate the needed bandwidth.

Click on the button, activate the extension. Surf to your normal pages. The extension will directly show you the embedded iframes (not all of them, but most). The pages and the contained iframes are uploaded to our servers, so maybe you will want to skip some of your most “embarrassing” pages. We will update the extension 2-3 times a month with new features.

I really hope you’ll use the extension regularly to also join in for the next stages of the experiment.

The very big picture

Avira is currently doing a new research project called BOB. It covers secure online banking. With the iframe experiment we hope to also get an answer to the question: “What percentage of banking trojans, and which families, infect the user via drive-by downloads?” There are other re-direction techniques than iframes, and there are other infection vectors (like spam mails with links). But that’s another task for another day.

TL;DR:

We will add lots of new innovative features to the browser. They will be tested by conducting experiments like the one mentioned above.

For Science!
Thorsten Sick

Please note: This article relates to the Windows, Mac and Linux versions of the Avira Scout browser.


I use science to protect people. My name is Thorsten Sick and I do research projects at Avira. My last project was the ITES project, where I experimented with sandboxes, sensors and virtual machines. Currently I am one of the developers of the new Avira Browser.