Drive-By Downloads and How to Prevent Them

Drive-By Downloads are one of the most common methods used by cybercriminals to install malware and gain unauthorized access to your device. To protect yourself from these dangerous attacks, it’s critical to know how they work, and what steps you can take to thwart them.

What is a Drive-By Download and How Do They Work?

When a computer becomes infected with malicious software simply by visiting a website, it’s known as a drive-by download. The industry calls this type of attack a “drive-by” download because the user doesn’t have to stop or click anywhere on the malicious page. Simply viewing the page is enough to cause the infection, which happens in the background and without the user’s knowledge or consent.

In a drive-by download attack, criminals compromise a website, often a legitimate one, by embedding or injecting malicious objects into its web pages. These injections are invisible to the user and range from malicious JavaScript code to hidden iframes, links, redirects, malvertisements, cross-site scripting, and other malicious elements.

When a user visits an infected web page, the user’s browser automatically loads the malicious code, which immediately scans the victim’s computer for security vulnerabilities in the operating system and other applications.
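The injected objects described above (hidden iframes, off-site scripts, obfuscated inline JavaScript, meta-refresh redirects) are what a site owner or defender would look for when checking whether a page has been tampered with. The following scanner is an added example, not code from the original article; it uses only the Python standard library, and the sample page and the host names in it are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline JavaScript that decodes and runs a hidden payload is a classic injection marker.
SUSPICIOUS_JS = re.compile(r"\b(eval|unescape|document\.write)\s*\(", re.I)

class InjectScanner(HTMLParser):  # flags hidden iframes, off-site scripts, obfuscated JS, redirects
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host  # host the page was fetched from
        self.findings = []          # (kind, detail) tuples
        self._in_script = False

    def _external(self, url):
        host = urlparse(url).hostname
        return bool(host) and host != self.site_host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":  # injected frames are usually tiny or hidden via CSS
            style = (a.get("style") or "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if tiny or any(s in style for s in ("display:none", "visibility:hidden", "left:-")):
                self.findings.append(("hidden_iframe", a.get("src", "")))
        elif tag == "script":
            self._in_script = True
            if a.get("src") and self._external(a["src"]):
                self.findings.append(("external_script", a["src"]))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url=(\S+)", a.get("content", ""), re.I)
            if m and self._external(m.group(1)):
                self.findings.append(("meta_redirect", m.group(1)))

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):  # script bodies arrive here as CDATA
        if self._in_script and SUSPICIOUS_JS.search(data):
            self.findings.append(("obfuscated_inline_js", data.strip()[:60]))

def scan_html(html, site_host):  # returns the (kind, detail) findings for one fetched page
    scanner = InjectScanner(site_host)
    scanner.feed(html)
    return scanner.findings

# Constructed sample: a legitimate-looking page carrying three injected objects.
SAMPLE = """<html><head><meta http-equiv="refresh" content="0;url=http://bad.example/r">
<script src="/js/app.js"></script></head><body><p>Welcome</p>
<iframe src="http://bad.example/k" width="1" height="1" style="visibility:hidden"></iframe>
<script>eval(unescape("%64%6f%63..."));</script></body></html>"""
```

Run `scan_html(SAMPLE, "www.example.com")` to get the three findings; pointing it at your own site's HTML and diffing the result against a known-good crawl is the practical use.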

Security Holes

The sad reality is that virtually all applications have security holes. Although reputable software vendors provide updates to correct known vulnerabilities, the fixes don’t always get installed. Google found that just 38 percent of users automatically or immediately update their software when a new version is available. To make matters worse, cybercriminals are good at discovering security flaws before the vendor does, so there’s not always a fix available. That means there’s always a risk of a hacker finding and exploiting a weakness, even for users who immediately apply operating system or application fixes.

The list is endless, but here are a few prominent systems and applications that are commonly exploited by drive-by download attacks:

  • Old Operating Systems (Windows XP in particular)
  • Browsers (Firefox, Chrome, Opera, and others, especially out-of-date versions)
  • Out-of-date browser plug-ins
  • Early versions of Microsoft Office
  • Adobe/Shockwave Flash (ActiveX)
  • Adobe Reader
  • Foxit Reader
  • WinZip
  • 7-Zip
  • Microsoft Silverlight
  • Oracle Java

Not even security applications are immune to flaws. CSO Online reported that numerous security products have serious vulnerabilities. The lesson here is that it’s extremely difficult, if not impossible, to develop vulnerability-free software, and hackers capitalize on that fact.

How a Drive-By Attack Unfolds

When the drive-by malware detects a vulnerability, it exploits it and infiltrates the system. The malicious code will attack the system in various ways. Here are some of the more common methods that cybercriminals will use to attack a system:

  • Installing keyloggers to capture and record the victim’s keystrokes.
  • Using ransomware to encrypt data on the device and demand payment for recovery.
  • Enrolling the device in a botnet that secretly transmits spam or malware to other computers and networks.
  • Installing droppers, or malware that’s designed to load more malware without detection.
  • Searching the victim’s data, applications, and configuration files for IDs, passwords, account information, and other sensitive information. The malware can often find login credentials and other sensitive information stored in configuration files for browsers or other applications.
  • Installing man-in-the-browser malware to capture, modify, or insert data into web forms, thus conducting unauthorized transactions without the victim’s knowledge.
  • Sending sensitive data files, photos, or other documents back to the hacker.
  • Creating a backdoor that enables the attacker to install additional malware, add or modify user accounts, and increase privilege levels.

Protecting Yourself from Drive-By Downloads

Drive-By downloads are a major concern, but there are several steps end-users can take to protect themselves from these types of attacks:

  • Update your software promptly and consistently. When a software maker releases an update, cybercriminals will rush to reverse engineer it and target Internet users who have not applied the update. Configure your operating system, browsers, and every application that offers it to update automatically.
  • Remove unnecessary software and plug-ins. Computers tend to fill up with unnecessary applications and browser plug-ins that are neither useful nor maintained by the developers. By removing them you significantly reduce your chances of a data breach.
  • Stop using a privileged account for day-to-day work. Whenever you browse the Internet using a privileged account, a drive-by download (and other malicious software) can install itself without your explicit permission. Keep two separate accounts on your computer. Use a non-privileged account for common day-to-day work and all online activities. Use a different, administrator account for installing software, and only for that purpose. Using the web without administrative rights greatly reduces both the risk of a successful drive-by download and the potential damage should one succeed.
  • Use a firewall. Although a firewall won’t necessarily stop sophisticated malware, a firewall can be effective in detecting and blocking known threats.
  • Disable Java and JavaScript. Where possible, disable Java and JavaScript. Put trusted sites that require them on a whitelist.
  • Use web-filtering software. Turn on security features that monitor the websites you are connecting to. Configure these security controls to warn you when you attempt to access sites that might host drive-by downloads and other attacks.
  • Install an ad blocker. Drive-by download attacks frequently use ads as infection vectors. Installing an ad blocker will help reduce exposure to these types of attack.

Summary

Drive-by downloads are especially pernicious. Their proliferation is mainly due to the increased availability of affordable exploit kits that allow cybercriminals to easily compromise websites. Such exploit kits are highly refined and automated, which makes it easy for cybercriminals to distribute them across as many web servers as possible.

The growing complexity of internet browsers also contributes to the increase in drive-by download attacks. As the number of plug-ins, add-ons and browser versions proliferate, there are more weaknesses for cybercriminals to exploit.

However, despite the dangers, there are several relatively simple steps that end-users can take to protect themselves from drive-by downloads. Likewise, organizations can deploy advanced malware protection solutions that are quite effective at detecting and blocking drive-by downloads.

Brian Laing

For more than 20 years, Brian Laing has shared his strategic business vision and technical leadership with a range of start-ups and established companies in various executive level roles. The author of “APT for Dummies,” he was previously vice president of AhnLab, where he directed the US operations of the internationally known security and software leader. Brian previously founded Hive Media where he served as CEO. He co-founded RedSeal Systems, where he conceived the overall design and features of the product and was granted two patents related to network security. He was also founder and CEO of self-funded Blade Software, who released the industry’s first commercial IPS/FW testing tool.