Drive By Downloads
A drive-by download attack is one in which an attacker gets a user to download software simply by visiting a website. The user only has to “drive by” for the download to take place.
There are many channels for distributing drive-by downloads. Online advertising networks were once the most popular: an attacker would sneak a malicious ad into an ad network, and reputable, high-traffic sites would then distribute it widely. Starting around 2012, ad networks added quality controls that made this harder, but sites which serve lower-quality ads with less vetting still exist. Often these begin with a pop-up window telling the user that a virus has been detected on their computer and offering to perform a free virus scan. Another popular way to bring in victims is to send out phishing emails with links to attacker-controlled websites.
The most dangerous type of distribution is from third-party websites which have been compromised by attackers and perform drive-by downloads on all of their visitors.
Drive-By Download Process
A user visits a compromised website. The website either sends a background request or redirects the browser to an attacker-controlled website. This can be done quietly, without alerting the user, by using JavaScript and an HTML iframe. The request loads an “exploit kit” which probes the visitor’s machine for a large number of known vulnerabilities in the operating system, browser, or browser plug-ins. PDF readers, media players, and the browser’s own JavaScript and rendering engines are common targets. Historically, the Adobe Flash Player and the Java browser plug-in were the most heavily exploited targets, but both have since been retired: Flash reached end-of-life on December 31, 2020, and Oracle removed the Java browser plug-in starting with JDK 11 in 2018.
Once a working exploit has been found, the kit uses it to force the user’s browser to download a malware “payload”. The payload might display ads in the user’s browser, make their computer part of a botnet, log keystrokes or steal credentials, hijack banking sessions, install ransomware, or install a backdoor to allow the attacker future access.
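A site owner who suspects this kind of injection can check their own pages for the hidden, cross-origin iframes that pull in an exploit-kit landing page. The following is an added example, not code from the original article; the host names and sample HTML are constructed, and the hiding heuristics (zero or one pixel frames, display:none, visibility:hidden, off-screen positioning) are illustrative rather than exhaustive.

```python
# Added example (not from the original article): flag hidden, cross-origin
# iframes of the kind injected into compromised sites to pull in an
# exploit-kit landing page. Hosts and sample HTML below are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles that keep a frame out of sight: hidden, or pushed off-screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(left|top)\s*:\s*-\d+", re.I)


def _tiny(value):
    """True for a width/height of 0 or 1 (a pixel-sized frame)."""
    return value is not None and value.strip().rstrip("px") in ("0", "1")


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> in the document."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def suspicious_iframes(html, site_host):
    """Return src URLs of iframes that are both hidden and cross-origin."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname
        if not host or host == site_host:
            continue  # relative or same-site frame: not a pull from elsewhere
        hidden = (HIDDEN_STYLE.search(attrs.get("style") or "") is not None
                  or _tiny(attrs.get("width")) or _tiny(attrs.get("height")))
        if hidden:
            hits.append(src)
    return hits


# Constructed sample: one legitimate visible embed, one injected hidden frame.
SAMPLE_PAGE = """<html><body>
<iframe src="https://video.example-news.test/player" width="640" height="360"></iframe>
<iframe src="http://landing.example-attacker.test/ek.php" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>"""
```

Running `suspicious_iframes(SAMPLE_PAGE, "www.example-news.test")` reports only the 1x1 hidden frame; the visible video embed, although cross-origin, is left alone.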
Examples
“Mac Flashback”
In March 2012, attackers created a plugin for use with WordPress blogs which secretly opened up any blog that installed it to malware infection. Any user who visited an infected blog was redirected to an attacker-controlled website. The malicious site first attempted a drive-by download using exploits for the Mac operating system. If the drive-by download failed, it displayed a screen asking the user to install fake Apple software (which also downloaded the same malware). The payload was malware which infected the user’s browser and replaced any web ads on the page with ads which would make money for the attacker. (Relatively harmless considering what it could have done instead.) The attack was successful in infecting an estimated 600,000 Macs.
NBC.com drive-by downloads
In February 2013, attackers compromised the NBC.com website and used iframes to serve drive-by downloads of the Citadel Trojan malware, which steals personal and financial information. While investigating and recovering from the breach, NBC discovered that its web servers were also serving drive-by downloads of the ZeroAccess malware, which modifies search results to generate pay-per-click ad revenue.
Drive-By Download Preventions
The best defense against drive-by downloads is to turn on automatic software updates for the operating system, web browser, and all plugins. Attackers often use recently announced exploits, so users who are slow to upgrade are vulnerable. In addition, it is prudent to remove any browser extensions you do not need, since each one expands the attack surface. Users can also install an extension such as NoScript, which blocks JavaScript and other active content by default and selectively allows it on trusted sites. Some browsers will even warn users before they visit websites which are known to be compromised.
Users should not be logged into their computers as admins. This is an example of the Principle of Least Privilege: a user does not need admin permissions for most tasks. Running without admin rights limits the read, write, and execute permissions available to malware and confines any damage to the user’s own account.
Because the purpose of a drive-by download is to place viruses and other malware on the computer, an anti-virus program can help to detect and neutralize the payload if the download does succeed.