Drive-By Downloads Pose New and Dangerous Cyberthreat


You've installed antivirus software on your computer and are careful to avoid sketchy websites. You should be safe from malware infection, correct? Unfortunately, new stealth techniques allow hackers to sneak malware past these rudimentary defenses in an approach known as "drive-by downloads." In fact, users often fall victim to drive-by download attacks without even knowing that anything untoward has occurred. Hackers use this technique to surreptitiously steal confidential information, disrupt system use or join systems to large botnets for use in distributed denial of service attacks.


How Drive-By Downloads Work


When an attacker launches a drive-by download attack, he first compromises a well-known website visited by the attacker's target audience. After gaining control of the site, the attacker is careful to leave both the look-and-feel of the site and its legitimate content intact. Instead of performing a defacement attack to claim credit for the hack in a public way, the attacker instead places malware files on a hidden portion of the site. This malware then lurks in the background, waiting for a vulnerable target to visit the site and fall victim to the attack. The most insidious aspect of drive-by downloads is that they attack users where they feel most safe — known and trusted websites.


One technique drive-by downloads use to gain a foothold on visitor systems is simply asking the end user for explicit permission to bypass security controls and install software on his or her device. Many end users see security warnings and ignore them out of habit, clicking whatever they think is necessary to get to the content they seek. Unfortunately, this wanton clicking is a prime avenue for drive-by downloads to gain a foothold on a system. Once the user grants the malware permission to run, it quickly gains full control of the system and carries out its malicious instructions.


Drive-by downloads may also take a more devious path to gain a foothold on systems – exploiting a web browser vulnerability. Web browsers are complex pieces of software that make use of many third-party add-ins, such as Adobe Flash and Microsoft Silverlight, to display many different forms of content. Security researchers, some with benevolent intent and some with more malicious purposes in mind, seek out these vulnerabilities and identify those that may compromise a system.


Then begins the race — attackers write malware that exploits the vulnerability while software companies rush to release a security update that corrects the problem. If an attacker can launch an exploit against a vulnerable system before the patch is released, then they've successfully engaged in a zero-day exploit against which there is little defense.


Drive-by downloads that exploit these zero-day vulnerabilities are among the most difficult attacks to counter. Users with vulnerable systems visiting a site that exploits a zero-day vulnerability may see no outward sign that their system is compromised. Antivirus software, blind to the previously unknown threat, fails to block the malware installation.


High profile websites occasionally fall victim to these attacks, turning millions of innocent visitors into unsuspecting victims. Several years ago, criminals gained control of Amnesty International's website, and used it to spread a drive-by download that exploited a zero-day vulnerability in Adobe Flash, infecting systems around the world.


Protecting Yourself Against Drive-By Downloads


Computer users can use common sense methods to protect themselves against drive-by downloads, but it is important to remember that no defense technique is 100 percent effective, because of the nature of these attacks. The best approach is a layered security posture with multiple overlapping controls designed to back each other up in the event a single control fails.


The most important thing that web users can do to protect themselves is to pay attention to security warnings and block unexpected attempts to install software, regardless of the site they are visiting. Remember, even trusted websites may participate in a drive-by download attack when a hacker gains illegitimate access to them and uses the site as a middleman.


In addition to practicing safe web browsing, users should ensure that they regularly patch their systems with all available security updates. While applying automatic operating system updates is important, it is not sufficient to protect a system against attack. Regular patching must extend to web browsers and the many add-ins used to enhance the browsing experience. A flaw in any of those components could provide a zero-day exploit the access it needs to infect a system.


Preventing Your Website From Participating



Website administrators play an important role in reducing the likelihood of drive-by download attacks. Successful attacks require compromising known, trusted websites. Administrators should take steps to ensure that their sites are protected against common attacks. Just as with endpoint systems, web server administrators must ensure that systems receive security patches promptly. The delay between the time a vendor releases a patch and the administrator updates the server is a critical window of vulnerability where an attacker can compromise the server and install drive-by download malware.
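Because the attacker leaves the legitimate content intact and tucks the payload into a hidden corner of the site, one control an administrator can add alongside prompt patching is an integrity baseline of the web root that flags files appearing or changing outside a deployment. The script below is an added example, not code from the article or a tool it names; the sample web root and the "dropper" file are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(webroot):
    """Map each file under webroot (relative POSIX path) to its SHA-256 digest.
    Hidden files and dot-directories are deliberately included: a compromised
    site often keeps its visible pages untouched and hides the payload in a
    path that ordinary visitors never browse."""
    root = Path(webroot)
    digests = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_snapshots(baseline, current):
    """Report files added, modified or removed since the baseline was taken.
    Anything in 'added' or 'modified' that was not part of a known deployment
    deserves a look before visitors are served it."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "modified": modified, "removed": removed}


def demo():
    """Build a constructed web root, baseline it, simulate a tamper, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<html>legitimate content</html>")
        (root / "js").mkdir()
        (root / "js" / "app.js").write_text("console.log('ok');")
        baseline = snapshot(root)
        # Simulated compromise: the visible page is untouched, a new file appears
        # under a hidden directory, and an existing script is altered.
        (root / ".cache").mkdir()
        (root / ".cache" / "dropper.bin").write_bytes(b"constructed placeholder, not malware")
        (root / "js" / "app.js").write_text("console.log('ok'); /* injected */")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline is taken right after a known-good deployment and the comparison runs on a schedule, so a quiet change between deployments shows up as an alert rather than as infected visitors.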


Many attacks against websites bypass operating system security by exploiting custom application code written by web developers within an organization. Developers and system administrators should understand the risks posed by SQL Injection, buffer overflows and other web application attacks.


One great source of information on these vulnerabilities is the OWASP Top Ten list of web application security flaws. Administrators should schedule regular vulnerability scans that automatically monitor systems for both operating system and application flaws that might provide attackers an entry point onto the web server. Correcting these issues quickly limits the probability that an attacker will use the site as a launching point for a drive-by download attack.


Drive-by downloads are a high-risk, scary scenario. Imagine the possibilities if one of the world's most-visited websites, such as Wikipedia, CNN or ESPN, began inadvertently distributing malware via a zero-day attack. The attacker behind this doomsday scenario could quickly gain control of a significant number of the world's computers. For this reason, both end users and web server administrators should pay careful attention to security controls and armor their systems against drive-by downloads.


About the Author

Mike Chapple is Senior Director for IT Service Delivery at the University of Notre Dame. Mike is CISSP certified and holds bachelor’s and doctoral degrees in computer science and engineering from Notre Dame, with a master’s degree in computer science from the University of Idaho and an MBA from Auburn University.