Understanding and mitigating drive-by downloads

January 18, 2019

Drive-by downloads are among the most dangerous forms of attack because they can slip in under the radar without users noticing they have been infected. Here is how you can protect yourself.

The term “drive-by download” refers to the unintentional download of malicious code onto a device. Once it runs, that code can do anything from stealing personal information to installing banking Trojans or fetching further malware onto the endpoint, often by way of an exploit kit that serves the initial payload.

What sets this type of attack apart from most other forms of cyber attack is that it needs no interaction from the user beyond loading a page: the malware is delivered simply by visiting a website. More often than not, users reach these sites via a link in a phishing email or a social media post from someone they regard as a trusted source.

A common variant that does rely on a click is the fake antivirus pop-up. Here, a visit to a compromised site triggers a warning that your computer is infected and offers a free scan or clean-up tool to fix it. The catch is that clicking the pop-up installs malware rather than removing it.

The biggest threats are the ones that need no such interaction at all. Here cybercriminals target vulnerable or outdated browsers and browser plugins to download and run malicious files on the victim’s computer without them being aware. Modern browsers are complex pieces of software, and with so many plugins available it is easy to see where the weaknesses creep in.

More worryingly, we have seen growth in an altogether more sinister form of drive-by attack: malvertising. Here the malicious payload is delivered through rogue or compromised advertising networks, behind seemingly legitimate adverts placed on otherwise reputable sites. The ad may redirect to the exploit page when clicked or, just as often, with no click at all, so the victim need not be lured to a malicious site; they can simply stumble across it while browsing.

So how does a drive-by download work?

Drive-by downloads tend to use short pieces of code designed to slip past simple defences unnoticed. The code rarely needs to be complex: in most cases it is only a first stage whose job is to connect to another machine under the attacker’s control, which then supplies the rest of the code needed to infect the device.

Some of the more notable drive-by download attacks of the past few years have included:

  • The cybercriminal group Lurk, known for stealthy and fileless infections, exploited web browser vulnerabilities in its drive-by download attacks. Malicious iframe content was injected into high-profile Russian websites, which then served as the launch points for attacks on unsuspecting end users.
  • A cyberespionage group called Patchwork (or Dropping Elephant) created a fake social video website called YoukuTudou to target victims in China, getting them to download and execute an xRAT Trojan under the guise of an Adobe Flash Player update.
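The injected iframe described above is the kind of thing a site owner or responder can look for in a fetched page: a frame or script whose source is off-site, or which has been shrunk to a pixel or hidden by CSS so the visitor never sees it. The following scanner is an added example written for this article, not code from the page or from any of the named campaigns; the page host, the allow list of CDN hosts and the sample HTML are all constructed for illustration and the hidden-style patterns are a short, assumed list rather than an exhaustive one.

```python
"""Added example: flag iframes and scripts that look like drive-by injections.

Stdlib only. The page host, allow list and sample HTML below are constructed
for illustration and are not taken from the Lurk or Patchwork campaigns.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A few CSS tricks commonly used to keep an injected frame out of sight
# (assumed list; a production scanner would carry more patterns).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I)


def _px(value):
    """Parse a width/height attribute like "0" or "1px"; None for "100%" etc."""
    m = re.match(r"\s*(\d+)\s*(?:px)?\s*$", value or "")
    return int(m.group(1)) if m else None


def same_site(host, page_host):
    """True if host is page_host or one of its subdomains."""
    return host == page_host or host.endswith("." + page_host)


class InjectedContentScanner(HTMLParser):
    """Collect <iframe>/<script> tags whose source or styling is suspicious."""

    def __init__(self, page_host, allowed_hosts=()):
        super().__init__()
        self.page_host = page_host.lower()
        self.allowed = {h.lower() for h in allowed_hosts}   # e.g. known CDNs
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k.lower(): (v or "") for k, v in attrs}   # boolean attrs -> ""
        src = a.get("src", "")
        # urlparse copes with scheme-less "//host/path" as well as absolute URLs;
        # relative paths give no hostname and are treated as same-site.
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host and not same_site(host, self.page_host) and host not in self.allowed:
            reasons.append("off-site src " + host)
        if tag == "iframe":
            w, h = _px(a.get("width")), _px(a.get("height"))
            if (w is not None and w <= 1) or (h is not None and h <= 1):
                reasons.append("zero/one-pixel frame")
            if "hidden" in a or HIDDEN_STYLE.search(a.get("style", "")):
                reasons.append("hidden by attribute or style")
        if reasons:
            self.findings.append({"tag": tag, "src": src, "reasons": reasons})


def scan_html(html, page_host, allowed_hosts=()):
    """Return a list of suspicious tag findings for one fetched page."""
    scanner = InjectedContentScanner(page_host, allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a news page with one legitimate player frame and two
# injected elements of the kind the Lurk write-ups describe.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-cdn.net/lib.js"></script>
</head><body>
<h1>News</h1>
<iframe src="https://video.news.example/player" width="640" height="360"></iframe>
<iframe src="//bad.example/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<script src="http://bad.example/stage.js"></script>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML, "news.example", allowed_hosts=["cdn.example-cdn.net"]):
        print(f["tag"], f["src"], "->", "; ".join(f["reasons"]))
```

Run against the sample it reports the one-pixel hidden frame and the off-site stager script and stays silent on the site's own assets and the allow-listed CDN. Matching on the parsed hostname rather than on the raw `src` string matters: a scheme-less `//bad.example/...` reference is just as live as an absolute URL, and a same-site check done by substring would be fooled by `news.example.attacker.test`.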

How do we protect against drive-by download infections?

Here are four easy-to-implement steps you can take to defend against drive-by downloads:

1/ Start at the source
Applying the mitigation strategies recommended for phishing attacks will stop a large share of drive-by attacks, because it prevents users from being directed to the malicious sites in the first place (see the article on phishing). Just remember that links to infected sites can also arrive via social networks and instant messages.

2/ Implement a layered approach
Having layers of security in place puts you in a strong position against unwitting infection by drive-by downloads. Base this around a core of web protection that blocks users from reaching known malicious sites, and you will greatly reduce your attack surface. A good system will use regularly updated block lists (blacklists) and will match them against the host the browser actually connects to, not against the raw URL text.
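How a block list is matched decides whether the web-protection layer above is worth much. The check below is an added example for this article, not code from the page or from any product; the block-list entries and test URLs are constructed, and it assumes the filter sees absolute URLs as a proxy or browser extension would. It normalises the URL to the host the browser will connect to (dropping userinfo, port, case and trailing dot, and converting unicode labels to punycode via Python's `idna` codec) and then matches on whole domain labels, and it keeps the naive substring check beside it to show where that one goes wrong.

```python
"""Added example: host-based block-list check for a web filter.

Matching on the host the browser will actually connect to, not on the raw
URL string, avoids the false positives and bypasses a substring match
suffers from. The block list below is constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed block list of registrable domains (not real indicators).
BLOCKLIST = {"bad.example", "malvert.example"}


def normalise_host(url):
    """Return the lower-cased, punycode hostname of an absolute URL, or None.

    urlsplit().hostname already drops the userinfo ("trusted.example@") and
    port tricks used to make a hostile URL look familiar, and lower-cases.
    """
    host = urlsplit(url.strip()).hostname
    if not host:
        return None
    host = host.rstrip(".")                          # "bad.example." is the same host
    try:
        return host.encode("idna").decode("ascii")   # unicode labels -> xn--
    except UnicodeError:
        return None


def is_blocked(url, blocklist=BLOCKLIST):
    """True if the URL's host, or any parent domain of it, is on the list.

    Unparsable hosts are blocked (fail closed); the filter is assumed to see
    absolute URLs, as a proxy or browser extension would.
    """
    host = normalise_host(url)
    if host is None:
        return True
    labels = host.split(".")
    # a.b.bad.example -> check "a.b.bad.example", "b.bad.example", "bad.example", "example"
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def naive_is_blocked(url, blocklist=BLOCKLIST):
    """The substring check this example warns against, kept for comparison."""
    return any(entry in url.lower() for entry in blocklist)


# Constructed test URLs and the verdict a correct filter should give.
CASES = [
    ("https://bad.example/landing", True),
    ("HTTP://BAD.EXAMPLE./x", True),                           # case and trailing dot
    ("http://trusted.example@bad.example:8080/x", True),       # userinfo and port
    ("https://cdn.bad.example/stage.js", True),                # subdomain
    ("https://notbad.example/", False),                        # not a label match
    ("https://bad.example.attacker.test/", False),             # only a prefix
    ("https://news.example/?next=https://bad.example", False), # host is clean
]


def naive_mismatches():
    """Return the cases where naive substring matching disagrees with the verdict."""
    return [u for u, want in CASES if naive_is_blocked(u) != want]


if __name__ == "__main__":
    for url, want in CASES:
        assert is_blocked(url) == want, url
    print("naive check wrong on:", naive_mismatches())
```

The three cases the substring check gets wrong are all false positives here, but the same weakness cuts the other way: a list entry that is only ever compared as text can be dodged with a trailing dot, mixed case or a punycode spelling, all of which resolve to the same host.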

3/ Keep patching
Most drive-by downloads rely on vulnerabilities in web browsers and their plugins. Regularly updating or patching apps, browsers and operating systems is a powerful mitigation; where a plugin such as Flash is not needed, removing or disabling it is better still.

4/ Reduce the administrative surface
This is a common theme when dealing with any form of malicious attack: remove administrative privileges wherever they are not absolutely essential to the workflow. Much malware needs administrative rights to install itself system-wide, disable security tools or spread across the network. By removing those rights from endpoints, organisations can stop many drive-by payloads from achieving more than a user-level foothold, even when the initial exploit succeeds.