HOME

TheInfoList



Click Here for Items Related To - Drive-by download
OR:
Drive-by download on:   [Wikipedia]   [Google]   [Amazon]

Drive-by download is of two types, each concerning the unintended
download In computer networks, download means to ''receive'' data from a remote system, typically a server such as a web server, an FTP server, an email server, or other similar system. This contrasts with uploading, where data is ''sent to'' a remote ...
of computer
software Software is a set of computer programs and associated software documentation, documentation and data (computing), data. This is in contrast to Computer hardware, hardware, from which the system is built and which actually performs the work. ...
from the
Internet The Internet (or internet) is the global system of interconnected computer networks that uses the Internet protocol suite (TCP/IP) to communicate between networks and devices. It is a '' network of networks'' that consists of private, pub ...
: # Authorized drive-by downloads are downloads which a person has authorized but without understanding the consequences (e.g. downloads which install an unknown or counterfeit
executable program In computing, executable code, an executable file, or an executable program, sometimes simply referred to as an executable or binary, causes a computer "to perform indicated tasks according to encoded instructions", as opposed to a data file ...
,
ActiveX ActiveX is a deprecated software framework created by Microsoft that adapts its earlier Component Object Model (COM) and Object Linking and Embedding (OLE) technologies for content downloaded from a network, particularly from the World Wide We ...
component, or
Java applet Java applets were small applications written in the Java programming language, or another programming language that compiles to Java bytecode, and delivered to users in the form of Java bytecode. The user launched the Java applet from a ...
). # Unauthorized drive-by downloads are downloads which happen without a person's knowledge, often a computer virus,
spyware Spyware (a portmanteau for spying software) is software with malicious behaviour that aims to gather information about a person or organization and send it to another entity in a way that harms the user—for example, by violating their priva ...
, malware, or crimeware. Drive-by downloads may happen when visiting a
website A website (also written as a web site) is a collection of web pages and related content that is identified by a common domain name and published on at least one web server. Examples of notable websites are Google, Facebook, Amazon, and Wi ...
, opening an e-mail attachment or clicking a link, or clicking on a deceptive pop-up window: by clicking on the window in the mistaken belief that, for example, an error report from the computer's operating system itself is being acknowledged or a seemingly innocuous advertisement pop-up is being dismissed. In such cases, the "supplier" may claim that the user "consented" to the download, although the user was in fact unaware of having started an unwanted or malicious software download. Similarly if a person is visiting a site with malicious content, the person may become victim to a drive-by download attack. That is, the malicious content may be able to exploit vulnerabilities in the browser or plugins to run malicious code without the user's knowledge. A drive-by install (or installation) is a similar event. It refers to
installation Installation may refer to: * Installation (computer programs) * Installation, work of installation art * Installation, military base * Installation, into an office, especially a religious (Installation (Christianity) Installation is a Christian li ...
rather than download (though sometimes the two terms are used interchangeably).


Process

When creating a drive-by download, an attacker must first create their malicious content to perform the attack. With the rise in exploit packs that contain the vulnerabilities needed to carry out unauthorized drive-by download attacks, the skill level needed to perform this attack has been reduced. The next step is to host the malicious content that the attacker wishes to distribute. One option is for the attacker to host the malicious content on their own server. However, because of the difficulty in directing users to a new page, it may also be hosted on a compromised legitimate website, or a legitimate website unknowingly distributing the attackers content through a third party service (e.g. an advertisement). When the content is loaded by the client, the attacker will analyze the
fingerprint A fingerprint is an impression left by the friction ridges of a human finger. The recovery of partial fingerprints from a crime scene is an important method of forensic science. Moisture and grease on a finger result in fingerprints on surfac ...
of the client in order to tailor the code to exploit vulnerabilities specific to that client. Finally, the attacker exploits the necessary vulnerabilities to launch the drive-by download attack. Drive-by downloads usually use one of two strategies. The first strategy is exploiting
API An application programming interface (API) is a way for two or more computer programs to communicate with each other. It is a type of software interface, offering a service to other pieces of software. A document or standard that describes how ...
calls for various plugins. For example, the DownloadAndInstall API of the Sina
ActiveX ActiveX is a deprecated software framework created by Microsoft that adapts its earlier Component Object Model (COM) and Object Linking and Embedding (OLE) technologies for content downloaded from a network, particularly from the World Wide We ...
component did not properly check its parameters and allowed the downloading and execution of arbitrary files from the internet. The second strategy involves writing shellcode to memory, and then exploiting vulnerabilities in the web browser or plugin to divert the control flow of the program to the shell code. After the shellcode has been executed, the attacker can perform further malicious activities. This often involves downloading and installing malware, but can be anything, including stealing information to send back to the attacker. The attacker may also take measures to prevent detection throughout the attack. One method is to rely on the obfuscation of the malicious code. This can be done through the use of iframes. Another method is to encrypt the malicious code to prevent detection. Generally the attacker encrypts the malicious code into a
ciphertext In cryptography, ciphertext or cyphertext is the result of encryption performed on plaintext using an algorithm, called a cipher. Ciphertext is also known as encrypted or encoded information because it contains a form of the original plaintext ...
, then includes the decryption method after the ciphertext.


Detection and prevention

Detection of drive-by download attacks is an active area of research. Some methods of detection involve
anomaly detection In data analysis, anomaly detection (also referred to as outlier detection and sometimes as novelty detection) is generally understood to be the identification of rare items, events or observations which deviate significantly from the majority o ...
, which tracks for state changes on a user's computer system while the user visits a webpage. This involves monitoring the user's computer system for anomalous changes when a web page is rendered. Other methods of detection include detecting when malicious code (shellcode) is written to memory by an attacker's exploit. Another detection method is to make run-time environments that allow
JavaScript JavaScript (), often abbreviated as JS, is a programming language that is one of the core technologies of the World Wide Web, alongside HTML and CSS. As of 2022, 98% of websites use JavaScript on the client side for webpage behavior, of ...
code to run and track its behavior while it runs. Other detection methods include examining contents of HTML pages to identify features that can be used to identify malicious web pages, and using characteristics of web servers to determine if a page is malicious. Some antivirus tools use static
signatures A signature (; from la, signare, "to sign") is a handwritten (and often stylized) depiction of someone's name, nickname, or even a simple "X" or other mark that a person writes on documents as a proof of identity and intent. The writer of a ...
to match patterns of malicious scripts, although these are not very effective because of obfuscation techniques. Detection is also possible by using low-interaction or high-interaction honeyclients. Drive-by downloads can also be prevented from occurring by using script-blockers such as
NoScript NoScript (or NoScript Security Suite) is a free software extension for Mozilla Firefox, SeaMonkey, other Mozilla-based web browsers and Google Chrome, written and maintained by Giorgio Maone, an Italian software developer and member of the Mozi ...
, which can easily be added into browsers such as Firefox. Using such a script-blocker, the user can disable all the scripts on a given webpage, and then selectively re-enable individual scripts on a one-by-one basis in order to determine which ones are truly necessary for webpage functionality. However, some script-blocking tools can have unintended consequences, such as breaking parts of other websites, which can be a bit of a balancing act.


See also

* Malvertising *
Phishing Phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious softwa ...
*
BLADE A blade is the portion of a tool, weapon, or machine with an edge that is designed to puncture, chop, slice or scrape surfaces or materials. Blades are typically made from materials that are harder than those they are to be used on. Histor ...
* Mac Flashback * Windows Metafile vulnerability * Dropper (malware)


References

{{reflist Computer security exploits Computer viruses