
Drive-by download: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
No edit summary
No edit summary
 
(123 intermediate revisions by 92 users not shown)
Line 1: Line 1:
{{Short description|Computer security exploitation}}
{{mergeto|Web threat|date=January 2012}}
{{Use dmy dates|date=July 2020}}
'''Drive-by download''' means three things, each concerning the unintended [[download]] of [[computer]] [[software]] from the [[Internet]]:


In [[computer security]], a '''drive-by download''' is the unintended [[download]] of [[software]], typically [[Malware|malicious software]]. The term "drive-by download" usually refers to a download which was authorized by a user without understanding what is being downloaded, such as in the case of a [[Trojan horse (computing)|Trojan horse]]. In other cases, the term may simply refer to a download which occurs without a user's knowledge. Common types of files distributed in drive-by download attacks include [[Computer virus|computer viruses]], [[spyware]], or [[crimeware]].
# Downloads which a person authorized but without understanding the consequences (e.g. downloads which install an unknown or counterfeit [[executable program]], [[ActiveX]] component, or [[Java (software platform)|Java]] applet).
# Any [[download]] that happens without a person's knowledge.
# Download of [[spyware]], a [[computer virus]] or any kind of [[malware]] that happens without a person's knowledge.<ref>{{Cite web|url=http://www.h-online.com/security/news/item/Exploit-on-Amnesty-pages-tricks-AV-software-1230724.html|accessdate=8 January 2011|publisher=[[Heinz Heise]]|work=The H online|date=20 April 2011|title=Exploit on Amnesty pages tricks AV software}}</ref>


Drive-by downloads may happen when visiting a [[website]], viewing an e-mail message or by clicking on a deceptive pop-up window:<ref>{{cite web|url=http://news.cnet.com/2100-1023-877568.html|title=Web surfers brace for pop-up downloads|first=Stefanie|last=Olsen|date=8 April 2002|publisher=[[CNET]] News|accessdate=28 October 2010}}</ref> by clicking on the window in the mistaken belief that, for instance, an error report from the computer' operating system itself is being acknowledged, or that an innocuous advertisement pop-up is being dismissed. In such cases, the "supplier" may claim that the person "consented" to the download although actually unaware of having started an unwanted or malicious software download. Websites that exploit the [[Windows Metafile vulnerability]] (eliminated by a [[Windows update]] of 5 January 2006) may provide examples of drive-by downloads of this sort.
Drive-by downloads may happen when visiting a [[website]],<ref>{{Cite journal |last1=Sood |first1=Aditya K. |last2=Zeadally |first2=Sherali |date=2016-09-01 |title=Drive-By Download Attacks: A Comparative Study |url=https://ieeexplore.ieee.org/document/7579103 |journal=IT Professional |volume=18 |issue=5 |pages=18–25 |doi=10.1109/MITP.2016.85 |s2cid=27808214 |issn=1520-9202}}</ref> opening an [[Email attachment|e-mail attachment]] or clicking a link, or clicking on a deceptive pop-up window:<ref>{{cite web|url=http://news.cnet.com/2100-1023-877568.html|title=Web surfers brace for pop-up downloads|first=Stefanie|last=Olsen|date=8 April 2002|publisher=[[CNET]] News|access-date=28 October 2010}}</ref> by clicking on the window in the mistaken belief that, for example, an error report from the computer's operating system itself is being acknowledged or a seemingly innocuous advertisement pop-up is being dismissed. In such cases, the "supplier" may claim that the user "consented" to the download, although the user was in fact unaware of having started an unwanted or malicious software download. Similarly if a person is visiting a site with malicious content, the person may become victim to a drive-by download attack. That is, the malicious content may be able to exploit [[Vulnerability (computing)|vulnerabilities]] in the [[Web browser|browser]] or [[Plug-in (computing)|plugins]] to run malicious code without the user's knowledge.<ref name=":0">{{Cite book|last1=Le|first1=Van Lam|last2=Welch|first2=Ian|last3=Gao|first3=Xiaoying|last4=Komisarczuk|first4=Peter|date=2013-01-01|title=Anatomy of Drive-by Download Attack|url=http://dl.acm.org/citation.cfm?id=2525483.2525489|journal=Proceedings of the Eleventh Australasian Information Security Conference - Volume 138|series=AISC '13|location=Darlinghurst, Australia, Australia|publisher=Australian Computer Society, Inc.|pages=49–58|isbn=9781921770234}}</ref>

[[Hackers (computer security)|Hackers]] use different techniques to obfuscate the malicious code so that [[antivirus software]]s aren't able to recognize the code and the code is executed in hidden [[iframe]]s so that the user can't recognize it visible - and even for experienced user it is hard to read.<ref>{{Cite journal|url=http://www.h-online.com/security/features/CSI-Internet-Alarm-at-the-pizza-service-1019940.html|accessdate=8 January 2011|publisher=[[Heinz Heise]]|work=The H online|date=18 June 2010|title=CSI:Internet - Episode 1: Alarm at the pizza service|first=Thorsten|last=Holz|journal=[[c't]]|issue=13/2010}}</ref>


A '''drive-by install''' (or '''installation''') is a similar event. It refers to [[installation (computer programs)|installation]] rather than download (though sometimes the two terms are used interchangeably).
A '''drive-by install''' (or '''installation''') is a similar event. It refers to [[installation (computer programs)|installation]] rather than download (though sometimes the two terms are used interchangeably).

== Process ==
When creating a drive-by download, an attacker must first create their malicious content to perform the attack. With the rise in exploit packs that contain the vulnerabilities needed to carry out unauthorized drive-by download attacks, the skill level needed to perform this attack has been reduced.<ref name=":0" />

The next step is to host the malicious content that the attacker wishes to distribute. One option is for the attacker to host the malicious content on their own [[Server (computing)|server]]. However, because of the difficulty in directing users to a new page, it may also be hosted on a compromised legitimate website, or a legitimate website unknowingly distributing the attackers content through a [[Third-party software component|third party service]] (e.g. an advertisement). When the content is loaded by the client, the attacker will analyze the [[Device fingerprint|fingerprint]] of the client in order to tailor the code to exploit vulnerabilities specific to that client.<ref name=":1">{{Cite book|volume = 309|last1=Egele|first1=Manuel|last2=Kirda|first2=Engin|last3=Kruegel|first3=Christopher| title=INetSec 2009 – Open Research Problems in Network Security |date=2009-01-01|publisher=Springer Berlin Heidelberg|isbn=978-3-642-05436-5|pages=52–62|chapter=Mitigating Drive-By Download Attacks: Challenges and Open Problems|doi=10.1007/978-3-642-05437-2_5|series = IFIP Advances in Information and Communication Technology}}</ref>

Finally, the attacker exploits the necessary vulnerabilities to launch the drive-by download attack. Drive-by downloads usually use one of two strategies. The first strategy is exploiting [[Application programming interface|API]] calls for various [[Plug-in (computing)|plugins]]. For example, the DownloadAndInstall API of the Sina [[ActiveX]] component did not properly check its parameters and allowed the downloading and execution of arbitrary files from the internet. The second strategy involves writing [[shellcode]] to memory, and then exploiting vulnerabilities in the web browser or plugin to divert the control flow of the program to the shell code.<ref name=":1" /> After the shellcode has been executed, the attacker can perform further malicious activities. This often involves downloading and installing [[malware]], but can be anything, including stealing information to send back to the attacker.<ref name=":0" />

The attacker may also take measures to prevent detection throughout the attack. One method is to rely on the [[Obfuscation (software)|obfuscation]] of the malicious code. This can be done through the use of [[iframes]].<ref name=":0" /> Another method is to encrypt the malicious code to prevent detection. Generally the attacker encrypts the malicious code into a [[ciphertext]], then includes the decryption method after the ciphertext.<ref name=":1" />

== Detection and prevention ==
Detection of drive-by download attacks is an active area of research. Some methods of detection involve [[anomaly detection]], which tracks for state changes on a user's computer system while the user visits a webpage. This involves monitoring the user's computer system for anomalous changes when a web page is rendered. Other methods of detection include detecting when malicious code (shellcode) is written to memory by an attacker's exploit. Another detection method is to make run-time environments that allow [[JavaScript]] code to run and track its behavior while it runs. Other detection methods include examining contents of HTML pages to identify features that can be used to identify malicious web pages, and using characteristics of web servers to determine if a page is malicious.<ref name=":0" /> Some antivirus tools use static [[Antivirus software#Signature-based detection|signatures]] to match patterns of malicious scripts, although these are not very effective because of obfuscation techniques. Detection is also possible by using low-interaction or high-interaction [[Client honeypot#HoneyClient|honeyclients]].<ref name=":1" />

Drive-by downloads can also be prevented from occurring by using script-blockers such as [[NoScript]], which can easily be added into browsers such as Firefox. Using such a script-blocker, the user can disable all the scripts on a given webpage, and then selectively re-enable individual scripts on a one-by-one basis in order to determine which ones are truly necessary for webpage functionality. However, some script-blocking tools can have unintended consequences, such as breaking parts of other websites, which can be a bit of a balancing act.<ref name="“makeuseof”">{{cite web |last1=Phillips |first1=Gavin |date=14 January 2021 |title=What Is a Drive-by Download Malware Attack? |url=https://www.makeuseof.com/what-is-a-drive-by-download/ |access-date=4 January 2022}}</ref>

A different form of prevention, known as "Cujo," is integrated into a web proxy, where it inspects web pages and blocks the delivery of malicious JavaScript code.<ref>{{Cite book |last1=Rieck |first1=Konrad |last2=Krueger |first2=Tammo |last3=Dewald |first3=Andreas |title=Proceedings of the 26th Annual Computer Security Applications Conference |chapter=Cujo: Efficient detection and prevention of drive-by-download attacks |date=2010-12-06 |pages=31–39 |chapter-url=http://dx.doi.org/10.1145/1920261.1920267 |location=New York, NY, USA |publisher=ACM |doi=10.1145/1920261.1920267|isbn=9781450301336 |s2cid=8512207 }}</ref>

== See also ==
* [[Malvertising]]
* [[Phishing]]
* [[BLADE (software)|BLADE]]
* [[Trojan BackDoor.Flashback|Mac Flashback]]
* [[Windows Metafile vulnerability]]
* [[Dropper (malware)]]


==References==
==References==
{{reflist}}
{{reflist}}


{{Information security}}
{{Use dmy dates|date=June 2011}}


[[Category:Computer security exploits]]
[[Category:Computer security exploits]]
[[Category:Computer viruses]]

{{malware-stub}}

[[de:Drive-by-Download]]
[[ja:ドライブバイダウンロード]]
[[sv:Drive-by download]]
[[zh:路过式下载]]
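Review bot: the added paragraph beginning "The next step is to host the malicious content" drops an apostrophe in "distributing the attackers content" (should be "attacker's content"), and the added lead paragraph's "Similarly if a person is visiting a site" needs a comma after "Similarly"; both read as typos rather than intended wording. The same "Finally, the attacker exploits" paragraph spells the term both "shellcode" and "shell code"; one spelling throughout would be consistent with the section heading usage elsewhere in the revision.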

Latest revision as of 12:07, 11 August 2024

In computer security, a drive-by download is the unintended download of software, typically malicious software. The term "drive-by download" usually refers to a download which was authorized by a user without understanding what is being downloaded, such as in the case of a Trojan horse. In other cases, the term may simply refer to a download which occurs without a user's knowledge. Common types of files distributed in drive-by download attacks include computer viruses, spyware, or crimeware.

Drive-by downloads may happen when visiting a website,[1] opening an e-mail attachment or clicking a link, or clicking on a deceptive pop-up window,[2] for example in the mistaken belief that an error report from the computer's operating system is being acknowledged or that a seemingly innocuous advertisement pop-up is being dismissed. In such cases, the "supplier" may claim that the user "consented" to the download, although the user was in fact unaware of having started an unwanted or malicious software download. Similarly, a person who visits a site with malicious content may become the victim of a drive-by download attack: the malicious content may exploit vulnerabilities in the browser or its plugins to run malicious code without the user's knowledge.[3]

A drive-by install (or installation) is a similar event. It refers to installation rather than download (though sometimes the two terms are used interchangeably).

Process


When creating a drive-by download, an attacker must first create their malicious content to perform the attack. With the rise in exploit packs that contain the vulnerabilities needed to carry out unauthorized drive-by download attacks, the skill level needed to perform this attack has been reduced.[3]

The next step is to host the malicious content that the attacker wishes to distribute. One option is for the attacker to host it on their own server. However, because it is difficult to direct users to a new page, the content may instead be placed on a compromised legitimate website, or served by a legitimate website that unknowingly distributes the attacker's content through a third-party service (e.g. an advertisement). When the content is loaded by the client, the attacker analyzes the client's fingerprint in order to tailor the code to the vulnerabilities of that particular client.[4]

Finally, the attacker exploits the necessary vulnerabilities to launch the drive-by download attack. Drive-by downloads usually use one of two strategies. The first is exploiting API calls of various plugins. For example, the DownloadAndInstall API of the Sina ActiveX component did not properly check its parameters and allowed the downloading and execution of arbitrary files from the internet. The second involves writing shellcode to memory and then exploiting vulnerabilities in the web browser or plugin to divert the program's control flow to that shellcode.[4] After the shellcode has been executed, the attacker can perform further malicious activities. This often involves downloading and installing malware, but can be anything, including stealing information to send back to the attacker.[3]

The attacker may also take measures to prevent detection throughout the attack. One method is to rely on the obfuscation of the malicious code. This can be done through the use of iframes.[3] Another method is to encrypt the malicious code to prevent detection. Generally the attacker encrypts the malicious code into a ciphertext, then includes the decryption method after the ciphertext.[4]

Detection and prevention


Detection of drive-by download attacks is an active area of research. Some detection methods rely on anomaly detection, monitoring a user's computer system for anomalous state changes while a web page is rendered. Others detect when malicious code (shellcode) is written to memory by an attacker's exploit. Another approach is to build run-time environments that let JavaScript code execute while tracking its behavior. Further methods examine the contents of HTML pages for features that identify malicious web pages, or use characteristics of the web servers to determine whether a page is malicious.[3] Some antivirus tools use static signatures to match patterns of malicious scripts, but these are not very effective because of obfuscation techniques. Detection is also possible using low-interaction or high-interaction honeyclients.[4]

Drive-by downloads can also be prevented by using script-blockers such as NoScript, which can easily be added to browsers such as Firefox. With such a script-blocker, the user can disable all the scripts on a given web page and then selectively re-enable them one by one to determine which are truly necessary for the page to function. However, script-blocking tools can have unintended consequences, such as breaking parts of other websites, so their use is something of a balancing act.[5]

A different form of prevention, known as "Cujo," is integrated into a web proxy, where it inspects web pages and blocks the delivery of malicious JavaScript code.[6]

See also


References

  1. ^ Sood, Aditya K.; Zeadally, Sherali (1 September 2016). "Drive-By Download Attacks: A Comparative Study". IT Professional. 18 (5): 18–25. doi:10.1109/MITP.2016.85. ISSN 1520-9202. S2CID 27808214.
  2. ^ Olsen, Stefanie (8 April 2002). "Web surfers brace for pop-up downloads". CNET News. Retrieved 28 October 2010.
  3. ^ a b c d e Le, Van Lam; Welch, Ian; Gao, Xiaoying; Komisarczuk, Peter (1 January 2013). "Anatomy of Drive-by Download Attack". Proceedings of the Eleventh Australasian Information Security Conference (AISC '13). Vol. 138. Darlinghurst, Australia: Australian Computer Society, Inc. pp. 49–58. ISBN 9781921770234.
  4. ^ a b c d Egele, Manuel; Kirda, Engin; Kruegel, Christopher (1 January 2009). "Mitigating Drive-By Download Attacks: Challenges and Open Problems". INetSec 2009 – Open Research Problems in Network Security. IFIP Advances in Information and Communication Technology. Vol. 309. Springer Berlin Heidelberg. pp. 52–62. doi:10.1007/978-3-642-05437-2_5. ISBN 978-3-642-05436-5.
  5. ^ Phillips, Gavin (14 January 2021). "What Is a Drive-by Download Malware Attack?". makeuseof.com. https://www.makeuseof.com/what-is-a-drive-by-download/. Retrieved 4 January 2022.
  6. ^ Rieck, Konrad; Krueger, Tammo; Dewald, Andreas (6 December 2010). "Cujo: Efficient detection and prevention of drive-by-download attacks". Proceedings of the 26th Annual Computer Security Applications Conference. New York, NY, USA: ACM. pp. 31–39. doi:10.1145/1920261.1920267. ISBN 9781450301336. S2CID 8512207.