Defending against drive-by downloads
by Corey Nachreiner - Director of Security Strategy at WatchGuard - Monday, 3 February 2014.
In case you haven't heard the term before, a drive-by download (DbD) is a class of cyber attack where you visit a booby-trapped web site and it automatically, and silently, downloads and executes malicious code on your computer.

By default, web sites can't just download and run code on your computer, so a successful DbD attack relies on some sort of programmatic flaw or vulnerability in the software you use to surf the web. For instance, browsers like Internet Explorer, Firefox, Safari, and Chrome make the most obvious targets.

However, nowadays most users install many other web-related products, which attackers can exploit in DbD attacks. For instance, products like Java, Flash, Shockwave, Reader, QuickTime, and many others insert plugins into your web browser, which allows them to render the dynamic content you encounter when visiting modern web sites. The problem is that these plugins also give attackers access to this software as well, providing more attack surface opportunities.

In short, if an attacker can find any vulnerability in the diverse software set you use to browse the web, and he can entice you to a web site containing a bit of malicious code, he can exploit these flaws to force your computer to infect itself with malware without you even knowing it. By luring you to a special place and distracting you, these network criminals can quietly compromise you behind your back.

How do hackers get me to malicious sites?

"But wait a second," you might exclaim, "I'm not naive enough to visit suspicious web sites on the Internet. They can't infect me if they can't get me there, right?"

Of course, you are correct. Unless an attacker can get you to his booby-trapped web site, his DbD attack will not succeed. However, you might be surprised at how easy it is to lure victims to booby-trapped sites today.

Let's start with the old, tried-and-true techniques. In the past, you might have heard security professionals warn you against visiting the seedier side of the Internet. Just like in the red-light districts found in the real world, lots of questionably legal activities happen in some of the sleazier parts of the Internet. Sites catering to pornography, software piracy, drug sales, and more, often partner with cyber criminals (knowingly or unknowingly), and serve up malware to their visitors via DbD attacks. Anytime you see something shady offered for free on the Internet, chances are you'll pay in ways you don't quite know.

Another way to get victims to malicious sites is just to invite them to visit. Cyber criminals use every Internet messaging mechanism they can to spam out links to their malicious pages. They send emails, instant messages (IMs), or post to social networks, sharing links that go directly to booby-trapped websites. Of course, they dress up their message in some way to get you interested, citing the latest pop culture event, or pretending to be your friend sharing a fun link. They also often use link-shortening services to make their malicious links seem more benign. Since many users still don't realize web links can be dangerous, many fall for the bait and click the link for an unwelcome surprise.
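The lure links described above can be screened on the receiving side before anyone clicks them. The following is an added example, not code from the article or from WatchGuard: a small message filter that pulls the links out of an email or IM body and flags two of the tell-tale signs mentioned here, a destination on a link-shortening service, and an HTML anchor whose visible text names one host while the real href points somewhere else. The shortener host list and the sample message are constructed for this example and are assumptions, not data from the page.

```python
"""Flag lure links in a message body: shortened URLs, and HTML anchors whose
visible text names a different host than the one the href really points at.

Added example for this article; not part of the original post.
The shortener list and the sample message below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative sample of link-shortening hosts (an assumption; extend as needed).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly", "is.gd"}

# Matches http(s) URLs in free text, stopping at whitespace, tag brackets or quotes.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _host(url):
    """Return the lowercase hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_message(body):
    """Return a list of (reason, url) findings for a plain-text or HTML body.

    Plain text passes through the HTML parser unchanged, so the same function
    serves both email and instant-message bodies.
    """
    findings = []
    parser = _AnchorCollector()
    parser.feed(body)
    for href, text in parser.anchors:
        # Visible text that itself looks like a URL but names a different host
        # than the real destination is the classic dressed-up lure link.
        shown = URL_RE.search(text)
        if shown and _host(shown.group(0)) and _host(shown.group(0)) != _host(href):
            findings.append(("href/text host mismatch", href))
    seen = set()
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;:)")  # drop trailing sentence punctuation
        if url in seen:
            continue
        seen.add(url)
        if _host(url) in SHORTENER_HOSTS:
            findings.append(("shortened link", url))
    return findings


# Constructed sample message: one shortened link, one dressed-up login link,
# and one ordinary link that should not be flagged.
SAMPLE_BODY = (
    "<p>Hey, saw this about the awards show last night!</p>"
    '<p><a href="http://bit.ly/EXAMPLE">http://bit.ly/EXAMPLE</a></p>'
    '<p>Log in here: <a href="http://example.net/x">http://example.com/login</a></p>'
    "<p>Plain link: http://example.org/page.</p>"
)

if __name__ == "__main__":
    for reason, url in analyze_message(SAMPLE_BODY):
        print(f"{reason}: {url}")
```

Run on the constructed sample, the filter reports the shortened link and the anchor whose text says example.com while its href goes to example.net, and stays quiet about the ordinary example.org link. A real mail gateway would feed `analyze_message` the decoded text or HTML part of each message and quarantine or rewrite the flagged links rather than print them.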

However, the most nefarious way to draw victims to booby-trapped DbD web sites is the watering hole attack. All the methods described previously depend on getting someone to a site that they may not visit on their own accord... but what if you could hijack a site they frequented regularly? Just like the lions stalking prey in the savannah, hackers know that if they can poison your favorite "watering hole" web site, you'll surely stumble upon their DbD code.
