Defending against drive-by downloads
by Corey Nachreiner - Director of Security Strategy at WatchGuard - Monday, 3 February 2014.
In case you haven’t heard the term before, a drive-by download (DbD) is a class of cyber attack in which you visit a booby-trapped web site and it automatically and silently downloads and executes malicious code on your computer.

By default, web sites can’t simply download and run code on your computer, so a successful DbD attack relies on a programmatic flaw or vulnerability in the software you use to surf the web. Browsers such as Internet Explorer, Firefox, Safari, and Chrome are the most obvious targets.

However, most users nowadays install many other web-related products that attackers can exploit in DbD attacks. Products like Java, Flash, Shockwave, Reader, QuickTime, and many others insert plugins into your web browser so that it can render the dynamic content you encounter on modern web sites. The problem is that these plugins also expose that software to every page you visit, giving attackers even more attack surface.

In short, if an attacker can find any vulnerability in the diverse set of software you use to browse the web, and can entice you to a web site containing a bit of malicious code, he can exploit that flaw to make your computer infect itself with malware without you even knowing it. By luring you to a particular place and distracting you, these network criminals can quietly compromise you behind your back.

How do hackers get me to malicious sites?

“But wait a second,” you might exclaim, “I’m not naive enough to visit suspicious web sites on the Internet. They can’t infect me if they can’t get me there, right?”

Of course, you are correct. Unless an attacker can get you to his booby-trapped web site, his DbD attack will not succeed. However, you might be surprised at how easy it is to lure victims to booby-trapped sites today.

Let’s start with the old, tried-and-true techniques. In the past, you might have heard security professionals warn you against visiting the seedier side of the Internet. Just like the red-light districts of the real world, the sleazier parts of the Internet host a lot of questionably legal activity. Sites catering to pornography, software piracy, drug sales, and more often partner with cyber criminals (knowingly or unknowingly) and serve up malware to their visitors via DbD attacks. Any time you see something shady offered for free on the Internet, chances are you’ll pay in ways you don’t quite realize.

Another way to get victims to malicious sites is simply to invite them. Cyber criminals use every Internet messaging mechanism they can to spam out links to their malicious pages. They send emails and instant messages (IMs), or post to social networks, sharing links that go directly to booby-trapped web sites. Of course, they dress up the message in some way to get you interested, citing the latest pop culture event or pretending to be a friend sharing a fun link. They also often use link-shortening services to make their malicious links look more benign. Since many users still don’t realize that web links can be dangerous, many fall for the bait and click through to an unwelcome surprise.

However, the most nefarious way to draw victims to booby-trapped DbD web sites is the watering hole attack. All the methods described above depend on getting someone to a site they might not visit of their own accord… but what if you could hijack a site they already visit regularly? Just like lions stalking prey on the savannah, hackers know that if they can poison your favorite “watering hole” web site, you’ll surely stumble upon their DbD code.
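As an added example (this is not code from the article or from WatchGuard), here is a small Python scanner for the kind of injected markup an attacker leaves behind after poisoning a watering hole page: iframes sized or styled to be invisible that load an off-site page, script tags that load from domains the site does not normally use, and inline scripts that rebuild such tags through unescape()/eval(). The sample page, the host names and the allowlist are all constructed for the example; a site owner would run it over their own pages and put their real third-party hosts on the allowlist.

```python
"""Scan page HTML for markup commonly used to plant drive-by download code.

Added example (not WatchGuard's or the article's code). Compromised "watering
hole" pages typically carry an injected iframe that is sized or styled to be
invisible and loads an off-site exploit page, an injected <script src> that
points at a domain the site does not normally use, or an inline script that
rebuilds such tags via unescape()/eval(). This scanner flags all three.
The sample page, host names and allowlist below are constructed for the example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline CSS that makes an element invisible or pushes it far off-screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I)

# Primitives that obfuscated injectors chain together; two or more in one
# inline script is a strong signal, one alone is common in benign code.
OBFUSCATION_MARKERS = [re.compile(p, re.I) for p in (
    r"\beval\s*\(", r"\bunescape\s*\(", r"String\.fromCharCode\s*\(",
    r"document\.write\s*\(")]


def _is_tiny(value):
    """True for width/height attributes of 0 or 1 (optionally with a unit)."""
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= 1


class DriveByScanner(HTMLParser):
    def __init__(self, site_host, trusted_hosts=()):
        super().__init__()
        self.trusted = {h.lower() for h in (site_host, *trusted_hosts)}
        self.findings = []          # (kind, detail, line) tuples
        self._script_buf = None     # collects the text of one inline <script>
        self._script_line = 0

    def _off_site(self, url):
        host = urlparse(url).hostname
        if not host:                # relative URL: same origin as the page
            return False
        host = host.lower()
        return not any(host == t or host.endswith("." + t) for t in self.trusted)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        line = self.getpos()[0]
        if tag == "iframe":
            tiny = _is_tiny(a.get("width")) and _is_tiny(a.get("height"))
            hidden = "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style", "")))
            if (tiny or hidden) and self._off_site(a.get("src", "")):
                self.findings.append(("hidden-iframe", a.get("src", ""), line))
        elif tag == "script":
            src = a.get("src", "")
            if src:
                if self._off_site(src):
                    self.findings.append(("external-script", src, line))
            else:
                self._script_buf, self._script_line = [], line

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            body = "".join(self._script_buf)
            hits = sum(1 for m in OBFUSCATION_MARKERS if m.search(body))
            if hits >= 2:
                self.findings.append(
                    ("obfuscated-inline-script", body.strip()[:60], self._script_line))
            self._script_buf = None


def scan_html(html, site_host, trusted_hosts=()):
    """Return the list of suspicious findings for one page of HTML."""
    scanner = DriveByScanner(site_host, trusted_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a news site page carrying three injected elements.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example-news.com/lib.js"></script>
<script src="https://stats.evil.example/t.js"></script>
</head><body>
<h1>Example News</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://evil.example/in.php" width="1" height="1"
        style="visibility:hidden"></iframe>
<script>var s=unescape("%3c%69%66%72%61%6d%65");eval(s);</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail, line in scan_html(SAMPLE_PAGE, "example-news.com", ["youtube.com"]):
        print(f"line {line}: {kind}: {detail}")
```

The allowlist matches a host and all of its subdomains, so a site's own CDN passes while a look-alike on another domain does not; the obfuscation check deliberately requires two decoding primitives in the same script, because a lone eval() or document.write() is common in legitimate code.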
