Drive by Downloads



The following article is the fifth of a series of articles on Cyber Attacks and focuses on drive by downloads.

Used in many of the most common cyber-attacks, drive-by downloads are hard to spot and involve little or no interaction from the victim.

A drive-by download is either a download the user authorises without understanding the consequences, or, as the name suggests, a download that happens without the user's knowledge at all. Drive-by downloads can deliver a variety of malware, such as spyware, keyloggers or ransomware.

How does a drive by download happen?

It can happen in several ways: visiting a compromised website, viewing an HTML email message, or simply clicking on a deceptive pop-up window. Drive-by downloads exploit unpatched flaws in the operating system, applications or browser on the victim's device.

If you visit a compromised website that is running malicious code, the drive-by download will automatically place a small piece of code on the device without the user's knowledge. This initial code is usually tiny, so that the victim does not notice, and its only job is to contact the attacker's server, which then completes the infection by downloading the rest of the malware to the device.

A compromised website will often serve several different exploits, so that whichever vulnerability the device has, one of them is likely to match and install the malware. Once installed, the malware may sit silently on the device collecting information without the user being aware.

Another form of drive-by download is malvertising: malicious advertisements, often placed on legitimate websites, are used to spread malware. This is a dangerous threat because it requires little or no user interaction and the malicious advertisements sit on trusted websites. As with other forms of drive-by delivery, it relies on exploiting unpatched software and operating systems.
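The injected code described above, whether it arrives through a compromised page or a malvertising slot, usually takes one of two forms: a hidden or one-pixel iframe pointing at a redirector on another domain, or an obfuscated inline script that decodes and writes such a redirect at run time. The following scanner is an added example, not code from the original article. It walks a page with Python's standard `html.parser` and flags both patterns; the sample page, the hostnames in it and the thresholds are constructed for the illustration.

```python
"""Scan an HTML page for the injection patterns drive-by downloads rely on.

Added example for this article. The sample page below is constructed and the
hostnames in it are placeholders, not real infrastructure.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a legitimate-looking shop page with two injected elements
# (a one-pixel hidden iframe to a foreign host and an obfuscated inline script).
# The first iframe is a normal, visible ad slot and must not be flagged.
SAMPLE_PAGE = """<html><head><title>Shop</title></head><body>
<h1>Welcome</h1>
<iframe src="https://ads.example-partner.test/banner" width="300" height="250"></iframe>
<iframe src="http://redirector.example-attacker.test/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65'))</script>
<script src="/static/app.js"></script>
</body></html>"""

# CSS used to keep an iframe out of sight.
HIDDEN_STYLE = re.compile(r"(display\s*:\s*none|visibility\s*:\s*hidden)", re.I)
# Calls that almost always appear when a redirect is being decoded at run time.
OBFUSCATION = re.compile(r"\b(eval|unescape|fromCharCode|document\.write)\s*\(", re.I)


class InjectionScanner(HTMLParser):
    """Collects (kind, detail) findings for hidden foreign iframes and obfuscated scripts."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = a.get("src", "")
            # Relative src stays on the page's own host.
            host = urlparse(src).hostname or self.page_host
            tiny = self._is_tiny(a.get("width"), a.get("height"))
            hidden = bool(HIDDEN_STYLE.search(a.get("style", "")))
            # Only a foreign iframe that is also invisible is suspicious;
            # a visible cross-domain ad slot is normal.
            if host != self.page_host and (tiny or hidden):
                self.findings.append(("hidden_iframe", src))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser hands the whole script body to handle_data in one chunk.
        if self._in_script and OBFUSCATION.search(data):
            self.findings.append(("obfuscated_script", data.strip()[:60]))

    @staticmethod
    def _is_tiny(width, height):
        try:
            return int(width) <= 1 or int(height) <= 1
        except (TypeError, ValueError):
            return False


def scan_page(html, page_host):
    """Return the list of findings for one page served from page_host."""
    scanner = InjectionScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, detail in scan_page(SAMPLE_PAGE, "shop.example.test"):
        print(f"{kind}: {detail}")
```

The two rules deliberately combine signals: a cross-domain iframe on its own is how advertising works, and `eval` on its own appears in plenty of legitimate bundles, so the scanner flags an iframe only when it is both foreign and invisible, and a script only when it contains the decode-and-execute calls. Run it against a copy of a page you suspect, with its real hostname as `page_host`.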

What are the stages of a drive-by-download infection?

  1. A drive-by download from an infected HTML email places malicious code on the device through the user's software, app or browser.
  2. This code then redirects the user's web browser to a malicious site hosting an exploit kit. An exploit kit is software designed to identify vulnerabilities in the visiting browser, its plugins and the operating system; once a vulnerability is found, the kit exploits it to install malware on the device.
  3. The malware can have a variety of purposes, typically to steal confidential information or to deliver ransomware. If the device is networked, the infection may spread across the infrastructure.
  4. The outcome may be loss of sensitive data, infected devices or networks, and loss of funds through ransomware.
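The chain in the stages above leaves a distinctive trace in web proxy logs: a page on one host, a Referer chain that hops across one or more other hosts within seconds, and finally an executable served at the end of that chain, with no time in between for the user to have clicked anything. The detector below is an added example, not code from the original article. The log format (timestamp, client, method, URL, status, content type, referer) and the log lines are constructed for the illustration, and the hostnames are placeholders; the 30-second window is an assumption to tune to your own traffic.

```python
"""Flag the exploit-kit delivery chain in web proxy logs.

Added example for this article. The space-separated log format, the sample
lines and the hostnames are constructed; the time window is an assumption.
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample. Client 10.0.0.5 shows the drive-by chain: news page ->
# redirector -> exploit-kit landing page -> executable payload, all within 4 s.
# Client 10.0.0.7 is a benign, user-initiated download from the site it is on.
SAMPLE_LOG = """\
2024-03-01T10:00:01 10.0.0.5 GET http://news.example-site.test/article.html 200 text/html -
2024-03-01T10:00:02 10.0.0.5 GET http://redirector.example-attacker.test/in.php 302 text/html http://news.example-site.test/article.html
2024-03-01T10:00:03 10.0.0.5 GET http://landing.example-attacker.test/gate.php 200 text/html http://redirector.example-attacker.test/in.php
2024-03-01T10:00:05 10.0.0.5 GET http://landing.example-attacker.test/payload.php 200 application/x-msdownload http://landing.example-attacker.test/gate.php
2024-03-01T10:05:00 10.0.0.7 GET http://vendor.example-site.test/downloads.html 200 text/html -
2024-03-01T10:06:30 10.0.0.7 GET http://vendor.example-site.test/setup.exe 200 application/x-msdownload http://vendor.example-site.test/downloads.html
"""

# Content types that mean "a Windows executable came down the wire".
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec", "application/octet-stream"}
# Assumed: a human cannot browse from page load to a cross-domain download this fast.
WINDOW_SECONDS = 30


def parse_log(text):
    """Parse the constructed log format into a list of request records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, ctype, referer = line.split(" ", 6)
        records.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "method": method,
            "url": url,
            "host": urlparse(url).hostname,
            "status": int(status),
            "ctype": ctype,
            "referer": None if referer == "-" else referer,
        })
    return records


def referer_chain(by_url, record):
    """Walk Referer headers backwards from record; return the chain oldest-first."""
    chain = [record]
    seen = {record["url"]}
    current = record
    while current["referer"] and current["referer"] not in seen:
        previous = by_url.get(current["referer"])
        if previous is None:
            break
        seen.add(previous["url"])
        chain.append(previous)
        current = previous
    return list(reversed(chain))


def find_drive_by_chains(text, window=WINDOW_SECONDS):
    """Return one alert per executable download reached through a fast cross-host chain."""
    by_client = defaultdict(list)
    for record in parse_log(text):
        by_client[record["client"]].append(record)

    alerts = []
    for client, records in by_client.items():
        by_url = {r["url"]: r for r in records}
        for record in records:
            if record["ctype"] not in EXECUTABLE_TYPES:
                continue
            chain = referer_chain(by_url, record)
            elapsed = (record["ts"] - chain[0]["ts"]).total_seconds()
            hosts = []
            for hop in chain:
                if hop["host"] not in hosts:
                    hosts.append(hop["host"])
            # A genuine drive-by crosses hosts and finishes far faster than a person clicks.
            if len(hosts) >= 2 and elapsed <= window:
                alerts.append({
                    "client": client,
                    "origin": chain[0]["host"],
                    "hosts": hosts,
                    "payload": record["url"],
                    "elapsed": elapsed,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_drive_by_chains(SAMPLE_LOG):
        print(f"{alert['client']} {alert['origin']} -> {' -> '.join(alert['hosts'])} in {alert['elapsed']}s")
```

The two conditions map onto the two properties of the attack: the cross-host Referer chain is the redirect to the exploit kit in stage 2, and the short elapsed time is the absence of user interaction. A download the user chose from the site they were already on stays on a single host and usually takes much longer, so it is not flagged. Real proxies may strip or rewrite Referer on HTTPS hops, so in production the chain should also be stitched by client and time proximity rather than by Referer alone.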

How can you protect yourself?

  • Drive-by downloads take advantage of vulnerabilities in your software, system and apps; you can protect yourself by running the latest versions of them, as these carry the latest patches.
  • This is true for your internet browser too: if you keep it on the latest version, you minimise the risk of your device being infected.
  • Install an antivirus that warns you when you are navigating to a malicious or unsafe site.
  • If you administer a network of computers, lock down domain and local administration rights, so that an exploit running as an ordinary user cannot install malware system-wide.
  • Use enterprise-class firewall technology that inspects data packets and blocks potentially dangerous downloads.