The European Network and Information Security Agency (ENISA) has identified drive-by downloads as the number one threat in the emerging IT landscape. This post examines the nature of this threat.
A drive-by download occurs when malicious code is installed on a device without the user’s knowledge, when the user visits an infected webpage, or opens an infected HTML email, or via instant messaging. Typically, in a drive-by download, the malware is installed without the user knowing, or without the user knowing it’s true purpose. It is a trojan because it deceives the user as to it’s real intentions.
Once the malware is installed on the user’s device, it can undertake malicious activity such as key logging, identity theft, spam, or incorporate the device into a botnet with communication channels to and from the bot commander and conduct DDoS attacks. If the device is a mobile phone, the malware could conduct SMS fraud by silently sending SMS messages to premium numbers.
The infected website hosting a drive-by download typically is a legitimate website which has been compromised. The malicious code could reside in a pop-up advert or in an iframe on the webpage. The infected website typically utilises an exploit kit which contains several exploits in order to improve the chances of successful infection. They can be updated so as to include only the latest exploits. In this way the exploit kit maximises it’s chances of successfully finding a vulnerability which remains unpatched. Blackhole and Incognito are examples of exploit kits commonly used.
Pop-up downloads require the user to accept the download or installation. The user can be tricked into accepting these as the messaging on the pop-up does not need to specify that a download or install will take place. The pop-up download exploits the tendency of many users to simply click on warnings and pop-ups. Often the permission is designed to look like a warning from AV software or from the operating system. Many users have become conditioned to simply click accept when asked.
Current protection mechanisms against drive-by downloads are weak. One method is where the malicious webpage is added to a blacklist to prevent the user navigating to the site. However, webpages with drive-by downloads typically only remain open for 2.5 hours on average, making blacklisting practically ineffective.
Apart from blacklisting, malware signature scanning is the main protection mechanism relied upon. However, signature scanning is notoriously ineffective, and now only capable of identifying very few of the latest malware.
Drive-by downloads will continue to remain one of the most dangerous threats into the near future, with mobile devices now being targeted. Android devices have already been the subject of drive-by download attacks. One masquerades as an Android system update tricking Android users into installing. The introduction of mobile into this mix opens the attack surface considerably ensuring that drive-by downloads will continue to be a major IT security threat.