Drive-By Downloads - Silent Malware Installation

A drive-by download is an attack technique in which a user becomes infected with malware merely by viewing a web page, without performing any click or download action. Because it exploits vulnerabilities in browsers or plugins to execute arbitrary code, even security-conscious users can fall victim. It is an attack that fundamentally overturns the belief that "you are safe as long as you do not visit suspicious sites," and it is not uncommon for legitimate sites to be tampered with and used as a stepping stone for the attack.

How the Attack Works

User → views web page → tampered page (malicious JS / iframe) → exploit kit (auto-scans vulnerabilities) → payload delivery → malware execution

At the core of the attack is the exploit kit (EK). EKs such as Angler, RIG, and Magnitude automatically fingerprint the type, version, and installed plugins of the visiting browser, then select an available vulnerability and deliver the attack code. Because this entire process completes in a matter of milliseconds, the user almost never notices anything unusual.

Malvertising - Infection via Ad Networks

Malvertising is a technique that slips malicious advertisements into legitimate ad networks. Attackers purchase ad space legitimately and embed attack code inside the ad creative. In some cases, simply displaying the ad (without clicking it) redirects the user to an exploit kit.

Infection vector    | How it works                                              | Scope of impact
Site tampering      | Injects attack code into the HTML/JS of a legitimate site | All visitors to that site
Malvertising        | Delivers malicious ads via ad networks                    | Visitors of all sites where the ad is shown
Third-party scripts | Compromises external JS libraries or widgets              | All sites that load that script
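The "site tampering" vector leaves traces in the served HTML: an iframe sized or styled so the user never sees it, an inline script that decodes and evaluates itself, or a script loaded from a host the site does not normally use. The scanner below is an added example (not code from the original article) showing how a defender can flag those patterns when monitoring their own pages; the allowed-host list, the `.invalid` hostnames and the sample page are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles that hide an iframe from the user (invisible, zero-sized, or off-screen).
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|"
                          r"(?:width|height)\s*:\s*0(?!\.?\d)|(?:left|top)\s*:\s*-\d{3,}px", re.I)
# Crude marker for an obfuscated inline loader stage (eval over decoded text).
OBFUSCATED = re.compile(r"eval\s*\(\s*(?:unescape|atob|String\.fromCharCode)", re.I)

class TamperScanner(HTMLParser):
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}  # hosts we expect to serve scripts
        self.findings = []      # (finding type, evidence) tuples
        self._inline = None     # buffer for the body of the current inline <script>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            tiny = a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1")
            if tiny or HIDDEN_STYLE.search(a.get("style", "")):
                self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "script":
            src = a.get("src", "")
            if not src:
                self._inline = []   # start collecting inline script text
            elif (host := (urlparse(src).hostname or "").lower()) and host not in self.allowed_hosts:
                self.findings.append(("external-script", src))

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline)
            if OBFUSCATED.search(body):
                self.findings.append(("obfuscated-inline-script", body.strip()[:60]))
            self._inline = None

def scan_page(html, allowed_hosts):
    # Returns the list of suspicious findings for one fetched page.
    p = TamperScanner(allowed_hosts)
    p.feed(html); p.close()
    return p.findings

# Constructed sample: a news page with two injected elements and one unknown third-party script.
SAMPLE_PAGE = """<html><head><script src="/static/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script></head><body><h1>News</h1>
<iframe src="http://ek-landing.invalid/gate.php" width="1" height="1" style="display:none"></iframe>
<script>eval(unescape("%64%6f%63..."));</script><script src="//third-party.invalid/widget.js"></script></body></html>"""
```

Run `scan_page(SAMPLE_PAGE, ["cdn.example.com"])` against a page fetched from your own site; a non-empty result is a prompt to diff the served HTML against the deployed source, not proof of compromise by itself.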

In 2016, the ad spaces of major news sites such as MSN.com, BBC, and The New York Times were abused for malvertising, exposing millions of users to the Angler EK. Because infection occurs merely by browsing a legitimate site, the countermeasure of "only viewing trusted sites is safe" is powerless.

Relationship with the Watering Hole Attack

A watering hole attack is a targeted attack in which the attacker first researches the websites that employees of the target organization frequently visit, then embeds a drive-by download trap on those sites. Unlike malvertising, which targets the general public indiscriminately, its hallmark is pinpointing a specific organization or industry. Cases have been reported in which industry association sites and specialized media outlets are used as stepping stones.

Defense via the Browser Sandbox

Modern browsers use sandbox technology to isolate each tab's process from the OS. In Chrome's multi-process architecture, the design ensures that even if the renderer process is compromised, it cannot access OS-level resources. However, sandbox escape vulnerabilities are sometimes discovered, so relying on the sandbox alone is dangerous.

Effective defenses
  • Enable automatic updates for the browser and OS
  • Remove unnecessary plugins (Flash, Java)
  • Introduce an ad blocker
  • Network-level URL filtering
Measures with limited effect
  • "Avoiding suspicious sites" (legitimate sites get tampered with too)
  • Signature-based antivirus alone
  • Disabling JavaScript entirely (usability drops dramatically)
  • Relying on user education alone

The Importance of Patch Management

The vast majority of drive-by downloads exploit known vulnerabilities. Rigorous patch management, keeping browsers, the OS, and plugins up to date at all times, is the most cost-effective defense. Exploit kits incorporate attack code for many of the vulnerabilities they target within days of a patch's release, so any delay in updating translates directly into risk.

"I never clicked anything, so I can't possibly get infected" is exactly the kind of false assumption that expands the damage caused by drive-by downloads. It is important to repeatedly convey, through an organization's security training, that infection is established merely by displaying a page.

The risks of browser extensions are explained in detail in our article on browser extension security, and safe app adoption in our article on installing apps safely. Please also refer to our article on ransomware protection.
