In computer security, a drive-by download is the unintended download of software, typically malicious software. The term "drive-by download" usually refers to a download which was authorized by a user without understanding what is being downloaded, such as in the case of a Trojan horse. In other cases, the term may simply refer to a download which occurs without a user's knowledge. Common types of files distributed in drive-by download attacks include computer viruses, spyware, or crimeware.
Drive-by downloads may happen when visiting a website,[1] opening an e-mail attachment or clicking a link, or clicking on a deceptive pop-up window:[2] by clicking on the window in the mistaken belief that, for example, an error report from the computer's operating system itself is being acknowledged or a seemingly innocuous advertisement pop-up is being dismissed. In such cases, the "supplier" may claim that the user "consented" to the download, although the user was in fact unaware of having started an unwanted or malicious software download. Similarly, if a person is visiting a site with malicious content, the person may become a victim of a drive-by download attack. That is, the malicious content may be able to exploit vulnerabilities in the browser or plugins to run malicious code without the user's knowledge.[3]
A drive-by install (or installation) is a similar event. It refers to installation rather than download (though sometimes the two terms are used interchangeably).
When creating a drive-by download, an attacker must first create the malicious content used to perform the attack. With the rise in exploit packs that contain the vulnerabilities needed to carry out unauthorized drive-by download attacks, the skill level needed to perform this attack has been reduced.[3]
The next step is to host the malicious content that the attacker wishes to distribute. One option is for the attacker to host the malicious content on their own server. However, because of the difficulty in directing users to a new page, it may also be hosted on a compromised legitimate website, or a legitimate website unknowingly distributing the attacker's content through a third-party service (e.g. an advertisement). When the content is loaded by the client, the attacker will analyze the fingerprint of the client in order to tailor the code to exploit vulnerabilities specific to that client.[4]
Finally, the attacker exploits the necessary vulnerabilities to launch the drive-by download attack. Drive-by downloads usually use one of two strategies. The first strategy is exploiting API calls for various plugins. For example, the DownloadAndInstall API of the Sina ActiveX component did not properly check its parameters and allowed the downloading and execution of arbitrary files from the internet. The second strategy involves writing shellcode to memory, and then exploiting vulnerabilities in the web browser or plugin to divert the control flow of the program to the shellcode.[4] After the shellcode has been executed, the attacker can perform further malicious activities. This often involves downloading and installing malware, but can be anything, including stealing information to send back to the attacker.[3]
The attacker may also take measures to prevent detection throughout the attack. One method is to rely on the obfuscation of the malicious code. This can be done through the use of iframes.[3] Another method is to encrypt the malicious code to prevent detection. Generally the attacker encrypts the malicious code into a ciphertext, then includes the decryption method after the ciphertext.[4]
Detection of drive-by download attacks is an active area of research. Some methods of detection involve anomaly detection, which tracks state changes on a user's computer system while the user visits a webpage. This involves monitoring the user's computer system for anomalous changes when a web page is rendered. Other methods of detection include detecting when malicious code (shellcode) is written to memory by an attacker's exploit. Another detection method is to make run-time environments that allow JavaScript code to run and track its behavior while it runs. Other detection methods include examining the contents of HTML pages to identify features that characterize malicious web pages, and using characteristics of web servers to determine if a page is malicious.[3] Some antivirus tools use static signatures to match patterns of malicious scripts, although these are not very effective because of obfuscation techniques. Detection is also possible by using low-interaction or high-interaction honeyclients.[4]
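As an added example that is not part of the article, the following Python script applies the kind of static page inspection described above to the two concealment traits from the previous paragraph: hidden iframes, and a long opaque literal followed by its decode-and-execute routine. Both sample pages are constructed for the example, and the hostnames in them are placeholders.

```python
import re
from html.parser import HTMLParser

# Constructed sample pages (placeholder hostnames, not real sites).
BENIGN = """<html><body><h1>News</h1><script>document.title='News';</script>
<iframe src="https://example.org/widget" width="300" height="200"></iframe></body></html>"""
SUSPICIOUS = """<html><body><p>Welcome</p>
<iframe src="http://landing.invalid/" width="0" height="0" style="visibility:hidden"></iframe>
<script>var c="646f63756d656e742e7469746c653d27636f6e73747275637465642d74657374";
var d="";for(var i=0;i<c.length;i+=2){d+=String.fromCharCode(parseInt(c.substr(i,2),16));}
eval(d);</script></body></html>"""

class PageFeatures(HTMLParser):
    """Collects <iframe> attributes and inline <script> bodies from a page."""
    def __init__(self):
        super().__init__()
        self.iframes, self.scripts, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})
        elif tag == "script":
            self._in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:          # script bodies may arrive in several chunks
            self.scripts[-1] += data

def hidden_iframe(attrs):
    """Iframe concealed by zero size or by CSS, the usual way injected content is hidden."""
    def dim(name):
        v = attrs.get(name, "").strip().rstrip("px")
        return int(v) if v.isdigit() else None
    tiny = all(dim(d) is not None and dim(d) <= 1 for d in ("width", "height"))
    style = attrs.get("style", "").replace(" ", "").lower()
    return tiny or "display:none" in style or "visibility:hidden" in style

LONG_LITERAL = re.compile(r"[\"'][0-9A-Za-z+/%=\\]{40,}[\"']")       # the "ciphertext"
DECODE = re.compile(r"fromCharCode|unescape\(|atob\(|parseInt\(")     # the "decryptor"
EXEC = re.compile(r"\beval\(|new Function\(|document\.write\(")       # dynamic execution

def decoder_script(src):
    """Long opaque literal + decode routine + dynamic execution in one script."""
    return bool(LONG_LITERAL.search(src) and DECODE.search(src) and EXEC.search(src))

def analyze(html):
    """Return counts of each trait and a simple weighted score for the page."""
    p = PageFeatures(); p.feed(html)
    hidden = sum(hidden_iframe(a) for a in p.iframes)
    decoders = sum(decoder_script(s) for s in p.scripts)
    return {"hidden_iframes": hidden, "decoder_scripts": decoders, "score": 2 * hidden + 3 * decoders}
```

Heuristics of this kind are cheap to run in a proxy but, as the paragraph notes for static signatures, are easily evaded by further obfuscation, which is why the emulation and honeyclient approaches above complement them.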
Drive-by downloads can also be prevented from occurring by using script-blockers such as NoScript, which can easily be added into browsers such as Firefox. Using such a script-blocker, the user can disable all the scripts on a given webpage, and then selectively re-enable individual scripts on a one-by-one basis in order to determine which ones are truly necessary for webpage functionality. However, some script-blocking tools can have unintended consequences, such as breaking parts of other websites, which can be a bit of a balancing act.[5]
A different form of prevention, known as "Cujo," is integrated into a web proxy, where it inspects web pages and blocks the delivery of malicious JavaScript code.[6]