Codepath

Drive By Downloads

Drive-By Download Attacks are when an attacker can get a user to download software by simply visiting a website. The user only has to "drive-by" for the download to take place.

There are many channels for distributing drive-by downloads. Online advertising networks were once the most popular. An attacker would sneak a malicious ad into an ad network, and it would be widely distributed by reputable, high-traffic sites. Starting around 2012, additional quality controls were put in place to make this more difficult. Sites which serve lower-quality ads with less quality control still exist. Often these begin with a pop-up window telling the user that a virus has been detected on their computer and offering to perform a free virus scan. Another popular way to bring in victims is to send out phishing emails with links to attacker-controlled websites.

The most dangerous type of distribution is from third-party websites which have been compromised by attackers and perform drive-by downloads on all of their visitors.


Drive-By Download Process

A user visits a compromised website. The website either sends a background request or performs a request redirect to an attacker-controlled website. This can be done quietly, without alerting the user, by using JavaScript and an HTML iframe. The request loads an "exploit kit" which probes the user for a large number of known vulnerabilities in their operating system, browser, or browser plugins. Flash, Java, PDF readers, and video players are frequently vulnerable targets.

Once a working exploit has been identified, the kit uses it to force the user's browser to download a malware "payload". The payload might display ads in the user's browser, make their computer part of a botnet, log keystrokes or steal credentials, hijack banking sessions, install ransomware, or install a backdoor to allow the attacker future access.
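The hidden-iframe redirect described above leaves a trace in the page source that a site owner can check for. The following is an added example, not part of the original guide: it flags iframes that are both hidden (zero-size or hidden by style) and cross-origin. The sample HTML, the page host blog.example and the domain attacker.invalid are constructed.

```python
"""Flag hidden cross-origin iframes in page source, the injection pattern used
to send visitors to an exploit kit. Added example; sample data is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

PAGE_HOST = "blog.example"  # assumed origin of the page being checked


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def _is_tiny(value):
    # width="0", height="1px" etc. are typical of injected frames
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


def _style_hides(style):
    s = (style or "").replace(" ", "").lower()
    return ("display:none" in s or "visibility:hidden" in s
            or re.search(r"(left|top):-\d{3,}", s) is not None)


def find_suspicious_iframes(html, page_host=PAGE_HOST):
    """Return (src, reasons) for iframes that are hidden and point off-site."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        if not host or host == page_host:
            continue  # same-origin or relative frames are not the redirect pattern
        reasons = []
        if _is_tiny(attrs.get("width")) or _is_tiny(attrs.get("height")):
            reasons.append("zero-size")
        if _style_hides(attrs.get("style")):
            reasons.append("hidden-by-style")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample: a legitimate video embed plus an injected hidden frame
SAMPLE_HTML = """<html><body>
<iframe src="https://video.example/embed/123" width="640" height="360"></iframe>
<iframe src="http://attacker.invalid/landing.php" width="0" height="0"
        style="visibility: hidden; position:absolute; left:-9999px"></iframe>
</body></html>"""
```

Running `find_suspicious_iframes(SAMPLE_HTML)` reports only the second frame, with both reasons; the visible video embed is left alone.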


Examples

"Mac Flashback"

In March 2012, attackers created a plugin for use with WordPress blogs which secretly opened up any blog that installed it to malware infection. Any user who visited an infected blog was redirected to an attacker-controlled website. The malicious site first attempted a drive-by download using exploits for the Mac operating system. If the drive-by download failed, it displayed a screen asking the user to install fake Apple software (which also downloaded the same malware). The payload was malware which infected the user's browser and replaced any web ads on the page with ads which would make money for the attacker. (Relatively harmless considering what it could have done instead.) The attack was successful in infecting an estimated 600,000 Macs.

NBC.com drive-by downloads

In February 2013, attackers compromised the NBC.com website and used iframes to serve drive-by downloads of the Citadel Trojan malware, which steals personal and financial information. While investigating and recovering from the security breach, they discovered that their web servers were also providing drive-by downloads of the ZeroAccess malware, which modifies search results to generate pay-per-click ad revenue.


Drive-By Download Preventions

The best defense against drive-by downloads is to turn on automatic software updates for the operating system, web browser, and all plugins. Attackers often use recently announced exploits, and users who are slow to upgrade are vulnerable. In addition, it is prudent to disable or remove any browser plug-in which you do not need; in particular, Java is a rarely used plug-in with frequent vulnerabilities. Users can also install the NoScript browser plugin, which can block JavaScript, Java, Flash, and other plugins from running. Some browsers will even warn users before they visit websites which are known to be compromised.

Users should not be logged into their computers as admins. This is an example of the Principle of Least Privilege—a user does not need admin permissions for most tasks. Not running as an admin limits the read, write, and execute permissions available to malware and confines any damage to the user's own account.

Because drive-by downloads put viruses and malware on a computer, an anti-virus program can help to detect and neutralize the threat if the download succeeds.
