Drive-by downloads are a method used by hackers to distribute malicious software with the intent of compromising your computer.
A drive-by download occurs when a user visits a legitimate but compromised website. When the user loads the page, the hacker's malicious code exploits weaknesses or other security vulnerabilities in the user's web browser or browser plug-ins, allowing malicious files to be downloaded to the user's computer. The intention is either to steal valuable information or to launch a denial-of-service attack against others on the internet, using your computer as the vehicle for the attack.
Another form of drive-by download is referred to as 'malvertisement', which is commonly Flash Player based and takes advantage of unpatched software. Masquerading as a legitimate advertiser, the hacker inserts their malicious software into an advertisement which is then shown on a legitimate website. When a user views the advertisement, the malware infects their computer.
Most drive-by downloads require scripts to be loaded from third-party websites, which are usually operated by the hacker. In this situation, the hacker simply injects inline frame (iframe) code into a legitimate website, so that when the legitimate website is visited, it loads malicious software hosted on another website operated by the hacker.
Search Engine Optimisation (SEO) is increasingly popular with hackers as a technique used in conjunction with drive-by download exploits. SEO increases a website's visibility in a search engine. Generally, the higher or more often a website appears in search results, the more traffic it is likely to receive from the search engine's users. A hacker can use SEO to promote their malicious websites in search engines, increasing the chance of drawing traffic to the website where the exploit occurs.
Hackers are also using malware kits, which in simple terms are all-in-one programs obtained from the Dark Web. These malware kits allow them to target specific web browsers and software flaws, including Adobe Reader, Microsoft Internet Explorer and web browser plug-ins. The websites that host these malware kits assist the hacker in determining which exploits are most likely to work on a user's computer.
How to Fight Back and Reduce Drive-by Downloads
To fight back and reduce the chance of a drive-by download, the following strategies should be implemented:
- Implement application white-listing. Through research, we have seen that in many successful cyber security incidents, application white-listing would have been the only mitigating strategy able to stop a drive-by download from successfully executing malicious software.
- Keep all systems and applications up to date. Patching application and operating system security vulnerabilities, especially in Java and Flash, is a key element in reducing your risk. Old versions of applications are more vulnerable to drive-by downloads.
- Minimise the use of domain administrator privileges. Of the 189 Critical Vulnerabilities discovered so far in 2019, 154 (81%) could have been prevented if administrator rights had not been applied to the user account. Our investigations have shown that least privileged access continues to be best practice – I know with certainty that the removal of admin rights is one of the leading mitigating factors in keeping our clients' networks and systems safe in the face of accelerating vulnerability disclosures. Therefore, to reduce your greatest risk, ensure that users with domain administrator or local administrator privileges NEVER have access to email and, where possible, white-list the websites that administrator accounts can access, or use a web content filtering solution that cannot be disabled by the administrator.
Organisations should also consider implementing any of the following strategies:
- Implement whitelisting for all internet domains you require access to, including HTTPS domains, so that only trusted sites can be accessed by users. This will not prevent drive-by downloads but will prevent secondary malicious websites from loading.
- Install and maintain updated antivirus software capable of scanning internet traffic and detecting exploits. It is highly recommended that any scanning program be externally monitored by a third party to ensure critical alerts or imminent breaches are handled immediately.
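The two defensive ideas above can be combined into a simple check a website owner or security team can run over their own pages: look for the injected inline frames described earlier (hidden, zero-size or display:none frames pulling content from a host the site does not normally use) and compare every external loader against a domain allowlist. The following is an added example written for this article, not code from the original page; the allowlist, the page host "www.example.com" and the sample HTML are all constructed for illustration, and the hidden-element heuristic is an assumption about what injected frames typically look like rather than a complete rule.

```python
"""Scan page HTML for iframes/scripts that load content from hosts outside an
allowlist, and flag hidden loaders. Added example, not from the original
article; the allowlist and sample page below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: the site's own domain and one trusted CDN.
# A real deployment would load this from the proxy / web-filter configuration.
ALLOWLIST = {"example.com", "cdn.example.net"}


def host_allowed(host, allowlist=ALLOWLIST):
    """True if host equals an allowlisted domain or is a subdomain of one.
    Matching is anchored on a dot boundary, so 'example.com.attacker.test'
    is NOT accepted by the 'example.com' entry."""
    host = host.lower().rstrip(".")
    return any(host == dom or host.endswith("." + dom) for dom in allowlist)


def is_hidden(attrs):
    """Heuristic for the classic injected-iframe shape: a zero/one pixel
    width or height, or an inline style that hides the element."""
    for name in ("width", "height"):
        if attrs.get(name, "").strip().lower().rstrip("px") in ("0", "1"):
            return True
    style = attrs.get("style", "").lower().replace(" ", "")
    return any(m in style for m in ("display:none", "visibility:hidden",
                                    "width:0", "height:0"))


class LoaderCollector(HTMLParser):
    """Collects every element whose attribute pulls remote content in."""
    SRC_ATTR = {"iframe": "src", "frame": "src", "script": "src",
                "embed": "src", "object": "data"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.SRC_ATTR:
            return
        attrs = {k: (v or "") for k, v in attrs}   # attribute values may be None
        src = attrs.get(self.SRC_ATTR[tag], "").strip()
        if src:
            self.findings.append({"tag": tag, "src": src,
                                  "hidden": is_hidden(attrs),
                                  "line": self.getpos()[0]})


def scan_html(html, page_host, allowlist=ALLOWLIST):
    """Return alerts for loaders fetching from non-allowlisted hosts or that
    are hidden. Relative URLs resolve to the page's own host."""
    parser = LoaderCollector()
    parser.feed(html)
    parser.close()
    alerts = []
    for f in parser.findings:
        url = f["src"]
        if url.startswith("//"):            # protocol-relative URL
            url = "https:" + url
        parsed = urlparse(url)
        if parsed.scheme in ("javascript", "data"):
            alerts.append({**f, "host": parsed.scheme + ":", "severity": "high",
                           "reason": "inline scheme used as loader source"})
            continue
        host = parsed.hostname or page_host
        allowed = host_allowed(host, allowlist)
        if allowed and not f["hidden"]:
            continue                        # normal, trusted loader
        if not allowed and f["hidden"]:
            severity, reason = "high", "hidden loader from non-allowlisted host"
        elif not allowed:
            severity, reason = "medium", "loader from non-allowlisted host"
        else:
            severity, reason = "low", "hidden loader from allowlisted host"
        alerts.append({**f, "host": host, "severity": severity, "reason": reason})
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(alerts, key=lambda a: (order[a["severity"]], a["line"]))


# Constructed sample page: a legitimate site with injected loaders mixed in.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example.net/app.js"></script>
<script src="https://analytics.third-party.test/t.js"></script>
</head><body>
<p>Welcome to our site</p>
<iframe src="https://example.com.attacker.test/ld.php" width="0" height="0"></iframe>
<iframe src="//static.cdn.example.net/widget.html" width="300" height="200"></iframe>
<script src="/js/site.js"></script>
<iframe src="https://stats.example.org/pixel" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for a in scan_html(SAMPLE_HTML, "www.example.com"):
        print(f'[{a["severity"]:6}] line {a["line"]} <{a["tag"]}> {a["host"]}: {a["reason"]}')
```

Running the sample flags the zero-size frame on line 6 and the display:none frame on line 9 as high severity, and the visible third-party analytics script on line 3 as medium; the site's own relative script and the subdomain of the allowlisted CDN pass. The allowlist match is deliberately anchored on a dot boundary, because a loose suffix match is exactly what an attacker-registered look-alike domain would exploit to slip past a filter.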