Most people don’t think twice about the websites they visit, quickly clicking through and not paying much attention to whether a link will redirect them or whether a secure protocol is being used. Often this isn’t a problem, but if you happen to visit a site that has been compromised, your system can be infected within seconds by a drive by download.
Here, we’ll look at what a drive by download is, the type of damage it can cause, and cover some strategies that your security operations center can use to minimize your risk.
What are Drive by Downloads?
Drive by download refers to the automated download of software to a user’s device without the user’s knowledge or consent. This can occur while the user is browsing a legitimate website, or even through a malicious advertisement displayed on an otherwise safe site. Most drive by downloads take advantage of vulnerabilities in web browsers, operating systems, Java, browser plugins like Adobe Flash, or file editors and viewers like Microsoft Office.
How Drive by Downloads Work
In a typical attack scenario, the threat actor’s objective is to compromise the victim’s machine and enlist it into a botnet. Through this initial security breach, the attacker can leverage control of the user’s device for lateral movement. This happens as follows:
- Vulnerability exploits—the user views the page, triggering the malicious element. The element exploits a vulnerability in a part of the software stack on the user’s computer. This could be the browser, browser plugins, the operating system, an archiving tool like WinZip, a file reader like Adobe PDF, legacy multimedia delivery platforms like Adobe Flash or Microsoft Silverlight, or the version of Java installed on the user’s device.
- Download—the element downloads malicious files silently to the user’s device. In this example, the payload is a Trojan horse. Attackers may use other payloads, as discussed in the following section.
- Execution—the Trojan horse executes, opening a shell the attacker can use to gain control over the device.
- Remote control—the attacker gains remote control. This enables them to extract passwords or other valuable data from the user’s device.
- Lateral movement—the attacker can now use credentials obtained from the user’s device to connect to another, more valuable system, such as a company’s website or network.
Figure 1: Typical sequence of events in a drive by download attack
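The execution step of the chain above leaves a recognizable trace in endpoint telemetry: a browser, document viewer or Java runtime spawning a shell or script host, or launching a freshly written binary from a user-writable download or temp directory. The following Python is an added example (not code from the original article) of how a detection rule over process-creation events can surface that step. The event schema, the sample events and the lists of "exploitable parent" and "shell child" process names are all constructed assumptions that stand in for real EDR or Sysmon data.

```python
"""Flag process-creation events that fit the drive by download execution step.

Added example with a constructed, simplified event schema; real EDR/Sysmon
telemetry should be keyed on a process GUID rather than a reusable PID.
"""
from dataclasses import dataclass
from typing import Dict, List

# Parent processes a drive by download typically exploits (assumed list).
EXPLOITABLE_PARENTS = {
    "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe",
    "acrord32.exe", "winword.exe", "excel.exe", "java.exe", "javaw.exe",
}

# Children that indicate the payload obtained a shell or script host (assumed list).
SHELL_CHILDREN = {
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe",
}

# Directories an unprivileged user can write to, where dropped payloads land.
USER_WRITABLE_DIRS = (
    "\\appdata\\local\\temp\\", "\\downloads\\", "\\appdata\\roaming\\", "\\users\\public\\",
)


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str  # full path of the new process image
    user: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_user_writable_dir(path: str) -> bool:
    lowered = path.replace("/", "\\").lower()
    return any(d in lowered for d in USER_WRITABLE_DIRS)


def detect(events: List[ProcessEvent]) -> List[Dict[str, object]]:
    """Return one alert per event that matches a drive by download pattern."""
    by_pid = {e.pid: e for e in events}
    alerts: List[Dict[str, object]] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or basename(parent.image) not in EXPLOITABLE_PARENTS:
            continue
        parent_name, child_name = basename(parent.image), basename(e.image)
        if child_name in SHELL_CHILDREN:
            rule = "browser_spawns_shell"
        elif in_user_writable_dir(e.image):
            rule = "browser_spawns_binary_from_user_dir"
        else:
            continue  # e.g. a browser spawning its own renderer process
        alerts.append({"rule": rule, "pid": e.pid, "parent": parent_name,
                       "child": child_name, "user": e.user})
    return alerts


# Constructed sample telemetry: one benign session plus two suspicious children.
SAMPLE_EVENTS = [
    ProcessEvent(1000, 800, r"C:\Windows\explorer.exe", r"CORP\bob"),
    ProcessEvent(2000, 1000, r"C:\Program Files\Google\Chrome\Application\chrome.exe", r"CORP\bob"),
    # Normal browser renderer child: same image, protected path, no alert.
    ProcessEvent(2001, 2000, r"C:\Program Files\Google\Chrome\Application\chrome.exe", r"CORP\bob"),
    # Shell spawned directly by the browser: the "Execution" step.
    ProcessEvent(2002, 2000, r"C:\Windows\System32\cmd.exe", r"CORP\bob"),
    # A user opening a prompt from Explorer is not suspicious by this rule.
    ProcessEvent(3000, 1000, r"C:\Windows\System32\cmd.exe", r"CORP\bob"),
    ProcessEvent(4000, 1000, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", r"CORP\bob"),
    # Dropped binary launched from %TEMP% by the document viewer.
    ProcessEvent(4001, 4000, r"C:\Users\bob\AppData\Local\Temp\update.exe", r"CORP\bob"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run stand-alone, the script prints two alerts: the shell spawned by chrome.exe and the binary launched from the temp directory by WINWORD.EXE. The renderer child and the Explorer-launched prompt are ignored, which is the kind of parent/child context an EDR uses to keep this rule from paging on every new browser tab.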
Types of Drive by Download Payloads
Attackers can use drive by downloads to deploy a variety of malicious applications to a victim’s device. These can include:
- Trojan horses, backdoors or rootkits—provide remote control of the user’s device
- Ransomware—allows the attacker to encrypt or destroy data on the device
- Botnet toolkits—attackers may directly install a botnet application that performs actions like sending spam email or participating in DDoS
- Droppers—malware built to load more malware without being detected
- Man in the Middle (MitM) tools—enable attackers to eavesdrop on the user’s communications, insert data into forms, and steal sessions and credentials
- Keyloggers—perform keystroke capturing that allows the attacker to gain access to passwords or other sensitive data
- Data transfer—tools that allow the attacker to move sensitive data to their command and control server, typically using covert channels like DNS tunneling
Drive by Download Mitigation
The first line of defense against drive by downloads is a robust software update and patching procedure. You can use automated patching systems to ensure operating systems, browsers and office applications are updated immediately when patches are available for security vulnerabilities.
However, with the advent of bring your own device (BYOD) and the proliferation of mobile devices, you will not be able to control all the devices accessing your network. The second line of defense is limiting the privileges you give to users connecting over their own devices or guests connecting with unknown devices. For example, you can require that administrative access to a corporate system is always conducted with company equipment.
A third measure is endpoint protection in combination with SIEM solutions, which will help you identify and block incidents as they occur. At the very least, enable personal firewalls and antivirus on all devices. Web-filtering software can also help limit access to risky sites. Beyond that, modern endpoint protection platforms (EPP) provide advanced security measures such as:
- Application whitelisting—specifying that only specific applications can run on the device; this can be extremely effective against drive by malware payloads.
- Next-generation antivirus (NGAV)—can protect against unknown malware and fileless attacks.
- Threat intelligence—can help identify the source and nature of an attack and suggest appropriate defensive measures.
- User and entity behavior analytics (UEBA)—establishes a baseline of normal device or user behavior and flags anomalies that may indicate a drive by download has occurred or a malicious process has been executed.
- Endpoint detection and response (EDR)—can help security teams get real-time data about a successful drive by download and allow them to quarantine devices, contain, and stop the threat.
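Application whitelisting is the measure in the list above that most directly breaks the chain, because a payload dropped into a temp or download directory is simply refused execution. The following Python is an added example (not the article's or any vendor's code) of a small allowlisting policy engine that evaluates rules in the order explicit deny, hash allow, publisher allow, path allow, default deny. The rule model is a simplified stand-in for what AppLocker-style or EPP allowlisting enforces; the `signer` field is assumed to hold an already verified code-signing publisher name, and every executable and hash below is constructed.

```python
"""Minimal application allowlisting policy: deny by default, allow by
hash, trusted publisher, or protected install path.

Added example with constructed inputs; 'signer' stands in for a publisher
name a real enforcement point would verify from the binary's signature.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class Executable:
    path: str
    content: bytes
    signer: Optional[str] = None  # verified publisher, or None if unsigned (assumed)

    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass
class Policy:
    denied_hashes: Set[str] = field(default_factory=set)
    allowed_hashes: Set[str] = field(default_factory=set)
    trusted_publishers: Set[str] = field(default_factory=set)
    # Path rules are only safe for directories a standard user cannot write to.
    allowed_path_prefixes: Tuple[str, ...] = (
        "c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\",
    )


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def evaluate(exe: Executable, policy: Policy) -> Tuple[bool, str]:
    """Decide whether exe may run; returns (allowed, reason)."""
    digest = exe.sha256()
    if digest in policy.denied_hashes:
        return False, "hash explicitly denied"
    if digest in policy.allowed_hashes:
        return True, "hash allowlisted"
    if exe.signer and exe.signer in policy.trusted_publishers:
        return True, "signed by trusted publisher " + exe.signer
    if _norm(exe.path).startswith(policy.allowed_path_prefixes):
        return True, "installed under a protected path"
    # A payload dropped by a drive by download into %TEMP% or Downloads ends here.
    return False, "default deny"


# Constructed sample binaries: the bytes are placeholders for real file contents.
APPROVED_TOOL = Executable(r"C:\Users\bob\Downloads\approved-tool.exe", b"approved tool v1")
BANNED_APP = Executable(r"C:\Program Files\Old\banned.exe", b"known bad build")
VENDOR_APP = Executable(r"C:\Users\bob\AppData\Local\Vendor\app.exe", b"vendor build", signer="Example Vendor Inc")
SYSTEM_TOOL = Executable(r"C:\Windows\System32\notepad.exe", b"system tool")
DROPPED_PAYLOAD = Executable(r"C:\Users\bob\AppData\Local\Temp\update.exe", b"dropped by exploit")

POLICY = Policy(
    denied_hashes={BANNED_APP.sha256()},
    allowed_hashes={APPROVED_TOOL.sha256()},
    trusted_publishers={"Example Vendor Inc"},
)

if __name__ == "__main__":
    for exe in (APPROVED_TOOL, BANNED_APP, VENDOR_APP, SYSTEM_TOOL, DROPPED_PAYLOAD):
        allowed, reason = evaluate(exe, POLICY)
        print(("ALLOW" if allowed else "DENY ").ljust(6), exe.path, "-", reason)
```

The ordering matters: an explicit deny beats every allow rule, so a binary with a known-bad hash is refused even from Program Files, while a signed vendor update that lands in a per-user directory still runs because publisher trust does not depend on location. Hash rules are the strictest but must be refreshed after every software update; publisher rules survive updates, which is why most deployments combine the two and keep path rules for administrator-only directories. Feeding the deny decisions to the SIEM gives the detection side of the same control.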
Drive by downloads can be a challenge to avoid and difficult to detect when they occur. This is especially true when users connect to your systems from personal devices. It’s just not feasible to completely block users from accessing the web, and users often don’t know how to tell whether a site is safe. Despite this, knowing how these downloads work and using the strategies covered here can help ensure that you remain protected. Additionally, training your end users to recognize risky sites, browser extensions and links can go a long way toward preventing downloads from the start.