Drive-By Downloads: How They Attack and How to Defend Yourself
[Image: Two French 155-mm self-propelled guns, used in 'shoot and scoot' artillery tactics, near Mostar, Bosnia-Herzegovina in 1996. Credit: Sgt. Brian Gavin/U.S. Dept. of Defense, public domain]
Drive-by downloads are malicious pieces of software that are downloaded to a computer, tablet or smartphone when the user views a compromised Web page or HTML-based email message. In many cases, the malware will be automatically installed on the system.
The malware delivered by a drive-by download is usually classified as a Trojan horse, or Trojan for short, because it deceives the user about the nature of the website or email. In most cases, the operator of the compromised website will have no idea his site is distributing malware.
Once installed, malware delivered by a drive-by download can do a number of different things: log keystrokes, scan the system for files of a personal nature, herd the system into a botnet of similarly compromised machines, infect the Web browser with a banking Trojan that hijacks online-banking sessions, and install a "backdoor" that will let in even more malware.
Modern Web browsers such as Firefox and Google Chrome, and robust anti-virus software, will alert users when they visit a website known to be compromised or malicious. But many drive-by download links are well hidden, and won't cause infected sites to appear on blacklists of compromised sites.
A real-world example
The Mac Flashback outbreak, which infected an estimated 600,000 Macs in March 2012, showed how successful drive-by downloads can be.
In that case, malware writers first created a fake "toolkit" for WordPress-based blogs, which tens of thousands of WordPress users installed, creating a "backdoor" that let the malware writers infect their blog pages.
Browsers visiting those pages were redirected to malware sites, which tried to install a "downloader," the first part of the Flashback Trojan. If direct installation failed, another piece of malware asked the user for permission to install (fake) Apple software, which was in fact the downloader.
Once installed, the downloader would install more malware. One piece was a backdoor; another hijacked Web browsers to replace Web ads with ads controlled by the malware writers.
The Flashback outbreak was contained by Apple security updates in early April 2012, but in retrospect the owners of those 600,000 infected Macs were lucky. The backdoor did not install any more malware, which could have stolen the users' identities, emptied their bank accounts or used the infected machines to pump out spam and sleazy Web ads.
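As an added example (not part of the original article), this is the kind of check a blog owner can run over their own pages to notice the sort of injected redirect the Flashback campaign relied on: it parses a page's HTML and flags hidden iframes or meta refreshes that point off-site, and inline scripts obfuscated with eval/unescape. The sample page, the .invalid hostnames and the size thresholds are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# eval()/document.write() of escaped text, or a long run of %xx escapes, is typical of injected loaders
OBFUSCATED = re.compile(r"(eval|document\.write)\s*\(\s*unescape\s*\(|(%[0-9a-f]{2}){20,}", re.I)

class RedirectScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._script = None  # buffer for the inline <script> currently being read

    def _external(self, url):
        host = urlparse(url).hostname
        return bool(host) and host.lower() != self.site_host

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            tiny = a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1")
            if (tiny or HIDDEN_STYLE.search(a.get("style", ""))) and self._external(a.get("src", "")):
                self.findings.append(f"hidden iframe to external host: {a['src']}")
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content", ""), re.I)
            if m and self._external(m.group(1)):
                self.findings.append(f"meta refresh to external host: {m.group(1)}")
        elif tag == "script" and "src" not in a:
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            if OBFUSCATED.search("".join(self._script)):
                self.findings.append("obfuscated inline script (eval/unescape or long %xx run)")
            self._script = None

def scan_page(html, site_host):
    """Return human-readable findings for one page; an empty list means nothing was flagged."""
    scanner = RedirectScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample: a blog page with an injected refresh, a 0x0 off-site iframe and an eval/unescape loader.
SAMPLE_PAGE = """<html><head><title>My blog</title>
<meta http-equiv="refresh" content="0; url=http://malware.example.invalid/landing"></head>
<body><iframe src="http://malware.example.invalid/kit" width="0" height="0"></iframe>
<iframe src="https://blog.example.com/embed" width="0" height="0"></iframe>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74'))</script></body></html>"""
```

Running scan_page(SAMPLE_PAGE, "blog.example.com") flags the meta refresh, the off-site 0x0 iframe and the obfuscated script, while the same-host 0x0 iframe (a legitimate embed) is left alone.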
How to protect yourself
To avoid being infected by drive-by downloads, computer users need to do three things.
First, set up the user accounts so that all regular users have limited permissions and cannot modify applications or the operating system. Create a separate administrator account to be used only when installing, updating or deleting software.
Second, set the computer so that operating-system updates are automatically installed, and turn on whatever firewalls are available. (The wireless router firewall should also be activated.)
Third, install a robust anti-virus software product, set it to automatically update itself with the latest malware definitions, and make sure it performs regular full-system scans. Many free anti-virus products are available, but the paid ones do a better job of protecting Web browsers and email clients from drive-by downloads.
Smartphone and tablet users need to take different precautions. Owners of Apple iOS devices such as the iPhone, iPad and iPod Touch should avoid "jailbreaking" their devices and should install Apple system updates.
Android owners, however, should never immediately install a system update that suddenly appears on their screen; instead, they should consult the Google Mobile Blog to check whether it's legitimate. Installation of mobile security software is also essential for Android users.