In computer security, a drive-by download is the unintended download of software, typically malicious software. The term usually refers to a download which was authorized by a user without understanding what is being downloaded, such as in the case of a Trojan horse. In other cases, the term may simply refer to a download which occurs without a user's knowledge. Common types of files distributed in drive-by download attacks include computer viruses, spyware, or crimeware.

Drive-by downloads may happen when visiting a website, opening an e-mail attachment, clicking a link in an email, or clicking on a deceptive pop-up window. Users often click on a pop-up window in the mistaken belief that, for example, an error message from the computer's operating system is being acknowledged or a seemingly innocuous advertisement pop-up is being dismissed. In such cases, the "supplier" may claim that the user "consented" to the download, although the user was in fact unaware of having started an unwanted or malicious software download. Similarly if a person is visiting a site with malicious content, the person may become victim to a drive-by download attack. That is, the malicious content may be able to exploit vulnerabilities in the browser or plugins to run malicious code without the user's knowledge.

A drive-by install (or installation) is a similar event. It refers to installation rather than download (though sometimes the two terms are used interchangeably).

Process

When creating a drive-by download, an attacker must first create their malicious content to perform the attack. With the rise in exploit packs that contain the vulnerabilities needed to carry out unauthorized drive-by download attacks, the skill level needed to perform this attack has been reduced.

Finally, the attacker exploits the necessary vulnerabilities to launch the drive-by download attack. Drive-by downloads usually use one of two strategies. The first strategy is exploiting API calls for various plugins. For example, the DownloadAndInstall API of the Sina ActiveX component did not properly check its parameters and allowed the downloading and execution of arbitrary files from the internet. The second strategy involves writing shellcode to memory, and then exploiting vulnerabilities in the web browser or plugin to divert the control flow of the program to the shell code.

A different form of prevention, known as "Cujo," is integrated into a web proxy, where it inspects web pages and blocks the delivery of malicious JavaScript code.

See also

  • Mousetrapping
  • Malvertising
  • Clickjacking
  • Phishing
  • BLADE
  • Mac Flashback
  • Windows Metafile vulnerability
  • Dropper (malware)

References