Kaspersky Lab publishes the article Drive-by Downloads: The Web Under Siege

Kaspersky Lab, a leading developer of secure content editing systems, presents the article Drive-by Downloads: The Web Under Siege by Kaspersky Lab security evangelist Ryan Naraine. The article is devoted to the covert downloading of malware from websites without the user’s knowledge, which is known as drive-by downloads. The author explores the lures used to perpetrate attacks, the technology behind the attacks, and the use of drive-by download attacks in personal data theft and computer takeovers.

Drive-by malware delivery is of increased appeal to cybercriminals simply because it is, in general, a stealthier form of infection that results in more successful attacks. According to ScanSafe, 74 percent of all malware detected in the third quarter of 2008 came from visits to compromised Web sites.

To understand the dramatic shift to using the Web browser as the attack tool, it is useful to revisit the history of major Internet-based computer attacks. During the “Internet worm era”, when attacks like Code Red, Blaster, Slammer and Sasser wreaked havoc on corporate networks, hackers used remote exploits against Windows operating system vulnerabilities. Microsoft reacted to the worm attacks in a positive way. They added a firewall, which is turned on by default in Windows XP SP2, and implemented several anti-worm mitigation mechanisms in the operating system. With automatic updates enabled on Windows, end users got some assistance by regularly applying operating system patches. This evolution drove the emergence of a stealthy new technique – the drive-by download – that uses the browser as the mechanism to connect computer users to servers rigged with malicious exploits.

In the drive-by attack, the malicious program is automatically downloaded to your computer without your consent or even your knowledge. The attack actually occurs in two steps. The user surfs to a Web site that has been rigged with code that in turn redirects the connection to a malicious third-party server hosting exploits. If an exploit is successful, a Trojan is silently installed that gives the attacker full access to the compromised computer. The attacker can later take advantage of the compromised computer in order to steal confidential information or to launch DoS attacks.

According to data from Kaspersky Lab and others in the security industry, we are in the midst of a large-scale drive-by download epidemic. Over a recent ten-month period, the Google Anti-Malware Team crawled billions of pages on the Web in search of malicious activity and found more than three million URLs initiating drive-by malware downloads. Hackers increasingly compromise legitimate Web sites and either secretly embed an exploit script or plant redirect code that silently launches attacks via the browser.

According to Ryan Naraine, malware exploit kits serve as the engine for drive-by downloads. These kits are professionally written software components that can be hosted on a server with a database backend. The kits, which are sold on underground hacker sites, are fitted with exploits for vulnerabilities in a range of widely deployed desktop applications, including Apple’s QuickTime media player, Adobe Flash Player, Adobe Reader, RealNetworks’ RealPlayer, and WinZip.

Browser-specific exploits have also been used, targeting Microsoft’s Internet Explorer, Mozilla’s Firefox, Apple Safari, and Opera. Several targeted exploit kits are fitted only with attack code for Adobe PDF vulnerabilities or known flaws in ActiveX controls.

Identity thieves and other malware authors purchase exploit kits and deploy them on a malicious server. Code to redirect traffic to that malicious server is then embedded on Web sites, and lures to those sites are spammed via e-mail or bulletin boards.

An exploit kit server can use HTTP request headers from a browser visit to determine the visitor’s browser type and version as well as the underlying operating system. Once the target operating system is fingerprinted, the exploit kit can determine which exploits to fire.

Most modern Web browsers – including Internet Explorer, Firefox, and Opera – have added anti-malware blockers that provide early-warning systems when users attempt to surf to a rigged Web site. These blockers provide good value but, because they are blacklist-based, they do not provide 100 percent protection to Web surfers. According to our expert, the most practical approach to defending against drive-by downloads is to pay close attention to the patch management component of defense. It is also crucial to install antivirus software and to keep its databases updated. Importantly, the antivirus product should include a browser traffic scanner to help pinpoint potential problems from drive-by downloads.
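A defender's check for the two-step pattern described above, written here as an added example (it is not from the article or from Kaspersky Lab): it scans a constructed proxy log for a third-party host that serves one of the exploit-vector file types the kits target and then hands the same client an executable. The log field layout, hostnames and content-type lists are assumptions made for this example.

```python
from collections import defaultdict

# Content types matching the exploit vectors the article lists (Adobe
# Reader/PDF, Flash, QuickTime, RealPlayer); constructed for this example.
EXPLOIT_TYPES = {"application/pdf", "application/x-shockwave-flash",
                 "video/quicktime", "audio/x-pn-realaudio"}
# Types the second-step Trojan download usually arrives as.
EXECUTABLE_TYPES = {"application/x-msdownload", "application/octet-stream"}

# Constructed sample proxy log (not from the article); fields are
# time client host referer content-type status, '-' = no Referer.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 news.example.com - text/html 200
10:00:02 10.0.0.5 cdn.example-ads.net news.example.com application/x-shockwave-flash 200
10:00:03 10.0.0.5 kit.example-evil.net news.example.com application/pdf 200
10:00:04 10.0.0.5 kit.example-evil.net - application/x-msdownload 200
10:05:00 10.0.0.7 docs.example.org - text/html 200
10:05:01 10.0.0.7 docs.example.org docs.example.org application/pdf 200
"""

def parse_line(line):
    """Split one log line into a dict."""
    ts, client, host, referer, ctype, status = line.split()
    return {"ts": ts, "client": client, "host": host,
            "referer": None if referer == "-" else referer,
            "ctype": ctype, "status": int(status)}

def find_drive_by_chains(log_text):
    """Return (client, landing_site, exploit_host) for each flagged chain.

    Flag when, in one client's traffic, a third-party host (Referer names a
    different site) serves an exploit-type object and that same host then
    serves an executable: the two steps the article describes. A lone
    third-party Flash ad (second sample line) is not flagged.
    """
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            per_client[rec["client"]].append(rec)
    hits = []
    for client, records in per_client.items():
        suspects = {}  # exploit_host -> landing site that led there
        for rec in records:
            ref = rec["referer"]
            if rec["ctype"] in EXPLOIT_TYPES and ref and ref != rec["host"]:
                suspects[rec["host"]] = ref
            elif rec["ctype"] in EXECUTABLE_TYPES and rec["host"] in suspects:
                hits.append((client, suspects[rec["host"]], rec["host"]))
    return hits
```

Running `find_drive_by_chains(SAMPLE_LOG)` flags only client 10.0.0.5, whose session went from news.example.com to kit.example-evil.net for a PDF and then an executable; a traffic scanner in the antivirus product, as the article recommends, would see the same sequence in real time.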

The full version of the article is available at Viruslist.com.

This material can be reproduced provided the author, company name and original source are cited. Reproduction of this material in re-written form requires the express consent of Kaspersky Lab’s Public Relations department.

Copyright © 1997 - 2009 Kaspersky Lab. All rights reserved.