Security Response

Advances in Drive-by Downloads

Created: 26 May 2006 07:00:00 GMT • Updated: 23 Jan 2014 18:59:26 GMT
Liam O Murchu

The commercialization of every aspect of online fraud has been a growing trend over the last few years. [1] This commercialization has now hit the drive-by download market. A new subscription service that automates drive-by downloads is now available and being touted in the underground.

This service provides a point-and-click solution for anyone who wants to set up drive-by downloads on their own Web site. Some features offered by the service include: browser and browser version detection, OS detection, Windows service pack detection, JVM version detection, and antivirus software detection.

These detection processes allow a specific exploit to be selected for each visitor. The team behind the service also claims to be able to develop exploits based on vendor advisories, which presents the worrying scenario of zero-day exploits being available to their customers. This could lead to a situation similar to the one that occurred when WMF exploits were circulating (in December 2005) before any patches were available. Not only is the drive-by download code able to detect which exploit to use, but it can also fall back to several other exploits if the first one is unsuccessful. An excerpt from the listing of vulnerabilities that this team currently claims to have exploit code for is provided here:

MS03-011 JVM vulnerability
MS04-013 Outlook vulnerability
MS05-002 ANI file vulnerability
MS05-054 Js window vulnerability
createTextRange () vulnerability
WMF vulnerability
Firefox "InstallVersion.compareTo" vulnerability
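As an added defender-side example (not code from the original post or from the kit it describes), the following Python flags a proxy-log pattern consistent with the fallback chaining described above: one host serving a client several different exploit-carrying file types in quick succession, followed by an executable. The log format, host names and extension-to-vulnerability mapping are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumed mapping from fetched file extension to the exploit family it carries,
# using only families named in the post's vulnerability list.
VECTOR_BY_EXT = {"wmf": "WMF", "ani": "ANI (MS05-002)", "jar": "JVM (MS03-011)"}
# Constructed proxy log lines (assumed format: date time client url status).
SAMPLE_LOG = [
    "2006-05-26 10:00:01 10.0.0.5 http://kit.example.test/index.html 200",
    "2006-05-26 10:00:02 10.0.0.5 http://kit.example.test/c.ani 200",
    "2006-05-26 10:00:04 10.0.0.5 http://kit.example.test/p.wmf 200",
    "2006-05-26 10:00:07 10.0.0.5 http://kit.example.test/a.jar 200",
    "2006-05-26 10:00:09 10.0.0.5 http://kit.example.test/load.exe 200",
    "2006-05-26 10:05:00 10.0.0.9 http://cdn.example.test/cursor.ani 200",
]
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\d{3})$")

def parse_line(line):
    """Return (timestamp, client, url, status) or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), int(m.group(4))

def find_exploit_chains(lines, window_seconds=60, min_vectors=2):
    """Flag clients served >= min_vectors exploit-vector file types by one host within window_seconds."""
    events = defaultdict(list)  # (client, host) -> [(timestamp, extension)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, url, _status = rec
        u = urlparse(url)
        events[(client, u.netloc)].append((ts, u.path.lower().rsplit(".", 1)[-1]))
    hits = {}
    for (client, host), evs in events.items():
        vectors, exe_after, t0 = set(), False, None
        for ts, ext in sorted(evs):
            if ext in VECTOR_BY_EXT:
                t0 = t0 or ts  # window opens at the first exploit-vector fetch
                if ts - t0 <= timedelta(seconds=window_seconds):
                    vectors.add(VECTOR_BY_EXT[ext])
            elif ext == "exe" and vectors:
                exe_after = True  # executable fetched after the exploit attempts
        if len(vectors) >= min_vectors:
            hits[client] = {"host": host, "vectors": sorted(vectors), "exe_after": exe_after}
    return hits
```

A single exploit-type fetch (the second client above) is not flagged, since a lone .ani or .jar request is routine; the signal is the variety served to one client by one host.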

Although all the text on the site is in Russian, I have included a rough translation below which explains the services available:
"Dear friends! We are glad to offer to you a multicomponental Web-Attacker IE0604, realizing to vulnerability in popular Internet-browsers Internet Explorer and Mozilla Firefox. By means of data you can establish any executed programs on local disks of visitors of your sites. In a basis of work Web-Attacker IE0604 lay seven found out earlier vulnerabilities in the Internet-browsers. Into the new version will enter two recently found out vulnerabilities for Internet Explorer 6.0 SP2 and Mozilla Firefox."

The service comes with a simple Web interface which allows the owners of malicious Web sites to log on and administer how the drive-by downloads will work on their site. The Web interface allows the user to specify which executable will be downloaded to a visitor's computer, and it will provide statistics that detail how successful their individual drive-by download campaigns have been so far.

The Web site address for this service is currently being circulated in underground forums and IRC channels and has already found several customers. So, be warned: drive-by download technology has just become a whole lot more organized, and far easier to use!