Video Screencast Help
Website Security Solutions

The drive-by download explained - and what you can do about it

Created: 05 Jul 2010 • Updated: 18 Dec 2012
Tim Callan's picture
0 0 Votes
Login to vote

Greetings from down under. I'm here to give a presentation at the Online Retailer conference and expo, which is Australia's largest trade show focused on the online retail segment. My focus is web site malware distribution and the drive-by download. This sophisticated new attack blends several techniques to deliver malware using honest, legitimate online businesses as its distribution channel.

Here's how it works.

It all starts with malware. Malware is short for malicious software, and the moniker stands for any piece of software that you might find installed in your system without your knowledge and consent and that is there to promote an hidden agenda on behalf of the party that controls that malware, even if it hurts you in the process. The two most common forms of malware are the keylogger and the botnet. Keyloggers are pieces of spy software that record everything you do online and send all that information off to whoever owns the malware. So for instance, let's say you go to a certain bank's web site and then click on a certain field, type in a string, hit the tab key, type in another string, and hit enter. If you have a keylogger on your system, you just gave away your online banking login to a criminal.

Botnet is short for robot network, and botnets allow outside parties to control large numbers of desktops to use as they will. Botnets send spam, perform DDoS attacks, and add more machines to themselves.

The criminals make their money when they get their malware onto your system. They can't just ask you to install it because too many people are too savvy to fall for that ploy. It's much more effective if they can get their software installed without you ever knowing it happened. To accomplish that task they create attack scripts and run them on web servers. When a client system connects to a server with one of these attack scripts, the attack code goes down the list of all known vulnerabilities trying to find one that will allow it to put its malware on your computer. When new vulnerabilities surface, the online criminal simply adds them to his attack script. If the attack script succeeds, then it installs the malware payload onto the visiting system.

But the online criminal can't simply stand up a server with his attack script on it because it's unlikely that any meaningful number of potential victims would be visiting his server. Instead the criminal has to go where the traffic is. That's where the next step comes in.

The criminals then use HTML injection attacks like cross-site scripting to add a tiny line of code into an existing web site. The prefered method is to add a single, empty iFrame, one pixel wide by one pixel high. Invisible to the naked eye, this iFrame nonetheless forces the browser to connect with another server, where the attack code sits. By injecting these iFrames onto innocent, honest sites, the criminals can expose their attack scripts to visitors who otherwise would be unavailable to them.

We've seen a form of solution emerge, which is blacklisting. Various entities run crawlers that look at public-facing web sites and examine them for malware distribution mechanisms. When they find a domain with this problem, they add it to what they call a blacklist. The blacklist is a list of domains that are believed to have malware on them. Browsers, search engines, and desktop security providers, then use these blacklists to block users from access to these sites. For instance, popular browsers like Internet Explorer and Firefox include "roadblock" pages, which very strongly discourage users from continuing to these pages. The Firefox roadblock reads in part,

Reported Attack Site!
The web site at [domain here] has been reported as an attack site and has been blocked based on your security preferences.

The roadblock features two buttons labeled Get me out of here! and Why was this site blocked? If you want to actually navigate to the site, you have to click a small link in the lower right corner of the roadblock page that says Ignore this warning.

Blacklisting and removing or blocking results is arguably an effective countermeasure, but it's a practice that is completely oriented to the consumer with no thought for the consequences to the online businesses who innocently find themselves transformed into malware mules. These businesses are unceremoniously cut off from their customers or audience with no warning at all. It is oftentimes very difficult and time consuming for the business to determine who it is that blacklisted them and what they can do to fix the problem. All the while they're losing customers.

The solution for online businesses is to engage their own, proactive malware distribution scanning. VeriSign, for example, offers a daily scan for web site malware. The advantage of this scan is that it takes place much more often than most or all of the blacklisting scans, and it warns you if it finds something so that you can take action to remove the malware distribution. And unlike the blacklisting scans, VeriSign's scan tells you exactly where the distribution code is so that it's easy for the site operator to find it and fix it. VeriSign is offering this scan at no additional charge as part of the VeriSign seal. Today web site malware scanning is available in our standalone VeriSign Trust Seal, and soon it will be available in the VeriSign seals that come with our SSL products as well.

Sites are much better off finding and correcting these errors before they get blacklisted. And consumers are better off as well because sites can find and remove this scanning in a very timely fashion.