Security Response

Drive-by Downloads—By Hook or by Crook

Created: 22 May 2006 07:00:00 GMT • Updated: 23 Jan 2014 18:59:30 GMT
Liam O Murchu

It is great to finally have a choice about how to receive your adware. In the past, drive-by downloads targeted Internet Explorer (IE) users exclusively, and many people switched to Firefox or Safari for exactly that reason. Now you can be hit with your least favourite adware in whichever browser you prefer!

When people contemplated moving from IE to Firefox, it didn't matter whether Firefox was measurably safer than IE or not: the simple fact that the bad guys weren't targeting it made it far safer in practice. Those days are long gone. In the Symantec labs we still see more drive-by downloads that target IE alone; however, we often see sites that detect which browser you are using and then serve you your specific poison. Moreover, several vulnerabilities have been discovered in components that are shared by every browser on a system (such as Flash Player or Windows Media Player), and exploits for those succeed regardless of which browser rendered the page.

True drive-by download pages require no user interaction beyond visiting the page, and the goal is usually to install adware, spyware, diallers, rogue anti-spyware, or any combination of these and more. The WMF vulnerability (MS06-001) is currently the attack vector of choice for drive-by downloads; however, it only counts as a true drive-by vector in IE, because other browsers (such as Firefox and Opera) prompt the user to decide how to handle .wmf files instead of rendering them silently.

The advance in drive-by downloads is marked not only by the addition of browser detection code, but also by the number of different exploits being used. It is quite common to find the same drive-by download page using several different exploits: if the first one doesn't get you, one of the others might. Thor Larholm (and others after him) used to maintain Web pages documenting all of the unpatched vulnerabilities in IE. As these vulnerabilities were dealt with, they were moved from the "unpatched" list into the "recently patched" list. It appears that malicious software writers have taken a leaf out of this book and adopted a similar system, keeping a list of the most critical (and most reliable) flaws for several different browsers and bundling them together into "super" drive-by download pages.

Although browser patches are released more quickly now than when Thor Larholm was maintaining his vulnerability tracking page, this doesn't seem to bother the bad guys. They are looking for the path of least resistance, and they don't care whether a vulnerability is old or whether a patch is already available; what they test is whether an attack on it still succeeds. They cover all the bases, hoping that you are not 100% patched. This is demonstrated by the fact that they are still trying to exploit a help file vulnerability that was first disclosed in 2000.

I have provided an example below, with excerpts from the logs taken during a recent visit to a known drive-by Web site. You can see in the logs that the site uses separate exploits for three vulnerabilities: the WMF vulnerability and two different .chm help file vulnerabilities (most probably MS05-026 and MS04-023). If all of these exploits fail, we are redirected to yet another site where the process begins all over again. Oh, and I should point out that all of this happens in less than three minutes, after which seven different risks were found installed on the system.

http://xxxx.com/index.html
http://xxxx.com/mm.wmf <- our trusty WMF vulnerability
http://xxxx.com/icyfox.html
http://xxxx.com/joke.html <- windows help file vulnerability
http://xxxx.com/young.gif <- actually an executable used by the joke.html page
http://xxxx.com/young.css <- again another exe for use in the joke.html page
http://xxxx.com/mm.html
http://xxxx.com/skmhta.asp <- second help vulnerability
http://xxxx.com/skexe.asp <- exe for use in above help vulnerability
http://xxxx.com/xp.htm <- another help file exploit page
http://xxxx.com/all.mp3 <- actually an exe
http://xxxx.com/dongfang.gif <- actually JavaScript used by the HTML exploit page

Now that xxxx.com is finished with us, we get passed to yyyy.com:

http://yyyy.com/index.html <- here we have our browser and OS version checker
http://yyyy.com/3.exe
http://yyyy.com/hy.exe
http://yyyy.com/wxp.htm <- detected win xp so serves up the help vulnerability (again)
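The annotations in the log above ("actually an executable", "actually JavaScript") are the kind of thing you can check mechanically: compare the file type implied by the URL's extension with the type implied by the first bytes of the response. The Python below is an added example written for this page, not code from the original post or from Symantec. Only the URLs come from the log; every response body is a constructed stand-in, and the benign style.css entry is invented as a control.

```python
"""Flag responses whose content does not match the type their URL claims.

Added example for this page (not Symantec's code).  The URLs are the ones
from the log above; every response body below is a constructed stand-in,
and style.css is an invented benign control that is not in the log.
"""
import posixpath
from urllib.parse import urlparse

# Leading-byte signatures for the file types that show up in the log.
MAGIC = [
    (b"MZ", "pe"),                       # Windows executable (EXE/DLL)
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\xd7\xcd\xc6\x9a", "wmf"),        # placeable WMF header
    (b"\x01\x00\x09\x00", "wmf"),        # standard WMF header
    (b"ITSF", "chm"),                    # compiled HTML Help
    (b"ID3", "mp3"),
    (b"\xff\xfb", "mp3"),                # raw MPEG audio frame sync
]

# What the extension in the URL promises.
EXT_TO_TYPE = {
    ".exe": "pe", ".gif": "gif", ".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg",
    ".wmf": "wmf", ".chm": "chm", ".mp3": "mp3", ".css": "css",
    ".html": "html", ".htm": "html", ".asp": "html",
}

# Types that should never carry markup, script or executables.
PASSIVE = {"gif", "png", "jpeg", "mp3", "css"}

ACTIVE_MARKERS = (b"<script", b"document.write", b"<iframe", b"<object", b"activexobject")


def declared_type(url):
    """Type implied by the URL's extension ("unknown" if unrecognised)."""
    ext = posixpath.splitext(urlparse(url).path)[1].lower()
    return EXT_TO_TYPE.get(ext, "unknown")


def sniff_type(body):
    """Type implied by the bytes actually returned."""
    for magic, kind in MAGIC:
        if body.startswith(magic):
            return kind
    sample = body[:4096].lower()
    if any(marker in sample for marker in ACTIVE_MARKERS):
        return "script"            # HTML/JS carrying script, frames or ActiveX
    if sample.lstrip().startswith(b"<"):
        return "html"              # plain markup
    if body and all(32 <= c < 127 or c in b"\r\n\t" for c in body[:512]):
        return "text"              # printable text, e.g. a real stylesheet
    return "unknown"


def triage(url, body):
    """Compare declared and sniffed type and return a verdict for one fetch."""
    declared = declared_type(url)
    actual = sniff_type(body)
    if actual == "pe" and declared != "pe":
        verdict = f"executable disguised as {declared}"
    elif actual in ("script", "html") and declared in PASSIVE:
        verdict = f"active content disguised as {declared}"
    elif actual == "wmf":
        verdict = "WMF image: the exploit vector of choice at the time, inspect by hand"
    else:
        verdict = "ok"
    return {"url": url, "declared": declared, "actual": actual, "verdict": verdict}


# Constructed responses: bodies are stand-ins, not captured data.
SAMPLE_RESPONSES = [
    ("http://xxxx.com/index.html", b"<html><body><iframe src='mm.html' width=0></iframe>"),
    ("http://xxxx.com/mm.wmf", b"\xd7\xcd\xc6\x9a\x00\x00\x00\x00\x00\x00"),
    ("http://xxxx.com/young.gif", b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"),
    ("http://xxxx.com/young.css", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("http://xxxx.com/skexe.asp", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("http://xxxx.com/all.mp3", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("http://xxxx.com/dongfang.gif", b"document.write('<iframe src=\"xp.htm\"></iframe>');"),
    ("http://xxxx.com/style.css", b"body { margin: 0; }"),   # invented benign control
]


def suspicious(responses=SAMPLE_RESPONSES):
    """URLs whose content does not match what the URL claims."""
    return [r["url"] for r in (triage(u, b) for u, b in responses) if r["verdict"] != "ok"]


if __name__ == "__main__":
    for r in (triage(u, b) for u, b in SAMPLE_RESPONSES):
        print(f"{r['url']:<32} {r['declared']:<8} {r['actual']:<8} {r['verdict']}")
```

The check keys on the URL's extension rather than the HTTP Content-Type header because that header is under the attacker's control too; if you have the headers, treat a mismatch between them and the sniffed type as a third signal. Since these sites serve different content per browser and OS (the yyyy.com index.html above), fetch with the User-Agent of the victim browser or the site may hand you nothing worth triaging.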

In total, seven different vulnerabilities were used in this drive-by attack, with 12 separate attempts to exploit the browser: three attempts on the WMF vulnerability and five on the .chm help file vulnerabilities. If your browser and OS were not fully patched when you visited one of these sites, you would more than likely be caught in their web. As with every other aspect of online fraud, drive-by downloads are becoming more and more professional. They are determined to get onto your computer, and by hook or by crook, they aim to succeed!