Examination of a “Drive-by-Download” Many Security Professionals Get this Wrong – Overview and Examp

Aug 12, 2015, 21:12

Chris Snow


Basic Definition: Drive-by downloads may happen when visiting a website, viewing an e-mail message or by clicking on a deceptive pop-up window: by clicking on the window in the mistaken belief that, for instance, an error report from the computer's operating system itself is being acknowledged, or that a seemingly innocuous advertisement pop-up is being dismissed. In such cases, the "supplier" may claim that the user "consented" to the download, although actually the user was unaware of having started an unwanted or malicious software download.


Very Common Misconception:

When I am interviewing candidates for security positions I always ask them a simple question: explain what a drive-by-download is. 90% of the time they give me the wrong answer. The most common answer I receive is that while you are browsing a website, a hacker has uploaded an executable or inserted an iframe with a download link to the file, and when you visit the website the file is downloaded in the background without you authorizing it or even seeing it. They tell me it happens behind the scenes and executes.

This is dead wrong. If it were that easy to get malware or adware onto a victim's machine, everyone and their mother would be hosting malware at an astronomical rate. There was a short period when that definition was actually accurate, in some very early browsers, or if a user changed their security settings to automatically download and run any file without question and accept any request received; otherwise the attacker still had to rely on the victim willingly opening that file. It's not 1995 anymore: browsers are smarter, though people are still gullible and incompetent.

Answering such a question with that type of answer is a dead giveaway that a candidate is not very knowledgeable in the field of cyber security. For a user to land on a website and have an executable download and run in the background without their knowledge, they would have to be exploited. For example, an exploit kit loaded with exploits for 0-day vulnerabilities in Java or Flash may have injected an iframe into your favorite site; when you visit that site you trigger the exploit kit process, which must then exploit a vulnerable piece of software installed on your machine. Once it successfully does that, it can request that an executable be downloaded (which will in fact happen behind the scenes) and installed. At that point you will be hosting malware unless your AV has really good anomaly- or behavior-based detection mechanisms, as the signature portion will most likely fail: malware writers modify their malicious binaries daily and run them against AV to make sure they aren't detected. Once the malware becomes known and samples are obtained, your AV provider will issue a signature to prevent future occurrences.
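To make the injection pattern above concrete from the defender's side, here is an added example (my own, not code from the original post) that scans a fetched HTML document for the two delivery patterns this article describes: iframes pointing at a third-party host that are also hidden by CSS or sized down to a pixel, and bare links to executables hosted on a foreign domain. The sample HTML, the host names and the size threshold are constructed for the example; the last-two-labels rule for comparing domains is a deliberate simplification, and a real scanner would use the public suffix list instead.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: the site itself lives on example-blog.test (hypothetical).
# Two hidden third-party frames and a bare .exe link have been placed in it to
# stand in for the injected content the article describes.
SAMPLE_HTML = """
<html><body>
<h1>My favourite site</h1>
<iframe src="https://cdn.example-blog.test/widget.html" width="300" height="200"></iframe>
<iframe src="http://landing.third-party.test/gate.php" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="http://other.third-party.test/x.html" style="display:none;position:absolute;left:-9999px"></iframe>
<a href="http://blah.test/blah.exe">Update Flash now</a>
<a href="/downloads/readme.txt">Readme</a>
</body></html>
"""
PAGE_HOST = "www.example-blog.test"  # hypothetical host the page was fetched from

# CSS fragments commonly used to keep a frame out of sight
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px", re.I)
EXEC_EXT = (".exe", ".msi", ".scr", ".jar", ".bat")


def registrable(host: str) -> str:
    """Crude registrable-domain approximation: keep the last two labels."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_third_party(url: str, page_host: str) -> bool:
    """True when the URL's host belongs to a different registrable domain than the page."""
    host = urlparse(url).hostname
    if not host:
        return False  # relative URL: same origin as the page
    return registrable(host) != registrable(page_host)


def tiny(dim) -> bool:
    """True when a width/height attribute is 2px or smaller; None or unparsable -> False."""
    if dim is None:
        return False
    try:
        return int(dim.strip().rstrip("px")) <= 2
    except ValueError:
        return False


class SuspiciousTagFinder(HTMLParser):
    """Collect (tag, url, reasons) for iframes and links matching the patterns above."""

    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = a.get("src") or ""
            reasons = []
            if is_third_party(src, self.page_host):
                reasons.append("third-party src")
            if tiny(a.get("width")) and tiny(a.get("height")):
                reasons.append("1x1 size")
            if HIDDEN_STYLE.search(a.get("style") or ""):
                reasons.append("hidden via CSS")
            # A third-party frame that is also concealed is the classic injection shape;
            # a visible first-party frame (e.g. a site's own widget) is not reported.
            if "third-party src" in reasons and len(reasons) > 1:
                self.findings.append(("iframe", src, reasons))
        elif tag == "a":
            href = a.get("href") or ""
            path = href.lower().split("?")[0]
            if path.endswith(EXEC_EXT) and is_third_party(href, self.page_host):
                self.findings.append(("a", href, ["direct executable link on third-party host"]))


def scan(html: str, page_host: str):
    """Parse the document and return the list of suspicious tags found, in document order."""
    parser = SuspiciousTagFinder(page_host)
    parser.feed(html)
    return parser.findings


if __name__ == "__main__":
    for tag, url, reasons in scan(SAMPLE_HTML, PAGE_HOST):
        print(f"{tag:6} {url}  <- {', '.join(reasons)}")
```

Running it on the constructed page reports the two concealed third-party frames and the foreign .exe link, and stays silent on the site's own visible widget frame and the relative text-file link. The heuristic is intentionally conservative: an off-domain frame is reported only when it is also hidden or collapsed, which is the combination the article's exploit-kit scenario relies on.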

99% of drive-by-downloads result in the download of what is known as "adware" or "PUPs" (potentially unwanted programs), not "malware", as most of these groups' infrastructure is located in the United States and they seek to profit from your download without risking a lawsuit. Therefore, groups delivering drive-by-download software take measures to legalize their extremely shady practices. Most commonly you will see a site telling you that your version of Java or Flash is out of date and you need to upgrade right now; it will instruct you to click an install or download link, which is packed with adware. They will typically have a very small disclaimer as well which, if you read it, explains vaguely what you are really downloading.

Let's review a common example I see routinely of what a true drive-by-download looks like:

I visit a bittorrent site and do a search for a file; at the same time a pop-under or new tab opens in my browser for a site hosting a drive-by-download:

(Screenshot: drive-by-download landing page)

If red flags are not going off in your head, something is wrong. Check the URL: does it even make sense? Google the domain name and you'll get your answer right off the bat about what you have landed on or what has loaded. Legitimate software companies do not market software in this manner. You should be asking why Google would be advertising with pop-under windows from a domain like secureopensoftware.com. Do the math and think logically before proceeding.


Next step of the drive-by-download:


From the first page that I landed on I clicked the X box to close the window and clicked "no", I don't want to update my software, but here it comes anyway. If you spot the license agreement you will see that even that states that they are in no way affiliated with Google Chrome, yet they are using the copyrighted image on the download page.


Here is an example after closing the download window: you'll see another fraudulent statement, "Manufacturer: Google", which it most certainly is not.


Clicking OK on the download or the install button will result in this:


As you can see, they are ready to ship me an application to install. I edited the image slightly as there are some folders and directory mappings I would like to keep private. The site hosting the download really wants to make sure I run the program as soon as possible; look what happens after I download the file:


As if I wouldn't know how to run a file I just downloaded. This type of drive-by-download is extremely successful when targeting young individuals who don't know any better and older users who don't understand how the internet works.


The other type of drive-by-download, which you will rarely see these days, is when you land on a page and it immediately prompts you for the download. They haven't even taken the time to craft a fake, misleading website; they have simply created a link such as http://blah/blah.exe, so when you hit that page a prompt will come up for the download. This is seen less often because, legally speaking, they have not given the user any notice of risk or any chance to accept such a request, and law enforcement would have a much easier time going after those hosting such files. In the above case, they at least have weak legal grounds to stand on, because they can claim that you read the license agreement and willingly downloaded the file and installed it. DON'T BE A VICTIM - THESE GROUPS AND THESE TACTICS NEED TO STOP, YOU CAN HELP THAT FIGHT BY NOT BECOMING A STATISTIC.