Wednesday, November 07, 2007

what is a drive-by download?

a drive-by download is a form of exploitation in which simply visiting a malicious (or compromised) web page with a vulnerable system causes a piece of malware to be downloaded, and possibly also executed, on that system... no click, prompt or other action beyond loading the page is required...

in other words it's a way for a system to be compromised just by visiting a website...

the vulnerability (or vulnerabilities) exploited in order to cause a drive-by download can be in the web browser itself, or in some other component involved in rendering the content of the malicious page (such as a multimedia plug-in, a document viewer or a scripting engine)... the page simply serves content crafted to trigger that bug in whatever component handles it...

drive-by downloads are particularly pernicious for two reasons... the first is that it can be hard to avoid being vulnerable while still keeping the functionality people have come to expect from the web... all software has vulnerabilities at least some of the time, and there may be quite a few pieces of software on a given system that handle web content (such as real player, quicktime, flash, adobe acrobat reader, etc), each of which may have vulnerabilities of its own... add to that the fact that vulnerabilities aren't always fixed right away, and that many users don't apply patches or updates as soon as they're available, and you wind up with a fairly large pool of potential victims...

the second reason they are so pernicious is that it can be hard to avoid being exposed to an exploit leading to a drive-by download... the exploit can be delivered through legitimate, high profile, mainstream sites by way of the advertising (or other third-party) content those sites embed... if the ad network that supplies the advertising content is infiltrated by cyber-criminals (which has been known to happen) then they can sneak a malicious ad into the network's ad rotation and get it inserted into otherwise trusted and trustworthy sites... the site itself is never broken into, it just faithfully displays whatever the ad network hands it... for this reason the old advice of only visiting trusted sites can't really protect you from this type of threat...


2 comments:

Pete said...

Myspace.com just changed their ad policy and my wife's computer was infected with cNSMin adware/spyware shortly after. The infection happened while on myspace which I suspect was a drive-by as a result of the increased ad rotations. If, in fact, this is the cause, I guess you can't really trust any site nowadays :(

kurt wismer said...

it's true that there are no safe sites - any site can be compromised and made to host malicious content... that makes IE's trusted zone methodology basically useless...

i don't know what protections you're using, but if you're using firefox with the noscript browser extension you can configure noscript to operate on a page by page basis rather than a site by site basis... that way you don't necessarily have to trust everything on myspace (or blogspot, or any number of other similar sites) but rather just certain pages... it doesn't get rid of the problem entirely but the finer grained control makes it less likely that bad content will be able to sneak onto the whitelist...