Drive-by downloads: Can you get malware just from visiting a website?

Microsoft calling_ Mind the tech support scammer

There are dozens of ways malware can get onto your system. In most cases, infections involve a user-initiated action, like opening a malicious attachment or executing a .exe file acquired from some sketchy corner of the Internet.

But can you get malware from a website visit? Unfortunately, the answer is yes.

It’s possible to get infected with malware even without opening a file or downloading anything malicious – all it takes is for you to visit a compromised website.

In this article, we’ll show you exactly how drive-by downloads work and how you can protect yourself from this threat.

What is a drive-by download?

A drive-by download refers to the download of malicious software to your computer without your consent. Unlike other types of malware that usually rely on tricking you into clicking on a malicious link or downloading a malicious file, drive-by downloads can occur without any user interaction. In other words, you don’t have to select anything for an attack to occur. Drive-by downloads can take place on attacker-owned websites, on legitimate websites that have been compromised, and through malicious advertisements displayed on otherwise safe sites.

Most types of drive-by downloads work by exploiting known vulnerabilities in your device’s operating system, web browser and browser plugins. These security flaws usually only exist due to poor cybersecurity practices – many businesses and home users delay applying vital security patches, which gives attackers a window of opportunity to exploit known vulnerabilities.

What is drive-by exploit kit?

Drive-by download attacks usually involve the use of an exploit kit. An exploit kit is a pre-packaged collection of exploits that attempt to automatically infect targets using a variety of different drive-by attack methods.

Exploits kits are designed to be simple to use and often come loaded with features such as a management console, add-on functions and technical support, which make it easy for cybercriminals of all levels of technical literacy to launch a campaign. The creators of exploit kits use these tools to generate substantial profits by renting their exploit kits to other cybercriminals – a model sometimes described as exploit-kits-as-a-service. The most highly sought after exploit kits can cost thousands of dollars per month.

Most modern exploit kits work by scanning a website visitor’s system – operating system, IP address, browser, plugins and more – to find systems vulnerable to compromise. The exploit kit then automatically selects an attack method according to the vulnerability that has been identified and triggers the sequence of events that leads to the delivery of the malicious payload.

How do drive-by downloads work?

The following describes the typical anatomy of a drive-by download attack:

1. Exploit kit deployment: Threat actors deploy an exploit kit on their own server, on a compromised legitimate website or through third-party advertising services.

2. Contact: In order to spread the malicious content, adversaries must drive traffic to the exploit kit landing page. Traffic generation methods vary depending on where the exploit is deployed:

3. Fingerprinting: When a visitor lands on the exploit kit landing page, the exploit kit analyzes the fingerprint of the user’s device to search potential vulnerabilities in the user’s software stack and determine if they’re a suitable target.

4. Exploitation: If the user is deemed to be an appropriate target, the exploit kit automatically exploits the detected vulnerabilities to initiate the drive-by download. Targets with no suitable vulnerabilities may be ignored or redirected to a landing page that uses social engineering tactics to dupe the user into downloading malware.

5. Execution: The malicious file is executed. Often, this is a multi-stage attack, whereby the initial drive-by download is used to deploy other types of malware. Obfuscation methods are typically used to prevent detection of the drive-by malware throughout the attack.

What type of malware can be installed in a drive-by download attack?

Adversaries use drive-by downloads as a way of establishing control of a device. Because no user interaction is required, drive-by downloads can be an effective way for threat actors to quietly gain access to a device and use the initial infection as a springboard to perform further malicious activity.

Exactly what type of malware is delivered in a drive-by download depends on the objective of the attack. In some instances, the drive-by download is the objective. In other cases, the drive-by download is simply the first phase in a multi-stage attack – an opportunity for attackers to gain a foothold in the target environment before making their next move.

With this in mind, drive-by downloads can ultimately be used to deploy almost any type of malware, including ransomware, keyloggers, backdoors and more.

How Emsisoft protects you from drive-by downloads

If you’re an Emsisoft user, you can rest assured that you’re fully secure from drive-by downloads, thanks to a number of powerful protection technologies that work in synergy to keep you safe from online threats.

At the outer perimeter, Web Protection and Emsisoft Browser Security can help prevent you from connecting to malicious websites using a huge database of continually updated malicious hosts. In the event that you do happen to log onto an exploit kit landing page, our Behavior Blocker will automatically intercept exploit attempts and stop downloaded files from attempting to open – including malicious files that have never been seen before. Our File Guard component will also intercept any drive-by download that has an existing signature.

Taking a multi-layered approach to security provides multiple opportunities to neutralize drive-by downloads before they can make any changes to your device.

More tips on how to prevent drive-by downloads

The following best practices can be useful for reducing the risk of drive-by download attacks:

1. Install security updates promptly: As discussed earlier, most drive-by download attacks work by exploiting known security flaws. Mitigate this risk by always installing security updates for your web browser, extensions, operating system and other applications as soon as the patches are available.

2. Avoid sketchy websites: While a drive-by download could theoretically happen anywhere on the web, you’re more likely to experience an attack on websites that deal in piracy and mature content. Reduce the risk of infection by sticking to trustworthy and well-established sites.

3. Remove unused apps: Shrinking your attack surface reduces the risk of infection. Take a few minutes to review your applications and browser extensions and uninstall anything that you rarely use or which looks unfamiliar. Applications that no longer receive updates are particularly risky and should be removed.

4. Beware of phishing: Adversaries will sometimes use phishing to drive traffic to a malicious landing page that contains an exploit kit. Familiarize yourself with phishing language, be wary of unsolicited emails that try to convey a sense of urgency and always double-check URLs before clicking on anything. See this blog post for more information on preventing phishing attacks.

5. Use an ad blocker: Drive-by downloads are frequently distributed via ad networks. An effective way to block this attack vector is to install a reputable ad blocker.

Summary

It’s true that you can get malware just from visiting a website. Through the use of exploit kits hosted on malicious or compromised legitimate websites, threat actors can launch drive-by download attacks that deliver malware without you even laying a hand on your mouse.

Keeping your applications up to date, using good antivirus software, installing an ad blocker and being mindful of phishing attempts can greatly reduce the risk of falling victim to a drive-by download attack.

Emsisoft Enterprise Security + EDR

Robust and proven endpoint security solution for organizations of all sizes. Start free trial

 

Jareth

Jareth

Writer. A picture is worth a thousand words but unfortunately I can't draw. The world of IT security has always fascinated me and I love playing a small role in helping the good guys combat malware.

What to read next