In a Drive-by-Download attack, the web application is tampered (i.e. injected with HTML code) that instructs a visitor’s browser to download malware located in an attacker’s controlled server. Most often, tampering is not visually apparent to visitors, thus innocent victims are unaware of the background download operation. If any warning appears it is usually dismissed since victims believe it to be part of the original application. The malware is usually Trojan horse software that takes control of the victim’s machine, making it part of a larger botnet.
One prevalent type of cyber crime is the operation and expansion of botnets. These are computers owned by innocent individuals which were infected by Trojan horse software that controls them on behalf of the net owner (usually a technical person working on behalf of not-so-technical delinquents). In order to maintain a viable and profitable botnet, attackers need to constantly infect more computers with their control agent. One less efficient method of doing that is by compromising each target machine individually. Another, more lucrative method is to have a well known widely accessed application to distribute the control agent to innocent victims. Attackers can compromise the target application and have the malicious code hosted on it. This tends to be quite difficult as upload exploits are not common and as many application servers host antimalware software that would detect the control agent’s code.
The alternative method chosen by attackers is that of drive-by-download. In this type of attack cyber criminals rely on a relatively small and much more common vulnerability of HTML injection (sometimes referred to as persistent XSS) vulnerability. The attacker abuses the injection vulnerability to add some HTML code to the target application. That HTML code, when rendered by a victim’s browser would download the actual malware into the victim’s machine. Common HTML constructs used for this purpose are script elements as well as iframe elements that have their src attributes pointing to the actual server holding the malware. Sometimes, an attacker would use a misleading popup window combined with a button on it to have the hapless victim explicitly invoke the download operation.
One of the most common methods employed so far by hackers to launch drive-by-download attacks is the use of SQL injection. Sites vulnerable to SQL injection and in particular those that employ MS SQL Server as their backend are susceptible not only to confidentiality breaches but also unauthorized modifications. Attackers would craft a SQL injection attack that actually injects HTML code into database rows and columns that are later used in the construction of the applications HTML pages. For example, in a forum application where user posts as well as user details are kept in a database an attacker can infect the forum with malicious HTML code. All posting records as well as the names of the users who made the posts are in jeopardy.
Many sites were hit during 2008 using this same method combined with some preliminary exploratory work using Google searches. In several waves of mass SQL Injection attacks millions of legitimate Web sites were compromised, among them some high profile ones (e.g. sites owned by CA and Microsoft). In these incidents, the attackers injected HTML code which downloads different binaries according to the victim’s browser’s version. These binaries then exploit different weaknesses of the specific browser in order to take over the victim’s PC.
Third-party components used in Websites may also act as a conduit of drive-by-download attacks. A Website may reference a widget without knowing that the specific widget contains, either intentionally or not, malicious script. Another example is that of advertisements which contain some malicious code. Once the victim’s browser fetches the advertisement, it unknowingly also fetches the corresponding attacker’s code, as was the case for Major League Baseball’s website in early 2009. Hiding such defective code within advertisements has become common enough practice to earn the nickname "malvertisements".
Drive-by-download attacks should be prevented by a combination of two methods.
- Applications should be protected against tampering, detecting infection attempts in the first place. This can be achieved by combining secure software development practices together with real-time measures such as web application firewalls.
- Protect application users against infection if for some reason the application has been infected. This is achieved using a real-time detection mechanism with frequently updatable signature database to detect victim infection vectors as they flow out of an infected server.