Drive-by download

from Wikipedia, the free encyclopedia

A drive-by download (from English drive-by, 'driving past') is the unconscious and unintentional downloading of software onto a computer. Among other things, it denotes the unwanted downloading of malware simply by visiting a specially prepared website. This exploits security vulnerabilities in the browser or the operating system, because by design HTML content and browser scripting languages should not be able to access anything outside the browser environment without user interaction.

Manipulation of websites

In many cases, the attackers manipulate websites without the knowledge of the operator, for example by exploiting known vulnerabilities in widespread web applications. Combined with unpatched security vulnerabilities in the browser or the operating system, these manipulated websites lead to the unnoticed execution of malware on the user's computer.

Distribution

IT security companies report that a large number of websites are infected by malicious software. This method has been increasing steadily since 2007 and has meanwhile replaced e-mail as the main method of spreading malware . Several thousand affected websites are added every day.

Technology

Today, websites often contain dynamic functions that are implemented using client-side technologies such as JavaScript (also as part of Ajax), Java and Adobe Flash. These techniques allow constant communication between the browser and the server without the user having to take any action. This is used, among other things, to exchange advertising banners, load lists or transfer data to the server. These actions are usually carried out in a sandbox in the browser. However, if the browser or the operating system libraries used by the browser have a security vulnerability, programs can break out of this sandbox and access the user's computer directly. This makes it possible for malicious software to be executed on the user's computer without any user involvement.

Protection

To protect against unwanted drive-by downloads, it helps to always use the latest version of the browser, to keep plugins such as Adobe Flash and Adobe Reader up to date or to deactivate them, and to obtain these plugins only from the manufacturer's official website. In the commercial environment in particular, these plugins, as well as the content and scripts specific to them, are also switched off or filtered at the IT administration level. Disabling Java, not installing plug-ins in the first place, or keeping them up to date also reduces the likelihood of an infection.

Many infections through drive-by downloads do not take place directly via the accessed website, but rather through external, mostly compromised websites, which are reloaded via scripts unnoticed by the user. Certain browser plug-ins prevent these scripts from being reloaded and only execute them after explicit approval by the user, such as NoScript for Firefox or the uMatrix and FlashBlock plugins available for different browsers.
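As an added example (not from the article), the following script shows the kind of integrity check a site operator can run over their own pages to spot script or iframe loads that pull content from hosts the operator never intended, the mechanism described above for reloading external, compromised sites. The hostnames and the sample page are constructed placeholders.

```python
# Added example: a static check for injected third-party <script>/<iframe>
# loads in a page, written for site operators (not code from Wikipedia).
from html.parser import HTMLParser
from urllib.parse import urlparse


class ExternalLoadFinder(HTMLParser):
    """Collects the URLs that <script src> and <iframe src> tags load from."""

    def __init__(self):
        super().__init__()
        self.loads = []  # (tag, url) pairs in document order

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.loads.append((tag, src))


def find_unexpected_loads(html, page_url, allowed_hosts):
    """Return (tag, url) pairs whose host is neither the page's own host
    nor in allowed_hosts. Relative URLs resolve to the page's own host
    and are therefore never reported."""
    own_host = urlparse(page_url).hostname
    allowed = {own_host, *allowed_hosts}
    finder = ExternalLoadFinder()
    finder.feed(html)
    unexpected = []
    for tag, url in finder.loads:
        # scheme="https" lets protocol-relative "//host/path" URLs resolve
        host = urlparse(url, scheme="https").hostname
        if host and host not in allowed:
            unexpected.append((tag, url))
    return unexpected


# Constructed sample page: one expected CDN script plus one load from an
# unrelated host (placeholder domain, not a real indicator).
SAMPLE_HTML = """<html><body>
<script src="/js/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
<iframe src="//third-party.example.net/ad.html"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_unexpected_loads(
            SAMPLE_HTML, "https://www.example.com/", {"cdn.example.com"}):
        print(f"unexpected {tag} load: {url}")
```

Scripts that are injected at runtime by other scripts are invisible to this static pass, so the check is most useful when run against the deployed source and compared with the rendered DOM.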

Another option is to use a sandbox . The Internet application is assigned a defined memory area for its execution and all outputs. This protects other memory areas from being overwritten and makes it much more difficult to exploit memory and buffer overflows.

Running the Internet software with restricted user rights also increases security. However, despite restricted rights, certain security flaws can allow an attacker to execute arbitrary malicious code, which ultimately allows the attacker to gain administrator privileges.
