<font 22px/inherit;;#c0392b;;inherit>Drive-by Download Attack</font>
Author : Yoan TULET
Seminar for the Computer forensics course 2020
University of zagreb - Faculty of electrical engineering and computing
<font 18px/inherit;;inherit;;inherit>Abstract</font>
The drive-by download attack is a popular method used by cybercriminals to spread malwares on victims computers. Attacker contaminates victim's computers with unwanted download
In this seminar, we will learn how to identify this type of attack and understand how it works. We will see the different phases of the attack to understand how it is possible to detect it. The purpose of this seminar is to provide the reader with tips to prevent against drive-by download attacks.
<font 18px/inherit;;inherit;;inherit>Summary</font>
<font 18px/inherit;;inherit;;inherit>What is it ?</font>
The purpose of this attack is to install malware on a victim computer in order to retreive data from it. The attacker will weaponize a site with an exploit (JavaScript, plugin, browser). The goal is to hide a malware that the victim will download in the background when accessing a web page. The compromised page will look normal to the victim but the malware will be silently installed on his computer.
The malware will open a connection with the attacker and permit remote access to the victim computer. With this access, the attacker will gather data that he need (paswords, data, …). Attacker will store data on an external website to gather it later on his own computer.
With the access of the victim computer, attacker can also install another malicious malware or programs like spywares for example.
<font 18px/inherit;;inherit;;inherit>How it works ?</font>
1 - The attacker exploits a website. He hides malicious code on a page. In most case, the attacker uses some browser or plugin exploit. He can also use the JavaScript on the page.
2 - The victim access the website. He uses the website and nothing seems abnormal to him.
3 - The exploit downloads a malicous java program on the victim computer. The victim does not realize but the hidden program runs in the backound of his computer.
4 - The program creates a link between the victim computer and the attacker.
5 - Attacker has remote control of the victim computer. He uses this control to get what he want (passwords, privileges to access a company website, …).
6 - The attacker transfer all the data gathered on an external website that he can access.
7 - The attacker can recover all the data by download it on the website on which he has stored it.
As we see below, in most case, attacker exploit a website to perform his attack but “drive-by download” attack can begin with other scenarios :
A dangerous thing about “drive-by download” attack is that you normally can’t now that your computer has been attacked. Indeed, you can’t notice that the website that you are browsing has been infected because it look totally normal and you are not aware that a program was installed on your computer.
<font 18px/inherit;;inherit;;inherit>How can we detect this kind of attack ?</font>
To investigate this kind of attack, we will use the RSA NetWitness software. We can see on this image how it is difficult to detect it without this software.
Indeed, we seperate the previous scenario of attack in fourth level of visibilities :
In general conditions, with a traditional Security Information and Event Management (SIEM) software, we can’t have the visibility on the infiltration and access levels of computer victim.
We have to keep in mind that detection for this type of attack is still in an active area of research. Most of methods to detect this kind of attack are anomalies detection (during accessing the web page) and malicious code detection (when the malware communicate with attacker).
RSA NETWITNESS
Rsa Netwitness software will permit to increase visibility in certains levels.
We will be capable of detecting :
We can configure the software to alert the user when some abnormals behaviors are detected.
We can see on this image an exemple of alert caused by a suspicious download.
When searching on the metadata, we can see that a “java.exe” file was downloaded. The software prevent us from a risk caused by an anormal “exe” file. We didn’t intentionaly download this file and the software detect it as a malware.
By continuing the investigation, it will be possible to trace the history of actions performed on the computer. This will allow you to view the processes launched by the malware to identify what the attacker has done on the computer. If the malware is spyware, you can read the files created to take knowledge of the stolen data.
<font 18px/inherit;;inherit;;inherit>How to prevent Drive-by download attacks ?</font>
Unfortunatly, we do not have ways to block “drive-by download” attacks but we have some ways to prevent it. Some antivirus have tools to inspect signatures of eventuals malicious script but attackers often find a way to hide theirs scripts from suspiction.
The most effective technique is to simply add an script-blocker extension to your browser. For exemple “NoScript” extension can be added to firefox browser so that you can choose to disable all the scripts on the pages that you browse except scripts that are essential for the page functionalities.
We can take into account that scripts-blockers extensions will permit to save bandwidth because we now also block advertising script that display pop-up on your screen.
In addition, you have some others options that can increase a little bit more your safety on your computer :
<font 16px/inherit;;inherit;;inherit>Update your softwares when an update comes up</font>
This image show the number of security failures used on the three most used internet browsers for initiate a drive-by download attack. Risks remains but your can see that certain security failures have been corrected over the versions. Updating your sofware is an easy and quickly way to increase your safety online.
<font 16px/inherit;;inherit;;inherit>Clean your plugins</font>
As we saw above, the better way to prevent drive-by download attacks is to use a extension blocker. It is also a good idea to sort the plugins that are installed on your browser. Indeed, we often have a lot of extension that gives permissions to developpers on ours internet browsers. It is a good idead to sort your plugins by asking you some basics question : “What permissions do I give to this plugin ? “, “Do I trust the developers of this plugin?”, …
You have to keep in mind that the fewer plugins you have, the better your security is.
<font 16px/inherit;;inherit;;inherit>Use an ad blocker</font>
As we saw, the downloads are sometimes initialized by the interraction with a pop-up window. In addition to making browsing the internet more pleasant, ad blockers can prevent drive-by donwload attacks.
<font 16px/inherit;;inherit;;inherit>Use a non-administrator account during daily use</font>
Using an administrator account when surfing on internet results in allowing malware to be downloaded without asking your permission. The same goes for malware on your computer. The latter can install malicious programs without asking your permission. You can fix this issue by using a non-privileged account for daily use and switch on privileged account only for installing your softwares. This behavior will greatly reduce your risk of undergoing a drive-by download attack.
<font 16px/inherit;;inherit;;inherit>Use a firewall</font>
Of course a firewall will never be foolproof but it can be effective if the thread you incounter on internet is well known.
<font 16px/inherit;;inherit;;inherit>Protect your mobile devices</font>
A common mistake is to think that smarphones are safe from attack. Moreover, attackers can access more personals data on smarphone than your computer (GPS localisation, call history, banking apps, messages, …). When a security patch appair on the screen of your phone, you should not delay installing it. But first you need to check if this update is really legitimate. It is therefore essential to check on the official website the authenticity of this update.
<font 16px/inherit;;inherit;;inherit>Use a drive-by download mitigation tool</font>
Tools like BLADE (Block All Drive-by download Exploits) are designed to block drive-by download attacks. Theses sofware searches for malicious code. When the software detect this kind of code when trying to access a web page, it raise an alarm that will stop the request.
<font 18px/inherit;;inherit;;inherit>Conclusion</font>
In this seminar, we learned how a drive-by download attack takes place. We saw that it can be use for a lot of malicious purposes and it is important to put in place the means to prevent it. It is important to keep in mind that this type of attack is more and more frequently used by the cybercriminals. As we have seen, there are a number of ways to significantly limit the risks. In the event of a successful attack, we have seen that there are tools for tracing events to understand what the attacker did on our computer.
<font 18px/inherit;;inherit;;inherit>Litteratures </font>:
https://www.rsa.com/content/dam/en/case-study/asoc-drive-by-download.pdf__ : Presents the RSA Netwitness software and the procedure to follow to diagnose the attack
https://heimdalsecurity.com/blog/how-drive-by-download-attacks-work/ : Explains the behaviors to put in place to guard against drive-by download attacks
http://www.infosecwriters.com/Papers/CStevens_DriveBy.pdf :__ Presents examples of major drive-by download atacks that have occurred around the world.