“Drive-by attacks” or “drive-by downloads” are a common way to distribute malware to victim clients. Attackers search for insecure websites and plant their malicious code in the site's HTML or PHP code. Either this code installs malware onto the victim's computer directly, or it redirects the victim via an iframe to another site that is controlled by the attackers. Usually the code is written in a way that makes it harder for security personnel to analyze (obfuscated).

This form of attack is called drive-by because no user action beyond visiting the compromised website is required. The attack only works if the user's browser, its plugins or the operating system have unpatched security vulnerabilities. The attack typically relies on dynamic functions and technologies such as JavaScript, Ajax, Java and Adobe Flash, which allow a page to update without user action through continuous communication between client and server. Normally these tasks run in a so-called sandbox; by exploiting security flaws, however, the attackers can break out of the sandbox and access the client system directly.
Needed for the attack:
- An insecure website
- An insecure browser and/or operating system on the user's side

Solution:
- Close security vulnerabilities in websites
- Keep user systems up to date
- Only get updates and plugins from official sources
- Use plugins that block certain types of scripts or ask for permission first (for example “NoScript”, “uMatrix” or “Flashblock”)
- Use a sandbox
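As an added example (not part of the original text), the following Python script shows the kind of check a site owner can run over their own pages to spot the injected redirect iframe described above: an iframe that points off-site and is sized or styled to be invisible. The sample HTML and the `attacker-placeholder.invalid` host are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Injected drive-by iframes are usually made invisible (0x0 or hidden by CSS)
# and point to a host the attackers control rather than the site itself.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeAuditor(HTMLParser):
    """Collects iframes that look like injected redirects, with the reasons."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        reasons = []
        host = (urlparse(src).hostname or "").lower()
        if host and host != self.site_host:          # points off-site
            reasons.append(f"off-site src {host}")
        for dim in ("width", "height"):               # 0px / 1px frames
            v = (a.get(dim) or "").strip().rstrip("px")
            if v.isdigit() and int(v) <= 1:
                reasons.append(f"{dim}={v}")
        if HIDDEN_STYLE.search(a.get("style") or ""):  # hidden by CSS
            reasons.append("hidden by CSS")
        if reasons:
            self.findings.append((src, reasons))


def audit_html(html, site_host):
    """Return [(iframe src, [reasons])] for suspicious iframes in `html`."""
    p = IframeAuditor(site_host)
    p.feed(html)
    return p.findings


# Constructed sample page: one legitimate embed and one injected hidden iframe.
SAMPLE = """<html><body><h1>Welcome</h1>
<iframe src="https://www.example.com/video" width="640" height="360"></iframe>
<iframe src="http://attacker-placeholder.invalid/x.php" width="0" height="0"
        style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in audit_html(SAMPLE, "www.example.com"):
        print(f"suspicious iframe {src}: {', '.join(why)}")
```

This only catches iframes written into the HTML in plain form; an iframe created by obfuscated JavaScript at load time has to be found by inspecting the scripts or the rendered DOM instead.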