Cyber Tradecraft; Defending Against Drive-by Downloads


Imagine this… You’re perusing the ancient and colourful Grand Bazaar in Istanbul, feeling overwhelmed by all the interesting sights, sounds, and smells. An excited and charismatic shop owner waves you over to his wares, enticing you to contemplate the colourful baubles he has on display. As you’re thus distracted, a quiet, inconspicuous character jostles you lightly from behind, whispering an apology as she hurries past. You walk away from the ordinary encounter perfectly unaware that she also planted a powerful bug on your person, and can now track your every move, and monitor whatever you do, potentially using this newfound power to swipe the confidential documents you have holed up in your hotel safe.

You’re probably thinking, the description above sounds a lot like the fantastical tales you’ve read about in pulpy spy novels. Yet, it is surprisingly close to what the average user risks every day while browsing web sites online—the risk of the drive-by download.

Drive-by download? Sounds like something cyber gangs do in South Central.

In case you haven’t heard the term before, a drive-by download (DbD) is a class of cyber attack where you visit a booby-trapped web site and it automatically, and silently, downloads and executes malicious code on your computer.

By default, web sites can’t just download and run code on your computer, so a successful DbD attack relies on some sort of programmatic flaw or vulnerability in the software you use to surf the web. Browsers like Internet Explorer (IE), Firefox, Safari, and Chrome make the most obvious targets. However, nowadays most users install many other web-related products, which attackers can exploit in DbD attacks. For instance, products like Java, Flash, Shockwave, Reader, QuickTime, and many others insert plugins into your web browser, which allow them to render the dynamic content you encounter when visiting modern web sites. The problem is that these plugins also give attackers access to that software, providing more attack surface.

In short, if an attacker can find any vulnerability in the diverse software-set you use to browse the web, and he can entice you to a web site containing a bit of malicious code, he can exploit these flaws to force your computer to infect itself with malware without you even knowing it. Much like the fictional spy scene in the Turkish market, by luring you to a special place and distracting you, these network criminals can quietly compromise you behind your back.

How do hackers get me to malicious sites?

“But wait a second,” you might exclaim, “I’m not naive enough to visit suspicious web sites on the Internet. They can’t infect me if they can’t get me there, right?”

Of course, you are correct. Unless an attacker can get you to his booby-trapped web site, his DbD attack will not succeed. However, you might be surprised at how easy it is to lure victims to booby-trapped sites today.

Let’s start with the old, tried-and-true techniques. In the past, you might have heard security professionals warn you against visiting the seedier side of the Internet. Just like in the red-light districts found in the real world, lots of questionably legal activities happen in some of the sleazier parts of the Internet. Sites catering to pornography, software piracy, drug sales, and more, often partner with cyber criminals (knowingly or unknowingly), and serve up malware to their visitors via DbD attacks. Anytime you see something shady offered for free on the Internet, chances are you’ll pay in ways you don’t quite know.

Another way to get victims to malicious sites is just to invite them to visit. Cyber criminals use every Internet messaging mechanism they can to spam out links to their malicious pages. They send emails, instant messages (IMs), or post to social networks, sharing links that go directly to booby-trapped websites. Of course, they dress up their message in some way to get you interested, citing the latest pop culture event, or pretending to be your friend sharing a fun link. They also often use link-shortening services to make their malicious links seem more benign. Since many users still don’t realise web links can be dangerous, many fall for the bait and click the link for an unwelcome surprise.

However, the most nefarious way to draw victims to booby-trapped DbD web sites is the watering hole attack, a three-phase attack where the attacker focusses on a particular group and observes which websites the group frequents. The attacker infects those websites with malware so that eventually some of the targeted group members get infected. All the methods described previously depend on getting someone to a site that they may not visit of their own accord… but what if you could hijack a site they frequented regularly? Just like the lions stalking prey in the Savannah, hackers know that if they can poison your favorite “watering hole” web site, you’ll surely stumble upon their DbD code. The attackers search for web application vulnerabilities in popular and legitimate web sites, such as SQL injection (SQLi) and cross-site scripting (XSS) flaws, then exploit these problems to inject malicious code into the legitimate site, redirecting anyone who visits the site to malicious DbD code.
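If you operate a site that could be turned into a watering hole, one practical integrity check is to scan your own pages for script, frame and object loads that point outside the hosts you expect, and for zero-size or hidden iframes, which is how injected redirects to DbD code are often concealed. The following is an added example, not code from the article or from WatchGuard; the allowlist and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: the hosts a site you run is expected to load
# scripts and frames from. Anything else on your own pages is suspect.
ALLOWED_HOSTS = {"www.example.com", "cdn.example.com"}

REDIRECT_STATUSES = ()  # unused here; kept out of the parser for clarity


class ExternalLoadFinder(HTMLParser):
    """Collect every <script src>, <iframe/frame/embed src> and <object data>."""

    def __init__(self):
        super().__init__()
        self.loads = []  # list of (tag, url, attrs)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe", "frame", "embed"):
            url = a.get("src")
        elif tag == "object":
            url = a.get("data")
        else:
            url = None
        if url:
            self.loads.append((tag, url, a))


def find_injected_loads(html, allowed_hosts=ALLOWED_HOSTS):
    """Return findings for loads from hosts outside the allowlist and for
    hidden/zero-size iframes. Relative URLs are same-origin and allowed."""
    parser = ExternalLoadFinder()
    parser.feed(html)
    findings = []
    for tag, url, attrs in parser.loads:
        host = urlparse(url).hostname  # None for relative URLs
        if host and host not in allowed_hosts:
            findings.append(f"{tag} loads from unexpected host {host}: {url}")
        if tag == "iframe":
            style = (attrs.get("style") or "").replace(" ", "").lower()
            zero_size = attrs.get("width") == "0" or attrs.get("height") == "0"
            if zero_size or "display:none" in style or "visibility:hidden" in style:
                findings.append(f"hidden iframe: {url}")
    return findings


# Constructed sample page: one legitimate script, one injected hidden iframe.
SAMPLE_PAGE = """<html><body>
<script src="https://cdn.example.com/app.js"></script>
<p>Welcome back.</p>
<iframe src="http://injected.invalid/landing" width="0" height="0" style="display:none"></iframe>
</body></html>"""
```

Running `find_injected_loads(SAMPLE_PAGE)` reports the iframe twice, once for its unexpected host and once for being hidden, while the allowlisted script produces nothing.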

In the past, I could warn you against visiting sordid web sites to avoid DbD attacks. However, today any site on the Internet—even the ones you trust the most—may have been hijacked and could be hiding a drive-by download.

Drive-by download defense and “tradecraft”

Part of being a good spy is understanding your adversary’s techniques, and then learning the tradecraft that can protect you in the field. Now that you know what a drive-by download is, and how they work, here’s a few cyber tradecraft tips that will protect you online:

  • Patch, patch, and then patch some more – In “computer-ese,” patching means to apply the latest updates to your computer software. As mentioned, web sites can’t forcefully download software to your computer unless they can take advantage of programming flaws in the software you run. Many of the DbD attacks seen in the wild exploit flaws that vendors have already fixed. If you keep your software up to date, most attacks will fail. Obviously patch your web browser, but also know that hackers are focusing on exploiting Java and Flash vulnerabilities lately. You should patch these packages just as aggressively as the browser itself. In fact, I would recommend disabling Java if you can.
  • Don’t click unsolicited links – Simply put, avoid clicking unsolicited links sent to you via email and IM. I probably can’t convince you not to click on links from your friends (or ones that seem like they come from your friends), but at least remain wary of them, and look at the URL for the link before clicking it. I would also be careful around shortened links, and leverage tools to expand and preview these links before following them. Here’s a quick tip: if you add a “+” character to the end of a bit.ly link, you will see a preview of the actual URL before visiting it.
  • Use antivirus (AV) and intrusion prevention (IPS) – While vigilance and good practices can help you avoid many attacks, no one is perfect. There will be a day when even the best of us stumble on DbD attack sites. IPS systems can frequently detect the network exploits these attacks leverage, and AV systems can often recognise the malicious payloads they try to silently download. Use AV and IPS systems, and keep them up to date. By the way, Unified Threat Management (UTM) solutions and Next Generation Firewalls (NGFW) can make these security systems easy to manage for businesses.
  • Use reputation-based web-filtering solutions – The malicious sites that serve DbD attacks change quite frequently, as do the legitimate sites that have been hijacked. Security organisations and vendors, like WatchGuard, use many automated techniques to keep track of the latest malware distributing sites, and offer reputation services that can keep you and your users away from them. You should consider using web-filtering solutions to help you avoid dangerous sites on the Internet.
  • Pro-tip: Limit web-based scripting with NoScript (and others) – Without going into all the technical details, know that many DbD attacks rely on web scripting languages, such as JavaScript and ActiveX, to carry out their attacks. Disabling these scripting technologies would block a huge majority of DbD attacks. Unfortunately, it’s not quite that simple. Many legitimate web sites also use these scripting languages for perfectly normal aspects of their web site. That’s why I recommend script whitelisting technologies like Firefox’s NoScript or Chrome’s NotScripts or Click-to-Play. These plugins will prevent scripts and some dynamic web content from running by default, but also allow you to easily whitelist sites you trust.
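The “expand and preview shortened links before following them” tip above can be automated: issue HEAD requests that do not follow redirects and walk the Location headers hop by hop, so you see the whole chain (and stop on loops or absurdly long chains) without ever loading the final page in a browser. This is an added example, not code from the article or from WatchGuard; the `fetch` parameter lets the chain-walker run against the constructed, offline hop table below instead of the network, and the bit.ly “+” helper implements the article’s tip only for that host.

```python
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urljoin, urlparse

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urlopen raise HTTPError for the 3xx instead of following it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_head(url, timeout=5):
    """One network hop: (status, Location header or None), never following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except HTTPError as err:
        return err.code, err.headers.get("Location")


def expand_short_link(url, fetch=http_head, max_hops=10):
    """Walk redirects from url. Returns (chain_of_urls, reason) where reason is
    'final' (a non-redirect answer), 'loop' or 'too many hops'."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_STATUSES or not location:
            return chain, "final"
        nxt = urljoin(chain[-1], location)  # Location may be relative
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
    return chain, "too many hops"


def bitly_preview_url(url):
    """The article's tip: a bit.ly link with '+' appended shows a preview page."""
    if (urlparse(url).hostname or "") == "bit.ly" and not url.endswith("+"):
        return url + "+"
    return None


# Constructed hop table standing in for the network (hostnames are made up).
CONSTRUCTED_HOPS = {
    "https://bit.ly/constructed-example": (301, "https://t.example/go"),
    "https://t.example/go": (302, "/landing"),
    "https://t.example/landing": (200, None),
    "https://loop.example/a": (302, "https://loop.example/b"),
    "https://loop.example/b": (302, "https://loop.example/a"),
}


def fake_head(url):
    return CONSTRUCTED_HOPS.get(url, (404, None))
```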

Black hats have become extremely sneaky and sophisticated in their cyber attacks. Drive-by downloads have become the silent but deadly, de facto attack that criminals have chosen to deliver most of their malware, and watering hole attacks make reaching victims child’s play. However, with a little vigilance and knowledge, anyone can avoid this web-based infection vector. Diligently apply the cyber tradecraft you learned and you’ll survive most DbD malware encounters unscathed.

Corey Nachreiner, Director of Security Strategy.

Corey Nachreiner has been with WatchGuard since 1999 and has since written more than a thousand concise security alerts and easily-understood educational articles for WatchGuard users. His security training videos have generated hundreds of letters of praise from thankful customers and accumulated more than 100,000 views on YouTube and Google Video. A Certified Information Systems Security Professional (CISSP), Corey speaks internationally and is often quoted by other online sources, including C|NET, eWeek, and Slashdot. Corey enjoys “modding” any technical gizmo he can get his hands on, and considers himself a hacker in the old sense of the word.

For more information about WatchGuard visit our vendor page – www.wickhill.com/watchguard
