Mapping the route to drive-by download mitigation
An earlier blog of mine in this series examined the history of the phishing threat and some key mitigation techniques. Drive-by downloads seem to me to be linked to phishing in so many ways, not least because phishing emails are often used as a kind of threatscape satnav, directing victims to their malware-ridden destination. There's also the fact that combining drive-by downloads (16.6%) and phishing (37.4%) accounts for some 54% of all security incidents, according to research cited in LOGICnow’s Cyber Threat Guide.
Coincidentally, we can also trace the roots of drive-by downloads back to 1996, the same year that most industry experts agree phishing became a thing. In the case of drive-by downloads, though, this had little to do with the emergence of the phishing threat and everything to do with the introduction of ActiveX controls in the Internet Explorer 3 web browser client. These controls enabled automatic downloads, and so also enabled the bad guys to equip themselves with yet another malware distribution route.
ActiveX and the dawn of the drive-by
Not that I can actually say there were drive-by downloads, as we know them today, happening back in 1996, at least not recorded as such. I'm pretty sure that the IE3 ActiveX controls were the catalyst, and I can recall speaking to some hackers at the time who were more than a little excited about the potential of the technology as a malware distribution methodology.
But if IE3 was the catalyst, the true tipping point into the big time of cybercrime would have to wait for 10 years and the release of the first web exploit kits – such as MPack and WebAttacker – in 2006. These kits bundled together the various scripts and tools needed to launch drive-by attacks without requiring the attacker to be an expert hacker. By making it easier to carry out such an attack, popularity was guaranteed; and popular they soon became.
Web exploit kits continue to evolve, but the drive-by download remains at the core of the bulk of attacks to this day. The main difference is that the kits are now even easier to use, thanks to integrated interfaces and even licensed support. They are also cheap and, if you know where to look, plentiful. The end result is a steady stream of victims whose computers and networks are infected with malware through stealthy means.
The rise of malvertising
I have seen figures from security researchers that suggest more than four million web pages, across half a million websites, are newly infected with malware every month. And that's without including the malvertising distribution route that exploits infected and rogue advertising networks to deliver malicious payloads when users click on seemingly legitimate adverts.
Another common route for drive-by downloads is the fake antivirus pop-up. Visits to infected or rogue sites trigger a pop-up warning that your computer is infected and offering a free scan or software to fix it. That click actually installs malware rather than removing it, and the rest follows from there.
These are not the biggest drive-by threats, though, as they require a positive user action to execute. The biggest threats are the ones that execute without any such user interaction beyond visiting the page, and that's where the exploit kits come to the fore once more.
So what can MSPs and IT admins offer by way of a mitigation strategy when it comes to dealing with the drive-by download threat? Rather a lot, as it happens. Here are five tips to get you started:
Five top tips on defending against drive-by downloads
Find out more about how to defend against this type of attack and what tools you need to protect your networks by downloading our free Cyber Threat Guide.