Mapping the route to drive-by download mitigation

Davey Winder

An earlier blog of mine in this series examined the history of the phishing threat and some key mitigation techniques. Drive-by downloads seem to me to be linked to phishing in so many ways, not least because phishing emails are often used as a kind of threatscape satnav, directing victims to their malware-ridden destination. There's also the fact that drive-by downloads (16.6%) and phishing (37.4%) together account for some 54% of all security incidents, according to research cited in LOGICnow’s Cyber Threat Guide.

Coincidentally, we can also trace the roots of drive-by downloads back to 1996, the same year that most industry experts agree phishing became a thing. In the case of drive-by downloads, though, this had little to do with the emergence of phishing and everything to do with the introduction of ActiveX controls in the Internet Explorer 3 web browser. ActiveX controls were native code that a web page could instruct the browser to download and run, and so they handed the bad guys yet another malware distribution route.

ActiveX and the dawn of the drive-by

Not that I can actually say there were drive-by downloads - as we know them today - happening back in 1996, at least not recorded as such. I'm pretty sure that the IE3 ActiveX controls were the catalyst, and can recall speaking to some hackers at the time who were more than a little excited about the potential of the technology as a malware distribution methodology.

But if IE3 was the catalyst, the true tipping point into the big time of cybercrime would have to wait 10 years for the release of the first web exploit kits, such as MPack and WebAttacker, in 2006. These kits bundled together the various scripts and tools needed to launch drive-by attacks without requiring the attacker to be an expert hacker. Anything that makes an attack easier to carry out is guaranteed to become popular, and popular they soon became.

Web exploit kits continue to evolve, and the drive-by download remains at the core of the bulk of the attacks they deliver to this day. The main difference is that they are now even easier to use, thanks to integrated management interfaces and even licensed support. They are also cheap and, if you know where to look, plentiful. The end result is a steady stream of victims whose computers and networks are infected with malware by stealthy means.

The rise of malvertising

I have seen figures from security researchers that suggest more than four million web pages, across half a million websites, are newly infected with malware every month. And that's without including the malvertising distribution route, which exploits infected and rogue advertising networks to deliver malicious payloads: sometimes when users click on a seemingly legitimate advert, and sometimes simply because the advert's own code loads an exploit kit the moment the page renders.

Another common route for drive-by downloads is the fake antivirus pop-up. A visit to an infected or rogue site triggers a pop-up warning that your computer is infected and offering a free scan or a tool to fix it. That click installs malware rather than removing it, and the rest is obvious.

Routes that depend on a click are not the biggest drive-by threats though, precisely because they require a positive user action to execute. The biggest threats are the ones that need no user interaction at all, and that's where the exploit kits come to the fore once more.

Throw in the fact that browser clients are pretty complex pieces of software these days, and that we are all guilty of being plugin junkies, and the boom in drive-by downloads becomes understandable. The bigger the potential for vulnerabilities, the more exploits can be added to the kits and the worse the drive-by problem gets. ActiveX may well be dead, but JavaScript and assorted other scripting components are ensuring that the day of the drive-by download is far from over.

So what can MSPs and IT admins offer by way of a mitigation strategy when it comes to dealing with the drive-by download threat? Rather a lot, as it happens… here are five tips to get you started:


Five top tips on defending against drive-by downloads
  1. Don’t just think drive-by
    Apply the mitigation strategies suggested for dealing with phishing attacks and you can stop users being directed to drive-by sites in the first place. However, remember that the malicious roadmap can take many shapes (social networks, instant messages, malvertising etc.), so don't rely on email filtering and protection alone.

  2. Add layers into your defence
    A layered approach to security is best positioned to act as a road block against drive-by downloads. Base it around a core of web protection, which blocks connections to known malicious sites whether the user browses to them directly or a compromised legitimate page quietly loads content from them, and the threat surface can be greatly diminished.

  3. Think sideways and plan ahead
    For example, ensure that users have more than one browser client installed on their workstations. That way, if a “zero-day” affecting one particular client is discovered, users can be instructed to switch to an unaffected browser until the patch arrives, without causing undue workflow problems. The second browser must be patched and managed just as carefully as the first, of course, otherwise it simply adds to the attack surface.

  4. Ah yes… patching
    As most drive-by downloads rely on a vulnerability in the web browser or one of its plugins in order to execute, patching gives us a very useful mitigation. Keeping browser clients up to date with security patches, removing plugins that nobody actually needs, and only using trusted plugins (that are also kept up to date) can dramatically reduce this threat surface.

  5. And finally, reduce the administrative surface
    By removing admin privileges where they are not absolutely essential to workflow, organisations can stop many drive-by download payloads from installing successfully, and limit the damage of those that do run to the user's own profile rather than the whole machine.
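To make tip 2 a little more concrete, here is a small Python example, added for this post, of the kind of URL check a web protection layer performs before letting a request through. It is not code from the original post or from LOGICnow's products; the blocklist entries and the IP address are constructed placeholders rather than real threat data, and the function names are my own. The point it shows is that the match has to be made on the host the browser would actually connect to: a naive string comparison misses the tricks (a decoy name before an @, upper case, trailing dots, subdomains, a bare-integer IP) that phishing lures use to disguise a drive-by site.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample blocklist (placeholders, not real threat data).
BLOCKED_DOMAINS = {"malware.example", "exploitkit.example"}
BLOCKED_IPS = {"192.0.2.10"}  # documentation range, constructed


def normalise_host(url: str) -> Optional[str]:
    """Return the canonical host a browser would connect to for `url`.

    None means the URL has no usable host; callers should treat that
    as a block, not a pass.
    """
    if "://" not in url:
        url = "http://" + url  # bare hostnames typed into the address bar
    # urlsplit().hostname already drops userinfo ("good.example@..."),
    # drops the port, strips IPv6 brackets and lower-cases the host.
    host = urlsplit(url).hostname
    if not host:
        return None
    host = host.rstrip(".")  # "malware.example." is the same host
    try:
        # Internationalised names are matched in their punycode form
        # so lookalike Unicode labels cannot slip past an ASCII list.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    return host


def _as_ip(host: str) -> Optional[str]:
    """Normalise dotted-quad, IPv6 and bare-integer hosts to a canonical IP string."""
    try:
        if host.isdigit():
            # Browsers accept http://3221225994/ as 192.0.2.10
            return str(ipaddress.ip_address(int(host)))
        return str(ipaddress.ip_address(host))
    except ValueError:
        return None


def is_blocked(url: str) -> bool:
    """True if the request should be stopped by the web protection layer."""
    host = normalise_host(url)
    if host is None:
        return True  # fail closed on anything we cannot parse
    ip = _as_ip(host)
    if ip is not None:
        return ip in BLOCKED_IPS
    # Check the host and every parent domain, so a blocklist entry for
    # malware.example also catches cdn.malware.example, but the bare TLD
    # is never tested on its own.
    labels = host.split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS
               for i in range(len(labels) - 1))


if __name__ == "__main__":
    for u in ["http://good.example@MALWARE.EXAMPLE.:8080/landing",
              "www.malware.example/path", "http://notmalware.example/",
              "http://3221225994/", "https://www.example.com/"]:
        print(f"{'BLOCK' if is_blocked(u) else 'allow':5} {u}")
```

In a real product the blocklist is a feed of millions of entries refreshed constantly and the check sits in a proxy or DNS layer rather than a script, but the normalisation steps are the same, and a filter that skips any of them is a filter the exploit kit operators will route around.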


Find out more about how to defend against this type of attack and what tools you need to protect your networks by downloading our free Cyber Threat Guide.