Contents 1 Process 2 Detection 3 See also 4 References


Process[edit] When creating a drive-by download, an attacker must first create their malicious content to perform the attack. With the rise in exploit packs that contain the vulnerabilities needed to carry out drive-by download attacks, the skill level needed to perform this attack has been reduced. [3] The next step is to host the malicious content that the attacker wishes to distribute. One option is for the attacker to host the malicious content on their own server. However, because of the difficulty in directing users to a new page, it may also be hosted on a compromised legitimate website, or a legitimate website unknowingly distributing the attackers content through a third party service (e.g. an advertisement). When the content is loaded by the client, the attacker will analyze the fingerprint of the client in order to tailor the code to exploit vulnerabilities specific to that client. [4] Finally, the attacker exploits the necessary vulnerabilities to launch the drive-by download attack. Generally, drive-by downloads use two strategies. The first strategy is exploiting API calls for various plugins. For example, the DownloadAndInstall API of the Sina ActiveX component did not properly check its parameters and allowed the downloading and execution of arbitrary files from the internet. The second strategy involves writing shellcode to memory, and then exploiting vulnerabilities in the web browser or plugin to divert the control flow of the program to the shell code. [4] After the shellcode has been executed, the attacker has the ability to perform further malicious activities. This could include stealing information to send back to the attacker, but generally involves downloading and installing malware. [3] In addition to the outlined process above, the attacker may also take measures to prevent detection throughout the attack. One method is to rely on the obfuscation of the malicious code. This can be done through the use of IFrames. [3] Another method is to encrypt the malicious code to prevent detection. Generally the attacker encrypts the malicious code into a ciphertext, then includes the decryption method after the ciphertext. [4]


Detection[edit] Detection of drive-by download attacks is an active area of research. Some methods of detection involve anomaly detection, which tracks for state changes on a user’s computer system while the user visits a webpage. This involves monitoring the user’s computer system for anomalous changes when a web page is rendered. Other methods of detection include detecting when malicious code (shellcode) is written to memory by an attacker’s exploit. Detection methods also include making run-time environments that allow JavaScript code to run and track its behavior while it runs. Other detection methods include examining contents of HTML pages to identify features that can be used to identify malicious web pages, and using characteristics of web servers to determine if a page is malicious.[3] Furthermore, some antivirus tools use static signatures to match patterns of malicious scripts, although these are not very effective because of obfuscation techniques. Finally, detection can also be conducted by using low-interaction or high-interaction honeyclients.[4]


See also[edit] Malvertising Page Hijacking BLADE Mac Flashback Windows Metafile Vulnerability Dropper (malware)


References[edit] ^ "Exploit on Amnesty pages tricks AV software". The H online. Heinz Heise. 20 April 2011. Retrieved 8 January 2011.  ^ Olsen, Stefanie (8 April 2002). "Web surfers brace for pop-up downloads". CNET News. Retrieved 28 October 2010.  ^ a b c d e Le, Van Lam; Welch, Ian; Gao, Xiaoying; Komisarczuk, Peter (2013-01-01). "Anatomy of Drive-by Download Attack". Proceedings of the Eleventh Australasian Information Security Conference - Volume 138. AISC '13. Darlinghurst, Australia, Australia: Australian Computer Society, Inc.: 49–58. ISBN 9781921770234.  ^ a b c d Egele, Manuel; Kirda, Engin; Kruegel, Christopher (2009-01-01). "Mitigating Drive-By Download Attacks: Challenges and Open Problems". iNetSec 2009 – Open Research Problems in Network Security. Springer Berlin Heidelberg. pp. 52–62. doi:10.1007/978-3-642-05437-2_5.  Retrieved from "https://en.wikipedia.org/w/index.php?title=Drive-by_download&oldid=806082315" Categories: Computer security exploitsComputer virusesHidden categories: Use dmy dates from June 2011


Navigation menu Personal tools Not logged inTalkContributionsCreate accountLog in Namespaces ArticleTalk Variants Views ReadEditView history More Search Navigation Main pageContentsFeatured contentCurrent eventsRandom articleDonate to WikipediaWikipedia store Interaction HelpAbout WikipediaCommunity portalRecent changesContact page Tools What links hereRelated changesUpload fileSpecial pagesPermanent linkPage informationWikidata itemCite this page Print/export Create a bookDownload as PDFPrintable version Languages CatalàDeutschEspañol한국어日本語PortuguêsSvenska中文 Edit links This page was last edited on 19 October 2017, at 15:38. Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply. By using this site, you agree to the Terms of Use and Privacy Policy. Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc., a non-profit organization. Privacy policy About Wikipedia Disclaimers Contact Wikipedia Developers Cookie statement Mobile view (window.RLQ=window.RLQ||[]).push(function(){mw.config.set({"wgPageParseReport":{"limitreport":{"cputime":"0.108","walltime":"0.137","ppvisitednodes":{"value":418,"limit":1000000},"ppgeneratednodes":{"value":0,"limit":1500000},"postexpandincludesize":{"value":8098,"limit":2097152},"templateargumentsize":{"value":180,"limit":2097152},"expansiondepth":{"value":12,"limit":40},"expensivefunctioncount":{"value":1,"limit":500},"entityaccesscount":{"value":0,"limit":400},"timingprofile":["100.00% 111.881 1 -total"," 87.60% 98.009 1 Template:Reflist"," 56.56% 63.283 2 Template:Cite_web"," 12.34% 13.805 1 Template:Use_dmy_dates"," 8.33% 9.323 1 Template:DMCA"," 7.15% 7.996 1 Template:Dated_maintenance_category"," 7.14% 7.989 1 Template:Cite_journal"," 6.25% 6.995 1 Template:Cite_book"," 4.73% 5.289 1 Template:FULLROOTPAGENAME"," 3.28% 3.674 1 Template:Ns_has_subpages"]},"scribunto":{"limitreport-timeusage":{"value":"0.044","limit":"10.000"},"limitreport-memusage":{"value":2214634,"limit":52428800}},"cachereport":{"origin":"mw1187","timestamp":"20171202181829","ttl":1900800,"transientcontent":false}}});});(window.RLQ=window.RLQ||[]).push(function(){mw.config.set({"wgBackendResponseTime":87,"wgHostname":"mw1262"});});


Drive-by_download - Photos and All Basic Informations

Drive-by_download More Links

DownloadComputerSoftwareInternetExecutable ProgramActiveXJava (software Platform)DownloadComputer VirusSpywareMalwareCrimewareWebsiteVulnerability (computing)Installation (computer Programs)Third-party Software ComponentDevice FingerprintApplication Programming InterfacePlug-in (computing)ActiveXShellcodeShellcodeMalwareObfuscation (software)IframesCiphertextCiphertextAnomaly DetectionShellcodeJavaScriptAntivirus SoftwareObfuscation (software)Client HoneypotMalvertisingPage HijackingBLADE (software)Trojan BackDoor.FlashbackWindows Metafile VulnerabilityDropper (malware)References To HamletHeinz HeiseCNETInternational Standard Book NumberSpecial:BookSources/9781921770234Digital Object IdentifierHelp:CategoryCategory:Computer Security ExploitsCategory:Computer VirusesCategory:Use Dmy Dates From June 2011Discussion About Edits From This IP Address [n]A List Of Edits Made From This IP Address [y]View The Content Page [c]Discussion About The Content Page [t]Edit This Page [e]Visit The Main Page [z]Guides To Browsing WikipediaFeatured Content – The Best Of WikipediaFind Background Information On Current EventsLoad A Random Article [x]Guidance On How To Use And Edit WikipediaFind Out About WikipediaAbout The Project, What You Can Do, Where To Find ThingsA List Of Recent Changes In The Wiki [r]List Of All English Wikipedia Pages Containing Links To This Page [j]Recent Changes In Pages Linked From This Page [k]Upload Files [u]A List Of All Special Pages [q]Wikipedia:AboutWikipedia:General Disclaimer



view link view link view link view link view link