Six ways to defend against drive-by downloads

In the first quarter of 2011, enterprise users encountered an average of 274 web-based malware attacks, a 103 percent increase over 2010, according to research from Cisco ScanSafe. Why the dramatic increase? One major cause is the growing number of drive-by download attacks. Drive-by downloads are an especially pernicious method cybercriminals use to install viruses and spyware, and otherwise take control of unsuspecting end users' computers.

Drive-by downloads are particularly dangerous because they're so stealthy: As their name suggests, they automatically install software on end users' computers without them knowing.

"Anytime someone else gets to decide what software, what code is running on your computer, then your computer--all the information on it and everything on the network that is connected to it--is at risk," says Daniel Peck, a research scientist with Barracuda Networks' Barracuda Labs.

Indeed, half of all businesses surveyed by Kaspersky Labs in 2011 that had been infected with some kind of malware experienced data loss from the attack.

How Drive-by Downloads Attack

Drive-by downloads work by exploiting vulnerabilities in web browsers, plug-ins or other components that work within browsers, says Peck. And they can take place a number of ways. For example, you can be innocently cruising the Web when you happen upon a site that downloads malware onto your computer. The site could have been set up by cybercriminals, specifically for the purpose of infecting people's computers, or it could be a legitimate website that cybercriminals compromised through existing vulnerabilities in the site. Dasient, a company that makes software to prevent Web-based malware attacks, notes that nearly 4 million web pages across more than 400,000 websites are infected with malware each month.

Another common way drive-by downloads are distributed is through advertising networks. In 2009, The New York Times was tricked into running an ad for bogus antivirus software that bombarded people who clicked on the ad with pop-ups prompting them to fork over their credit card information to pay for the fake program. Google's and Microsoft's online ad networks fell for a similar trick the following year. Andrew Brandt, director of threat research for Solera Networks' Research Labs, says criminals are still trying to use ad networks to distribute malware because the ad networks make it so easy for them to get their exploits out to so many people.

Occasionally a drive-by download will prompt users to take an action that allows malicious software to take over their machines. The most common example of this today is rogue anti-virus software. You'll visit a web page when suddenly a pop-up window that looks like a legitimate anti-virus program appears on your computer, indicating that it's detected a virus and asking you to click for a free virus scan.

While rogue anti-virus software and exploits like it are a real danger, they aren't the biggest threat because IT departments can educate end users to not fall into the trap. "Only some of the [drive-by download] attacks rely on people to accidentally click something," says Brandt. "The ones that are completely independent of user interaction are the most devastating."

Barracuda Labs' Peck estimates that one out of every 1,000 Web pages that people visit are malicious in some way and attempt to perform some sort of exploit on users.

"Drive by downloads can strike without warning, and only some of them are avoidable. An increasing number are not avoidable," Brandt says.

What's Causing the Surge in Drive-by Downloads?

Brandt, Peck and other security experts say drive-by downloads are occurring much more frequently. "There's certainly been a rise in their popularity lately," says Peck.

Drive-by downloads are proliferating because the exploit kits that allow cybercriminals to compromise websites are readily accessible on the black market, according to Brandt. The exploit kits are also highly refined and automated, which makes it easy for cybercriminals to distribute them across as many web servers as possible, he adds.

The growing complexity of browser environments is also contributing to the spread of drive-by downloads. As the number of plug-ins, add-ons and browser versions expands, there are more weaknesses for cybercriminals to exploit and add to their kits, says Peck.

"Through creative and malicious use of JavaScript and other scripting components, malicious actors can make those vulnerabilities exploitable and make them do what they want so they can run whatever code they want [on your machine]," Peck adds.

The malware cybercriminals install through drive-by downloads ranges from viruses that crash users' computers to malicious PHP scripts that start and stop applications and browse file systems, says Brandt. Drive-by downloads can also install spyware, remote-access software, key-logging software and Trojans capable of extracting information from computers in seconds. They can turn computers into botnets or make them part of a distributed denial-of-service attacks (DDoS).

Jeff Schmidt, CEO of security consultancy JAS Global Advisors, says he doesn't see the problem of drive-by downloads abating anytime soon. "Now, with HTML5, the boundaries around the browser are lessening, so I expect more of this will happen in the future," he says.

In the meantime, drive-by downloads are a nagging headache for tech support groups and for the users whose computers and productivity they cripple. However, while drive-by downloads will continue to create chaos for unsuspecting end users, IT departments can take actions to defend against these stealth attacks.

6 Ways to Protect Employees from Drive by Downloads

1. Encourage employees to keep their software up to date. Peck, Brandt and Schmidt agree that the single most important measure IT departments can take to protect users from drive-by downloads is to encourage them to keep all of their software up to date, especially their antivirus software, their browsers, and all of their add-ons and plug-ins, including Java, Flash and Adobe Acrobat.

Ensuring that employees are using the latest versions of their browsers and extensions is critical because so many employees run a few versions behind the latest releases and because most drive-by downloads exploit known vulnerabilities inside older versions of browsers and plug-ins. Adobe Acrobat is the most commonly outdated plug-in, according to Zscaler ThreatLabs. It's also heavily exploited by malware makers.

Installing software updates can strike end-users as a nuisance, and because updates (especially on Windows machines) seem to pop up at random, interrupting someone's work, they are often ignored. IT departments need to remind end users that taking five minutes to install those updates will dramatically decrease their odds of getting a virus through a drive-by download that could impede their productivity for a day.

2. Install web-filtering software. Web-filtering products can potentially prevent people from going to sites compromised by drive-by downloads, says Peck. They may have mechanisms built in to them that allow them to detect if a site is unsafe, and if so, to prevent users from going there, he says. Some look for known exploits and known indicators of drive-by downloads. Others have heuristics built into them that help determine if a site is safe.

3. Install NoScript on your Firefox browser. NoScript is a free, open source add-on that allows only trusted websites that you choose to run JavaScript, Java and Flash. Brandt says running Firefox with NoScript prevents "a lot" of drive-by downloads. "As far as I can tell, it's the only surefire method of preventing an accidental infection of a Windows PC by exploit-kitted web pages," he wrote on Solera Networks' blog last December.

4. Disable Java. Brandt urges users to disable JavaScript within PDF documents in their PDF reader's preferences. He also recommends that IT departments uninstall Java from any system they control, at least until a patch is released to address CVE-2011-3544, a malicious Java applet stored within a Java Archive file that allows an unsigned applet to potentially have unrestricted access to run arbitrary Java code.

5. Keep tabs on BLADE. BLADE, which stands for Block All Drive-By Download Exploits, is an emerging Windows immunizations system that prevents drive-by download exploits from infecting vulnerable Windows machines. It's being developed by researchers at Georgia Tech and SRI International. BLADE v1.0, a free research prototype, will soon be available for download.

6. Don't give users admin access to their computers. When provisioning computers to end users, sophisticated IT shops set up employees with standard user accounts, says JAS Global Advisors' Schmidt. They don't give end users local administrative access to their computers.

"It used to be standard practice for everyone to have local admin access to their computers," says Schmidt. "It made things easier with respect to installing drivers, but it also meant that any malicious software had access to the computer."

Limiting end users' administrative access to the computer mitigates the damage malware can do, adds Schmidt. "If I happen to open a browser when I'm logged in and download something bad, the scope of the damage is limited to the user context. It doesn't own the machine."