The Drive-By Download Threat is Everywhere


There are two scary things about drive-by downloads. One is that the victim has to do nothing except visit the infected site to be at risk. The other is that many of the sites carrying the malware have themselves been hijacked and are otherwise legitimate.


Put the two things together, and drive-by downloads are terrifying.


Unfortunately, such sites are becoming more common. InfoWorld says that Google crawled billions of Web addresses during the past year and found 3 million such pages. In the final analysis, the story says, one in every one thousand pages may have been infected -- including the site for Al Gore's "An Inconvenient Truth," the home page of the Miami Dolphins and Alicia Keys' MySpace profile.


The commentary describes how drive-by downloads work. When a visitor arrives at an infected site, the crackers' software probes the visitor's browser for programming errors it can exploit. In many cases, the story says, an invisible iFrame directs the victim to a malicious site that tries to install bad code on the victim's machine. The goal of the Google project is to warn folks about such sites.
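As an added illustration, not code from the original article or from Google's project, here is a small Python scanner that flags the hidden, off-site iframes described above, the kind a compromised but otherwise legitimate page is made to carry. The HTML sample and the host names in it are constructed for the example, and the hiding heuristics are a simplified subset of what a real crawler would check.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class HiddenIframeFinder(HTMLParser):
    """Collect <iframe> tags that are both hidden and point to another host."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.suspicious = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = urlparse(src).hostname or ""
        # Relative or same-host frames are part of the site itself; skip them.
        if not host or host == self.page_host:
            return
        if self._is_hidden(a):
            self.suspicious.append(src)

    @staticmethod
    def _is_hidden(a):
        # Heuristics for "invisible": zero/one-pixel size, display:none,
        # visibility:hidden, or positioned far off-screen.
        style = a.get("style", "").replace(" ", "").lower()
        tiny = (a.get("width", "").strip() in ("0", "1")
                or a.get("height", "").strip() in ("0", "1"))
        return (tiny or "display:none" in style or "visibility:hidden" in style
                or "width:0" in style or "height:0" in style
                or "left:-" in style or "top:-" in style)


def find_hidden_iframes(html, page_host):
    parser = HiddenIframeFinder(page_host)
    parser.feed(html)
    return parser.suspicious


# Constructed sample page: one legitimate video frame, two injected hidden frames.
SAMPLE_HTML = """<html><body>
<h1>Welcome to example-shop</h1>
<iframe src="https://video.example-shop.test/player" width="640" height="360"></iframe>
<iframe src="http://malicious.example.invalid/exploit.php" width="0" height="0" style="display:none"></iframe>
<iframe src="http://other.example.invalid/ad" style="position:absolute; left:-9999px"></iframe>
<iframe src="/local/frame.html" width="1" height="1"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src in find_hidden_iframes(SAMPLE_HTML, "www.example-shop.test"):
        print("hidden off-site iframe:", src)
```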


Google found a couple of interesting things about drive-by downloads. Sites with adult content appear to be only marginally more dangerous than more legitimate sites. The company says that 67 percent of dangerous sites are in China, 15 percent are in the United States, 4 percent are in Russia, 2.2 percent are in Malaysia and 2 percent are in Korea.


This link provides more detailed information on the Google study and a link to a technical report. The link contains a graph showing the growth of the problem between April 2007 and last month. The link -- which reads like an executive summary of a much longer report -- says that during the past several months, more than 1 percent of all search results contained at least one site that appeared to be infected.


This blog provides more details on what a drive-by download is. The writer says that these attacks can be caused by either the browser itself or a component involved in rendering the content. This can be a multimedia plug-in or a scripting engine. The writer says that drive-by downloads are particularly pernicious because they are hard to stop without impacting the functionality associated with the Web and because they simply are difficult to avoid, since they lurk within legitimate sites.


Google is not the only company that sees danger. This Real Time Community post says that Sophos is finding 6,000 infected sites daily, with 83 percent belonging to innocent companies whose sites were commandeered. Symantec takes the micro view, singling out a particular case. In that instance, an e-mail is sent with a URL saying that the recipient has an e-card waiting. The e-mail also contains an HTML IMG tag that, the piece says, results in an HTTP GET request that modifies the router's DNS settings. The result was that requests for the URL of a Mexican banking site and related domains would be redirected to the attackers' site. http://anti-virus-rants.blogspot.com/2007/11/what-is-drive-by-download.html


Two cases in point are Expedia.com and Rhapsody.com. Within the last month, according to SC Magazine, both distributed malware to visitors through banner advertisements that used Flash to pass the bad code. The story has the complex details on the ways in which the ads were propagated. The ads combined social engineering and drive-by downloads in a way that appears to be extremely difficult to counteract.