Can You Get Malware Just by Visiting a Website?
Every once-in-a-while we read an article that contains information that can help keep you safe on the web. The following article was written by Jareth for the Emsisoft blog. It’s not written in geeky-speaky, it’s written in plain English and easy-to-understand. You’ll learn what drive-by downloads are and how they work – and how to protect yourself from them.
We have always thought that one of the most important things you can do to keep yourself from getting into trouble on the web is learning more about it and staying informed. It is to that end we publish the following Emsisoft article.
Thank you to our friends at Emsisoft for allowing us to share this excellent article with all of you.
Drive-by downloads: Can you get malware just from visiting a website?
Written by Jareth – Emsisoft Blog
Most malware infections rely on you clicking something malicious. But with drive-by downloads, you can get infected without even laying a hand on your mouse – all it takes is for you to visit a compromised website.
Learn how drive-by downloads work and what you can do to protect your system against this sneaky threat.
There are dozens of ways malware can get onto your system. In most cases, infections involve a user-initiated action, like opening a malicious attachment or executing a .exe file acquired from some sketchy corner of the Internet.
In other cases, you can get infected with malware even without opening a file or downloading anything malicious – all it takes is for you to visit a compromised website.
In this article, we’ll show you exactly how drive-by downloads work and how you can protect yourself from this threat.
What is a drive-by download?
A drive-by download refers to the download of malicious software to your device without your consent. Unlike other types of malware that usually rely on tricking you into clicking on a malicious link or downloading a malicious file, drive-by downloads can occur without any user interaction. Drive-by downloads can take place on attacker-owned websites, on legitimate websites that have been compromised, and through malicious advertisements displayed on otherwise safe sites.
In other words, yes: you can get malware just from visiting a website.
Most types of drive-by downloads work by exploiting known vulnerabilities in your operating system, web browser and browser plugins. These security flaws usually only exist due to poor cybersecurity practices – many businesses and home users delay applying vital security patches, which gives attackers a window of opportunity to exploit known vulnerabilities.
What is an exploit kit?
Drive-by download attacks usually involve the use of an exploit kit. An exploit kit is a pre-packaged collection of exploits that attempt to automatically infect targets using a variety of different attack methods.
Exploits kits are designed to be simple to use and often come loaded with features such as a management console, add-on functions and technical support, which make it easy for cybercriminals of all levels of technical literacy to launch a campaign. The creators of exploit kits can generate substantial profits by renting their exploit kits to other cybercriminals – a model sometimes described as exploit-kits-as-a-service. The most highly sought after exploit kits can cost thousands of dollars per month.
Most modern exploit kits work by scanning a website visitor’s system – operating system, IP address, browser, plugins and more – to determine which systems are vulnerable to compromise. The exploit kit then automatically selects an attack method according to the vulnerability that has been identified and triggers the sequence of events that leads to the delivery of the malicious payload.
How do drive-by downloads work?
The following describes the typical anatomy of a drive-by download attack:
1. Exploit kit deployment: Threat actors deploy an exploit kit on their own server, on a compromised legitimate website or through third-party advertising services.
2. Contact: In order to spread the malicious content, adversaries must drive traffic to the exploit kit landing page. Traffic generation methods vary depending on where the exploit is deployed:
- Attacker’s server: Attracting visitors to a new website can be challenging, so email or social media phishing campaigns may be used to generate traffic.
- Legitimate website: Legitimate websites already have their own sources of traffic, which reduces the difficulty of attracting potential victims.
- Malvertisement: The malicious content is spread through advertising services, whose ads may be displayed across the web on legitimate sites.
3. Fingerprinting: When a visitor lands on the exploit kit landing page, the exploit kit analyzes the fingerprint of the user’s device to identify potential vulnerabilities in the user’s software stack and determine if they’re a suitable target.
4. Exploitation: If the user is deemed to be an appropriate target, the exploit kit automatically exploits the detected vulnerabilities to initiate the drive-by download. Targets with no suitable vulnerabilities may be ignored or redirected to a landing page that uses social engineering tactics to dupe the user into downloading malware.
5. Execution: The malicious file is executed. Often, this is a multi-stage attack, whereby the initial drive-by download is used to deploy other types of malware. Obfuscation methods are typically used to prevent detection throughout the attack.
What type of malware can be installed in a drive-by download attack?
Adversaries use drive-by downloads as a way of establishing control of a device. Because no user interaction is required, drive-by downloads can be an effective way for threat actors to quietly gain access to a device and use the initial infection as a springboard to perform further malicious activity.
Exactly what type of malware is delivered in a drive-by download depends on the objective of the attack. In some instances, the drive-by download is the objective. In other cases, the drive-by download is simply the first phase in a multi-stage attack – an opportunity for attackers to gain a foothold in the target environment before making their next move.
With this in mind, drive-by downloads can ultimately be used to deploy almost any type of malware, including ransomware, keyloggers, backdoors and more.
How Emsisoft protects you from drive-by downloads
If you’re an Emsisoft user, you can rest assured that you’re fully protected from drive-by downloads, thanks to a number of powerful protection technologies that work in synergy to keep you safe from online threats.
At the outer perimeter, Web Protection and Emsisoft Browser Security prevent you from connecting to malicious websites using a huge database of continually updated malicious hosts. In the event that you do happen to stumble onto an exploit kit landing page, our Behavior Blocker will automatically intercept exploit attempts and stop downloaded files from attempting to execute – including malicious files that have never been seen before. Our File Guard component will also intercept any drive-by download that has an existing signature.
Taking a multi-layered approach to security provides multiple opportunities to neutralize drive-by downloads before they can make any changes to your device.
More tips on how to prevent drive-by downloads
The following best practices can be useful for reducing the risk of drive-by download attacks:
1. Install security updates promptly: As discussed earlier, most drive-by download attacks work by exploiting known security flaws. Mitigate this risk by always installing security updates for your web browser, extensions, operating system and other applications as soon as the patches are available.
2. Avoid sketchy websites: While a drive-by download could theoretically happen anywhere on the web, you’re more likely to experience an attack on websites that deal in piracy and mature content. Reduce the risk of infection by sticking to trustworthy and well-established sites.
3. Remove unused apps: Shrinking your attack surface reduces the risk of infection. Take a few minutes to review your applications and browser extensions and uninstall anything that you rarely use or which looks unfamiliar. Applications that no longer receive updates are particularly risky and should be removed.
4. Beware of phishing: Adversaries will sometimes use phishing to drive traffic to a malicious landing page that contains an exploit kit. Familiarize yourself with phishing language, be wary of unsolicited emails that try to convey a sense of urgency and always double-check URLs before clicking on anything. See this blog post for more information on preventing phishing attacks.
5. Use an ad blocker: Drive-by downloads are frequently distributed via ad networks. An effective way to block this attack vector is to install a reputable ad blocker.
It’s true that you can get malware just from visiting a website. Through the use of exploit kits hosted on malicious or compromised legitimate websites, threat actors can launch drive-by download attacks that deliver malware without you even laying a hand on your mouse.
Keeping your applications up to date, using good antivirus software, installing an ad blocker and being mindful of phishing attempts can greatly reduce the risk of falling victim to a drive-by download attack.
Again, thanks to the Emsisoft team for allowing us to share this article with you. If you’re interested in learning more about Emsisoft Anti-Malware, please see this page.