Drive-by download pages are usually hosted on legitimate websites to which an attacker has posted exploit code. Attackers gain access to legitimate sites through intrusion or by posting malicious code to a poorly secured web form, like a comment field on a blog. Compromised sites can be hosted anywhere in the world and concern nearly any subject imaginable, making it difficult for even an experienced user to identify a compromised site from a list of search results. Search engines such as Bing have taken a number of measures to protect users from drive-by downloads.
One example of a drive-by download attack.
As Bing indexes the web, pages are assessed for malicious elements or malicious behavior. Because the owners of compromised sites are usually victims themselves, the sites are not removed from the Bing index. Instead, clicking the link in the list of search results displays a prominent warning, saying that the page may contain malicious software, as shown in this figure.
A drive-by download warning from Bing.
Most drive-by download attacks use malware distribution networks. Rather than being completely self-contained, the exploit code itself is hosted on a different web server and is exposed through the compromised web page using a technique such as a URL embedded in malicious script code or an inline frame. (An inline frame, or IFrame, loads a separate HTML page into a window on the current page. Inline frames can be made as small as a single pixel, so the loaded exploit page is effectively invisible to the site's visitors and easy to overlook.) Bing security analysts locate these malicious servers and examine them with the help of other Microsoft groups, such as the CSS Security China Team.
Analyzing the URLs that host the malicious code or inline frames themselves reveals that a small number of exploit servers host the exploits used by the vast majority of drive-by download pages worldwide.
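The two mechanisms just described (hidden or single-pixel inline frames and URLs written into the page by script) and the host-level aggregation that reveals a small number of shared exploit servers can be illustrated with a small scanner. The following is an added example, not code from the report or from Bing; it uses only the Python standard library, the hostnames are constructed placeholders, and the size and style heuristics are assumptions chosen for illustration rather than Bing's actual detection rules.

```python
"""Heuristic scanner for drive-by download indicators in HTML pages.

Flags inline frames that are hidden or tiny (e.g. 1x1 pixel) and script
blocks that write external URLs into the page, then counts how many
pages reference each host so that a few exploit servers shared by many
compromised pages stand out. All sample pages are constructed here.
"""
from collections import Counter
from html.parser import HTMLParser
import re
from urllib.parse import urlparse

# Matches http(s) URLs written into the page by script code.
URL_RE = re.compile(r"""https?://[^\s'"<>]+""")
# Assumed threshold: frame dimensions at or below this (in px) count as hidden.
TINY_PX = 2


def _px(value):
    """Parse an attribute like '1' or '1px' into an int; anything else gives None."""
    m = re.match(r"\s*(\d+)\s*(px)?\s*$", value or "")
    return int(m.group(1)) if m else None


class _FrameFinder(HTMLParser):
    """Collects suspicious iframe sources and script-injected URLs."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = a.get("src", "")
            style = (a.get("style") or "").replace(" ", "").lower()
            w, h = _px(a.get("width")), _px(a.get("height"))
            reasons = []
            if (w is not None and w <= TINY_PX) or (h is not None and h <= TINY_PX):
                reasons.append("tiny-frame")
            if "display:none" in style or "visibility:hidden" in style:
                reasons.append("hidden-frame")
            if reasons:
                self.findings.append({"src": src, "reasons": reasons})
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive as raw text; look for URLs written into the DOM.
        if self._in_script and "document.write" in data:
            for url in URL_RE.findall(data):
                self.findings.append({"src": url, "reasons": ["script-injected-url"]})


def scan_page(html):
    """Return a list of suspicious embedded references found in one page."""
    p = _FrameFinder()
    p.feed(html)
    p.close()
    return p.findings


def exploit_hosts(pages):
    """Count how many distinct pages reference each suspicious host."""
    counts = Counter()
    for html in pages:
        hosts = {urlparse(f["src"]).hostname for f in scan_page(html)}
        counts.update(h for h in hosts if h)
    return counts


# Constructed sample pages (hostnames are placeholders, not real sites).
SAMPLE_PAGES = [
    '<html><body><h1>Recipes</h1>'
    '<iframe src="http://exploit-a.example/in.php" width="1" height="1"></iframe>'
    '</body></html>',
    '<html><body><p>Forum post</p>'
    '<iframe src="http://exploit-a.example/x" style="display: none"></iframe>'
    '</body></html>',
    '<html><body><p>News</p><script>'
    'document.write(\'<iframe src="http://exploit-b.example/ld"></iframe>\');'
    '</script></body></html>',
    # A legitimate, visible embedded video frame; should not be flagged.
    '<html><body><iframe src="http://video.example/embed" width="640" '
    'height="360"></iframe></body></html>',
]

if __name__ == "__main__":
    for i, page in enumerate(SAMPLE_PAGES):
        print(i, scan_page(page))
    # exploit-a.example is referenced by two of the three flagged pages.
    print(exploit_hosts(SAMPLE_PAGES))
```

Run against a crawl rather than these four pages, the host tally is the part that matters: the same handful of hostnames recurring across thousands of unrelated compromised sites is the signal the report describes, and it points at the exploit server rather than at the victims hosting the injected frame.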
Bing works with webmasters to inform them about compromised sites through the Bing Webmaster Center and provides guidance for the removal of malicious code so that pages can be re-enabled in the index. Bing re-enables many such sites per day following requests from webmasters, indicating that such malware detection efforts can have a positive effect on the safety of websites and their customers.
Bing detects a large number of drive-by download pages each month, with several hundred thousand sites hosting active drive-by pages being tracked at any given time.
Some network operators (ISPs, data centers, backbone providers, and similar operators) are particularly prone to providing hosting services to sites containing drive-by download pages, possibly due to poor security practices. Bing works with selected national Computer Emergency Response Teams (CERTs) with which it has partnered to help network operators clean and secure their infrastructures.
Drive-By Downloads and Targeted Browsers
An analysis of the specific vulnerabilities targeted by drive-by download sites indicates that the majority of the exploits used by such malicious sites target older browsers and are ineffective against newer ones. To assess the prevalence of drive-by download attacks against older browsers, Microsoft researchers examined sites that target various versions of Internet Explorer.
Geographic Distribution of Drive-By Download Sites
Malware Distribution Networks
Although Bing has detected drive-by download sites all over the world, the risk is not spread equally among Internet users worldwide. Users in some parts of the world are more at risk than in others.
Additionally, malware distribution networks tend to be moving targets, with servers constantly appearing and disappearing in different locations. As malware distribution servers get blocked by services such as Bing, they lose their effectiveness, and attackers move them elsewhere.