Drive-by downloads: Stealthy downloads and Internet Explorer's new defense against them
Published: December 30, 2005
By Mark H. Walker

In a memorable moment in a recent Hollywood movie, a young lady attempts to locate an obscure lighthouse by using an Internet search engine. When she clicks on the lighthouse link, dozens of pop-ups rapidly fill her monitor’s screen. Although funny in the theater, pop-ups, or any other type of malware (malicious software), are no laughing matter at home or at work. Microsoft defines malware as software applications, such as viruses, spyware, and adware, that are specifically designed to damage or disrupt a user’s system. Computer industry analysts estimate that viruses alone inflict more than 55 billion dollars of damage each year.
Despite that staggering number, viruses may not be the most dangerous threat to Internet denizens. A relatively new, insidious threat has emerged in the last couple of years—a threat called drive-by downloads.
Drive-by downloading is a catch-all name for software downloaded onto your computer without your knowledge or intervention. Drive-by downloading is different from phishing, which uses authentic-looking sites to deceive users into entering sensitive information, and different from pop-ups, which trick users into agreeing to download software. Drive-by downloads sneak onto computers without the user’s knowledge or permission.
Some of the most common drive-by download carriers are songs from free music share sites, free screensavers, etc. Many of these install spyware that monitors your surfing habits, and then displays pop-ups that match your habits. For example, if you invest a good chunk of your Internet time cruising sport sites, the spyware detects this, and it could then splash sporting apparel ads on your monitor. Drive-by downloads can also attack your computer through e-mail spam (as shown below). For this article, we will concentrate on the browsing threat and what Internet Explorer 7 does to help combat it.

It’s genuine spam. I took the screen from my own Outlook Junk Mail folder.
Stopping the Drive-By Threat
In the past, malware could download and install itself by exploiting URL handling problems within the browser. Hackers would use an HTML link that referenced a URL containing unusual or excessive characters. Parsing the link would cause a buffer in the browser to overflow and execute malicious code. A basic rewrite of this code in Internet Explorer 7 helps prevent this, providing not only greater reliability, but also more flexibility to address unforeseen changes in the Internet.
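To illustrate the kind of URL-handling flaw described above, here is an added example that is not Internet Explorer's code: a hypothetical routine that extracts the host part of a link, in a version that copies it into a fixed buffer without checking its length and in a hardened version that refuses links whose host does not fit. The 64-byte limit and the sample links are constructed for the example.

```c
#include <string.h>

#define HOST_MAX 64   /* assumed size of the host buffer for this example */

/* Locate the host part of "scheme://host/path". Returns its length and
 * sets *start, or returns -1 when the URL has no "://" separator. */
static int find_host(const char *url, const char **start)
{
    const char *p = strstr(url, "://");
    if (p == NULL)
        return -1;
    *start = p + 3;
    return (int)strcspn(p + 3, "/");   /* host ends at the first '/' or NUL */
}
/* Vulnerable version, shown for contrast only: a link whose host is longer
 * than HOST_MAX overruns the caller's buffer (len is never checked). */
void host_unbounded(const char *url, char out[HOST_MAX])
{
    const char *h;
    int len = find_host(url, &h);
    if (len < 0) { out[0] = '\0'; return; }
    memcpy(out, h, (size_t)len);
    out[len] = '\0';
}
/* Hardened version: refuse any host that does not fit before copying. */
int host_bounded(const char *url, char out[HOST_MAX])
{
    const char *h;
    int len = find_host(url, &h);
    if (len < 0 || len >= HOST_MAX)
        return -1;                 /* malformed or too long: reject the link */
    memcpy(out, h, (size_t)len);
    out[len] = '\0';
    return 0;
}
/* Build a constructed link "http://AAAA..." whose host has n bytes and
 * return host_bounded's verdict for it, so the overlong case can be checked. */
int check_constructed_link(size_t n)
{
    char link[256], host[HOST_MAX];
    if (n > sizeof link - 8)
        n = sizeof link - 8;
    memcpy(link, "http://", 7);
    memset(link + 7, 'A', n);
    link[7 + n] = '\0';
    return host_bounded(link, host);
}
```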
Also new to Internet Explorer 7 is code that requires every browser window, not just the main browser window, to display an address bar. This helps clamp down on the proliferation of pop-up windows that appear to be from a reputable site, yet lead instead to a less than reputable site. This, coupled with the pop-up blocker, helps put the brakes on this form of the drive-by download.
Everything Is Not What It Seems
For example, say there is a thirteen-year-old middle-school student with a passion for music and no money to spend on it. Hence, she scours the Internet for free music downloads. A malicious file-sharing site pops up what appears to be a reputable window for a nationally recognizable product, a window that asks for her name and mailing address. She fills in the window, and two weeks later her family’s mailbox is flooded with junk mail. This is an example of cross-domain scripting: a malicious site controlling the script from another, usually reputable, domain.
Again, Microsoft has taken steps to minimize this form of malicious invasion by recoding Internet Explorer to increase assurance that a domain can only control its own sites. By doing so, the program reduces the misbehaving Web page’s chance of accessing the reputable site.
What You Don’t Know Can Hurt You
Of course, the classic type of drive-by download is the download that enters your computer without deception and without your permission. Many of these downloads enter as riders on downloaded files, but some enter through malicious Web sites.
The best remedy for files entering the computer through downloaded software may be the Windows AntiSpyware program. The program can return your browser to its default settings—the settings present before malicious drive-by downloads altered them. Even better, it can help prevent “piggybacked” spyware from entering your hard drive.

Tip: The Windows AntiSpyware program can only lessen the chance of malicious software entering your computer while browsing. It does not prevent entry through your e-mail, although it can scan your hard drive and remove the spyware after entry.
Perhaps the best way to reduce drive-by download intrusion is with a new option offered in Internet Explorer 7, titled Protected Mode. Simply put, Protected Mode blocks the browser’s access to the rest of your computer. Specifically, when Protected Mode is enabled, Internet Explorer 7 cannot modify user or system files or settings.
The Best Defense
Although Protected Mode and the Windows AntiSpyware program are excellent tools in the fight to stop drive-by downloads from infecting computers, sometimes a good offense is the best defense.
Users need to take ownership of their computers and their browsing habits to avoid damaging drive-by download attacks. Here’s how.
Use Common Sense
Don’t seek or browse disreputable Internet sites or sites that rely heavily on pop-up ads for revenue. Common sites that fall into this category include free file sharing, bootleg game, bootleg video, and porn sites. If whatever a site is offering seems too good to be true, then it probably is.

Second, it’s a good idea to turn on your phishing filter, as shown above. Doing so might help you to spot misbehaving Internet sites. If in doubt, have Microsoft check the dubious Web site. You can do this by selecting Tools>Phishing Filter>Check This Website.

Block Pop-Ups
There is little, if any, use for pop-ups. So if you don’t need them, why look at them? Beginning with Windows XP Service Pack 2 and continuing into Internet Explorer 7, Internet Explorer offers a pop-up blocker. Because many drive-by downloads are driven through pop-ups, I suggest that you use Internet Explorer’s pop-up blocker.
To turn on the pop-up blocker, click Tools>Pop-Up Blocker>Turn on Pop-Up Blocker. There is, however, a drawback: the pop-up blocker will also block desirable downloads or legitimate pop-up windows.

But hey, Internet Explorer doesn’t keep any secrets from you. The browser will pop a window (as shown above) notifying you of the blocked pop-up. To display the pop-up or download the file, you need only right-click on the Information Bar and choose Temporarily Allow Pop-Ups.

Tip: If the pop-up is displayed by a site that you trust, you can choose to always allow pop-ups from the site. In fact, by selecting Tools>Pop-Up Blocker>Pop-Up Blocker Settings, you may alter your pop-up blocker settings in greater detail.
Manage Your Add-ons
Another tool that helps you reduce the risk of drive-by downloads is Internet Explorer 7’s add-on manager. You can access the manager through the Tools menu by selecting Tools>Manage Add-Ons. This displays the Add-On Manager window, as shown below.

In this window, you may scroll through all the add-ons that Internet Explorer uses. Furthermore, you can use the drop-down menu at the top of the window to browse the add-ons by four categories: add-ons that have been used by Internet Explorer, add-ons currently loaded in Internet Explorer, add-ons that load when Internet Explorer starts, and downloaded ActiveX Controls. There are two types of add-ons that should raise a red flag: those that you don’t recognize and those that are not verified. Unrecognized add-ons that are verified by Microsoft are fine, but those that are not verified should be investigated or disabled from within the add-on manager.
Unlike the Hollywood comedy, drive-by downloads are no laughing matter, but with the new security features incorporated in Internet Explorer 7, and common-sense Internet usage, they can be dramatically reduced.
The following Web sites offer additional information on drive-by downloads and adware.
http://www.adwarereport.com
Internet Explorer Blog
http://blogs.msdn.com/ie/
Internet Explorer Development Center
http://msdn.microsoft.com/ie/default.aspx