Saturday, 16 June 2018


Drive-by download means two things, each associated with undesirable computer software downloads from the Internet:

  1. Downloads that a person authorized without understanding the consequences (e.g. downloads that install unknown or counterfeit executable programs, ActiveX components, or Java applets).
  2. Any download that occurs without the person's knowledge, which is often a computer virus, spyware, malware, or crimeware.

Drive-by downloads may occur when visiting a website, viewing an email message, or clicking on a deceptive pop-up window: for example, clicking on a window in the mistaken belief that an error report from the computer's own operating system is being acknowledged, or that a seemingly harmless advertisement is being dismissed. In such cases, the "supplier" may claim that the user "consented" to the download, even though the user was not actually aware of having started an unwanted or malicious software download. Similarly, anyone who visits a site with malicious content may become the victim of a drive-by download attack: the malicious content may exploit vulnerabilities in the browser or its plugins to run malicious code without the user's knowledge.

Drive-by install (or installation) is a similar event. It refers to installation rather than download (though the two terms are sometimes used interchangeably).


Process

When creating a drive-by download, an attacker must first craft the malicious content used to perform the attack. With the rise of exploit kits that bundle the vulnerabilities needed to perform drive-by download attacks, the skill level required to carry out these attacks has been reduced.

The next step is to host the malicious content the attacker wants to distribute. One option is for the attacker to host the malicious content on their own server. However, because of the difficulty of directing users to a new page, it may instead be hosted on a compromised legitimate website, or on a legitimate website that unknowingly distributes the attacker's content through a third-party service (such as advertisements). When the content is loaded by the client, the attacker analyzes the client's fingerprint in order to tailor the code to exploit vulnerabilities specific to that client.

Finally, the attacker exploits the vulnerabilities needed to launch the drive-by download attack. Drive-by downloads generally use one of two strategies. The first strategy is to exploit API calls for various plugins. For example, the DownloadAndInstall API of the Sina ActiveX component did not properly check its parameters and allowed the download and execution of arbitrary files from the internet. The second strategy involves writing shellcode to memory and then exploiting a vulnerability in the web browser or a plugin to divert the program's control flow to that shellcode. Once the shellcode has been executed, the attacker can perform further malicious activity. This may include stealing information to send back to the attacker, but most commonly involves downloading and installing malware.

In addition to the process described above, the attacker may also take steps to avoid detection throughout the attack. One method is to rely on obfuscation of the malicious code, which can be done through the use of IFrames. Another method is to encrypt the malicious code to prevent detection. Generally the attacker encrypts the malicious code into a ciphertext and then includes the decryption routine after the ciphertext.


Detection

Detection of drive-by download attacks is an active area of research. Some detection methods involve anomaly detection, which tracks state changes on a user's computer system while the user visits a web page; this means monitoring the user's computer for anomalous changes while a web page is rendered. Other detection methods include detecting when malicious code (shellcode) is written to memory by the attacker's exploit. Detection methods also include creating a run-time environment that allows JavaScript code to run while its behaviour is tracked during execution. Further methods include examining the contents of HTML pages to identify features that can be used to recognise malicious web pages, and using the characteristics of the web server to determine whether a page is malicious. In addition, some antivirus tools use static signatures to match malicious script patterns, although this is not very effective because of obfuscation techniques. Finally, detection can also be performed using low-interaction or high-interaction honeyclients.
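The following is an added example, not code from the article or from Wikipedia, of the HTML-content and script-signature checks mentioned above: it flags the hidden IFrames and the encoded-payload-plus-decoder pattern described in the Process section. The sample page and the `ads.example.invalid` URL are constructed; as the text notes, signature checks like these are easily evaded by obfuscation, so the output is a triage signal rather than a verdict.

```python
"""Static HTML feature check for drive-by download indicators (added example)."""
import math
import re
from html.parser import HTMLParser

# Decoder calls that typically follow an encoded payload in injected scripts.
DECODER_RE = re.compile(r"\b(eval|unescape|String\.fromCharCode|document\.write)\s*\(")
# Runs of %xx, \xNN or \uNNNN escapes: the "ciphertext" half of the pattern.
ENCODED_RE = re.compile(r"(%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}){8,}")

def entropy(s):
    """Shannon entropy in bits per character; higher suggests packed/encoded data."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

class DriveByScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hidden_iframes = []      # (src, reason)
        self.suspicious_scripts = []  # one dict per flagged <script> block
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            tiny = any((a.get(k) or "").strip('"px ') in ("0", "1") for k in ("width", "height"))
            hidden = "display:none" in style or "visibility:hidden" in style
            if tiny or hidden:
                self.hidden_iframes.append((a.get("src") or "", "tiny" if tiny else "hidden-style"))
        elif tag == "script":
            self._in_script = True

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script, body, self._buf = False, "".join(self._buf), []
            decoders = sorted(set(DECODER_RE.findall(body)))
            encoded = bool(ENCODED_RE.search(body))
            ent = round(entropy(body), 2)
            # Flag a decoder call paired with an encoded blob or unusually dense text.
            if decoders and (encoded or ent > 5.0):
                self.suspicious_scripts.append({"decoders": decoders, "encoded": encoded, "entropy": ent})

def scan_html(html):
    p = DriveByScanner()
    p.feed(html)
    p.close()
    return {"hidden_iframes": p.hidden_iframes, "suspicious_scripts": p.suspicious_scripts}

SAMPLE = """<html><body><p>Welcome</p>
<script>document.getElementById('x').innerText = 'hello';</script>
<iframe src="http://ads.example.invalid/frame" width="0" height="0"></iframe>
<script>var p="%75%6e%65%73%63%61%70%65%64%20%70%61%79%6c%6f%61%64";eval(unescape(p));</script>
</body></html>"""  # constructed sample page

if __name__ == "__main__":
    print(scan_html(SAMPLE))
```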


See also

  • Malvertising
  • Page hijacking
  • BLADE
  • Mac Flashback
  • Windows Metafile Vulnerability
  • Dropper (malware)


References

Source of the article: Wikipedia
