Have you been hit by a ‘Drive-by-Download’?
This is a term I’m seeing more and more frequently in security-related web posts and, frankly, I thought it was fairly new. After doing some research, however, I found an article entitled ‘Anatomy of a Drive-by-Download’ that was written in 2004 (!) by Eric L. Howes. Where have I been all this time?
The term refers to the pop-ups and warning messages you might receive when visiting certain websites: clicking on any of the pop-ups can result in the installation of malware on your computer. At the time Howes wrote his article, the most commonly installed programs were spyware and/or adware. Although extremely annoying, most of these programs weren’t damaging.
Times have changed, however, and the software has become much more insidious. Most of the pop-ups you see today will claim that your computer is infected with various viruses and other malware, and advise you to download a particular anti-virus / anti-phishing / anti-xx program to ‘protect’ your machine. In reality, these programs will damage your computer and its contents.
Other types of malicious programs have been embedded in banner ads that appear on popular websites. The Drudge Report, Horoscope.com and Lyrics.com (also mentioned in the Howes article), among others, were unwittingly running banner ads that contained a trojan. This attack is being referred to as a ‘silent’ drive-by-download because it didn’t require any interaction from the user: just accessing the site was enough to unleash the virus. If the user’s computer had Adobe Reader and Acrobat installed, a malicious PDF was created dynamically to exploit that program. When Adobe wasn’t found, the virus instead attacked an ActiveX vulnerability in Microsoft’s video streaming software, DirectShow. According to the article, the ‘end goal was to install a variant of the Win32/Alureon trojan, which was designed to download additional malware from the web, monitor browser use and manipulate search results by redirecting users to the sites of an attacker’s choosing.’
Also according to the article (dated September 24, 2009), the ads ran only over the course of the previous weekend and were shut down by the following Tuesday. Attackers target weekends because of the higher volume of consumer traffic on these sites.
This is a cautionary tale for the upcoming shopping season leading up to Christmas: surfers beware!
Some words of advice: when it comes to installing AV programs, stick to the name brands. Be sure to read all pop-up messages carefully so you don’t click the wrong thing and cause harm. If a pop-up advertises a program or manufacturer that is unknown to you, leave it alone. And ALWAYS make sure your AV program is up to date before your fingers go walking through the Internet.
Have you been a victim of a drive-by-download? I’d like to hear how it affected you and the steps you took to clean it up.
Update from an article posted today on spamNews: Security researchers at the University of California, Santa Barbara, were able to reverse engineer the Mebroot botnet for analysis. They discovered that over 6,500 websites had been implanted with malicious code and that 340,000 users had been infected as a result. Read the article on Spam News for more details.