What is a Drive-By-Download?
Rolando Ramos | 4 days ago | 2 min read
Threat Type: Drive-By-Download
Threat Category: Malware-Based Threat
Cyber Threat Indicators
Drive-by-Download is a method of infecting a computer with malicious software (malware) simply by visiting a compromised or malicious website.
A drive-by download is an attack that leverages vulnerabilities in a user's web browser, operating system, or installed applications (like Flash, Java, or an outdated PDF viewer) to silently install malware.
It's called "drive-by" because the infection occurs just by "driving past" the compromised site, similar to how a person could be infected with a virus just by walking through a contaminated area.
Core Characteristics
Drive-by downloads are defined by a few key technical and user-experience characteristics:
- Absence of User Consent: The most defining characteristic is the lack of any required user action to initiate the download and installation of the malware, beyond the initial page visit. The user never sees a file download prompt.
- Exploitation of Software Vulnerabilities: The attack relies on an exploit kit to identify and take advantage of security flaws (vulnerabilities) in the user's software stack, usually in older, unpatched versions.
- Hidden Execution: The malicious code is often loaded from a third-party server (not the site the user intended to visit) through hidden elements such as invisible iframes or injected scripts.
- Triage and Payload: The malicious code first performs a "triage" on the victim's computer to check the version numbers of installed software. Once a vulnerability is found, the matching exploit is delivered, which then executes the final payload (the actual malware, such as ransomware or a banking trojan).
Common Examples and Tactics
Attackers use several sophisticated tactics to execute drive-by downloads:
| Tactic | Description |
| --- | --- |
| Malvertising | The attacker buys ad space on legitimate, high-traffic websites (like major news sites). The ad itself contains the malicious code or redirects the user's browser to an exploit kit without the user or the website owner knowing. |
| Compromised Legitimate Websites | Attackers break into a reputable, popular website and inject a small piece of malicious code (often JavaScript). When a regular user visits the site, the injected script loads the exploit kit. |
| Exploit Kits (EKs) | Automated toolsets that cybercriminals use. They host a collection of different exploits. When a potential victim's browser lands on the EK's page, the kit runs through its library of exploits until it finds one that works against the user's outdated software. |
| Zero-Pixel Iframes | An attacker embeds an invisible HTML iframe (an element that loads another web page inside the current one) with a size of $0 \times 0$ pixels. This iframe silently loads the malicious website hosting the exploit kit. |
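The hidden-execution and zero-pixel-iframe tricks described above leave traces in the page source that a site owner can scan for. The following is an added example, not code from the original post: a small Python scanner over a constructed HTML sample that flags iframes sized or styled to be invisible and iframe/script sources that point off the site's own domain (the hostnames `news.example`, `cdn.news.example` and `ek-host.example` are assumed for illustration).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a legitimate page carrying one injected 0x0 iframe that
# loads a third-party (assumed) exploit-kit host, plus benign first-party content.
SAMPLE_HTML = """
<html><body>
<h1>Daily News</h1>
<script src="https://cdn.news.example/app.js"></script>
<iframe src="https://ek-host.example/land.php" width="0" height="0"
        style="visibility:hidden"></iframe>
<iframe src="https://video.news.example/player" width="640" height="360"></iframe>
</body></html>
"""

class InjectionScanner(HTMLParser):
    """Flags (1) iframes made invisible by size or CSS and (2) iframe/script
    sources outside the site's own domain, the two delivery tricks above."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def _is_third_party(self, url):
        host = (urlparse(url).hostname or "").lower()
        # Empty host means a relative URL, i.e. same origin as the page.
        return bool(host) and host != self.site_host \
            and not host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k: (v or "") for k, v in attrs}
        src, reasons = a["src"] if "src" in a else "", []
        if tag == "iframe":
            zero = a.get("width", "").strip() in ("0", "0px") or \
                   a.get("height", "").strip() in ("0", "0px")
            style = a.get("style", "").replace(" ", "").lower()
            if zero or "display:none" in style or "visibility:hidden" in style:
                reasons.append("hidden-iframe")
        if src and self._is_third_party(src):
            reasons.append("third-party-src")
        if reasons:
            self.findings.append({"tag": tag, "src": src, "reasons": reasons})

def scan(html, site_host):
    """Return a list of suspicious elements found in the HTML for this site."""
    parser = InjectionScanner(site_host)
    parser.feed(html)
    return parser.findings
```

Run against a page's live HTML (and the site's own source of truth) the same way; a legitimate page with intentionally hidden first-party frames will still be reported, so treat the output as review candidates rather than verdicts.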
---
VIIEGO, the human security agency: research and consulting in identity manipulation and fraud prevention, to decode human behavior and secure your identity.
www.viiego.com | Protect What's Yours.
