6 ways to defend against drive-by downloads

By Meridith Levinson, CIO | Security

In the first quarter of 2011, enterprise users encountered an average of 274 web-based malware attacks, a 103% increase over 2010, according to research from Cisco ScanSafe. Why the dramatic increase? One major cause is the growing number of drive-by download attacks. Drive-by downloads are an especially pernicious method cybercriminals use to install viruses and spyware, and otherwise take control of unsuspecting end users' computers.

Drive-by downloads are particularly dangerous because they're so stealthy: As their name suggests, they automatically install software on end users' computers without them knowing.

"Anytime someone else gets to decide what software, what code is running on your computer, then your computer--all the information on it and everything on the network that is connected to it--is at risk," says Daniel Peck, a research scientist with Barracuda Networks' Barracuda Labs.

Indeed, half of all businesses surveyed by Kaspersky Labs in 2011 that had been infected with some kind of malware experienced data loss from the attack.

How Drive-by Downloads Attack

Drive-by downloads work by exploiting vulnerabilities in web browsers, plug-ins or other components that run within browsers, says Peck, and they can take place in a number of ways. For example, you can be innocently browsing the Web when you happen upon a site that downloads malware onto your computer. The site could have been set up by cybercriminals specifically to infect visitors' computers, or it could be a legitimate website that cybercriminals compromised through existing vulnerabilities in the site. Dasient, a company that makes software to prevent web-based malware attacks, notes that nearly 4 million web pages across more than 400,000 websites are infected with malware each month.

Another common way drive-by downloads are distributed is through advertising networks. In 2009, The New York Times was tricked into running an ad for bogus antivirus software that bombarded people who clicked on the ad with pop-ups prompting them to fork over their credit card information to pay for the fake program. Google's and Microsoft's online ad networks fell for a similar trick the following year. Andrew Brandt, director of threat research for Solera Networks' Research Labs, says criminals are still trying to use ad networks to distribute malware because the ad networks make it so easy for them to get their exploits out to so many people.

Occasionally a drive-by download will prompt users to take an action that allows malicious software to take over their machines. The most common example of this today is rogue anti-virus software. You'll visit a web page when suddenly a pop-up window that looks like a legitimate anti-virus program appears on your computer, indicating that it's detected a virus and asking you to click for a free virus scan.

While rogue anti-virus software and exploits like it are a real danger, they aren't the biggest threat because IT departments can educate end users to not fall into the trap. "Only some of the [drive-by download] attacks rely on people to accidentally click something," says Brandt. "The ones that are completely independent of user interaction are the most devastating."

Barracuda Labs' Peck estimates that one out of every 1,000 web pages that people visit is malicious in some way and attempts to perform some sort of exploit on users.

"Drive-by downloads can strike without warning, and only some of them are avoidable. An increasing number are not avoidable," Brandt says.

What's Causing the Surge in Drive-by Downloads?

Brandt, Peck and other security experts say drive-by downloads are occurring much more frequently. "There's certainly been a rise in their popularity lately," says Peck.

Drive-by downloads are proliferating because the exploit kits that allow cybercriminals to compromise websites are readily accessible on the black market, according to Brandt. The exploit kits are also highly refined and automated, which makes it easy for cybercriminals to distribute them across as many web servers as possible, he adds.

The growing complexity of browser environments is also contributing to the spread of drive-by downloads. As the number of plug-ins, add-ons and browser versions expands, there are more weaknesses for cybercriminals to exploit and add to their kits, says Peck.

Originally published on CIO.