Q&A Drive-by downloads: Can you get malware just from visiting a website?

mkoundo

Level 5
Verified
Jul 21, 2017
227
There are dozens of ways malware can get onto your system. In most cases, infections involve a user-initiated action, like opening a malicious attachment or executing a .exe file acquired from some sketchy corner of the Internet.

In other cases, you can get infected with malware even without opening a file or downloading anything malicious – all it takes is for you to visit a compromised website.

In this article, we’ll show you exactly how drive-by downloads work and how you can protect yourself from this threat.

 

shmu26

Level 85
Verified
Trusted
Content Creator
Jul 3, 2015
8,045
Drive-by downloads are getting rarer and rarer. And even if it happens, it won't infect your system unless you run the file. So it is 99.9% of the time. This assumes you are running a modern version of Windows and you receive updates. If you are running XP, then anything can happen.
 

silversurfer

Level 72
Verified
Trusted
Content Creator
Malware Hunter
Aug 17, 2014
6,130
Drive-by downloads are getting rarer and rarer. And even if it happens, it won't infect your system unless you run the file. So it is 99.9% of the time. This assumes you are running a modern version of Windows and you receive updates. If you are running XP, then anything can happen.

Drive-by downloads (in certain cases) are able to run automatically; it depends on how the malware is "made"... it's even possible for home users to run into such a scenario, the question is always what your "browsing habits" are. We shouldn't claim it will never happen to anybody ;)
 

shmu26

Level 85
Verified
Trusted
Content Creator
Jul 3, 2015
8,045
Drive-by downloads (in certain cases) are able to run automatically; it depends on how the malware is "made"... it's even possible for home users to run into such a scenario, the question is always what your "browsing habits" are. We shouldn't claim it will never happen to anybody ;)
Could you share an example of that in recent years? I mean, aside from targeted zero-day attacks backed by nation states which don't affect home users.
 

struppigel

Moderator
Verified
Staff member
Apr 9, 2020
403
Drive-by downloads are getting rarer and rarer. And even if it happens, it won't infect your system unless you run the file. So it is 99.9% of the time. This assumes you are running a modern version of Windows and you receive updates. If you are running XP, then anything can happen.

What makes you think it is rare? Do you have any data that supports this claim?

The reason I am asking is that this is not my experience at all. While dealing with infected systems on forums and customer's systems, drive-by-downloads are one of the major causes.

There are also not-so-old reports which indicate that this is still a major problem. E.g., this one from last year: Malvertising, Site Compromise, And A Status Report On Drive-by Downloads
And it is concluding with this remark:

It’s 2020 and we can still force downloads that are not user initiated, without any prompt from cross-origin iframes in half of the major browsers out there. Why?
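The remark quoted above describes a frame starting a download with no prompt and no user action. The following is an added example, not code from the thread or from the report it cites, showing the attacker-side mechanism and the embedder-side mitigation. It assumes a modern browser that implements the `allow-downloads` sandbox token (Chrome 83 and Firefox 82 onward do); the URLs, file name and function names are hypothetical.

```javascript
// Added example (not from the thread or the cited report). Shows how a page
// inside an ad/widget iframe forces a download, and how the embedding site
// sandboxes such frames so the browser cancels that download.
// URLs and file names are hypothetical.

// Attacker side: script running in the framed page. No exploit is needed:
// create an <a download> and click it from script. The `download`
// attribute is honoured for URLs on the frame's own origin; for a
// cross-origin target the server forces the same effect by answering with
// "Content-Disposition: attachment". `doc` is the frame's document.
function forceDownload(doc, url, filename) {
  const a = doc.createElement('a');
  a.href = url;
  a.download = filename;        // ask to save rather than navigate
  a.style.display = 'none';
  doc.body.appendChild(a);
  a.click();                    // programmatic click, no user interaction
  a.remove();
  return filename;
}

// Defender side: the site embedding third-party content. A sandboxed frame
// may start a download only when its sandbox contains `allow-downloads`
// (assumption: the browser implements that token). Tokens that would let the
// frame force a download anyway, or navigate the top page to a
// Content-Disposition: attachment URL, are refused.
const DENIED_TOKENS = new Set([
  'allow-downloads',
  'allow-top-navigation',
  'allow-popups-to-escape-sandbox',
]);

function hardenedIframe(src, tokens = ['allow-scripts']) {
  for (const t of tokens) {
    if (DENIED_TOKENS.has(t)) {
      throw new Error(`sandbox token ${t} re-enables forced downloads or top navigation`);
    }
  }
  // allow-scripts plus allow-same-origin lets same-origin framed content
  // strip its own sandbox attribute; refuse it for an untrusted frame.
  if (tokens.includes('allow-scripts') && tokens.includes('allow-same-origin')) {
    throw new Error('allow-scripts with allow-same-origin defeats the sandbox');
  }
  return `<iframe src="${src}" sandbox="${tokens.join(' ')}" referrerpolicy="no-referrer"></iframe>`;
}

// Policy check for a template linter: given the value of an existing sandbox
// attribute (null when the attribute is absent), can the frame start a
// download in a browser that enforces allow-downloads?
function frameMayDownload(sandboxAttr) {
  if (sandboxAttr === null || sandboxAttr === undefined) return true; // unsandboxed
  const tokens = sandboxAttr.trim().split(/\s+/).filter(Boolean);
  return tokens.includes('allow-downloads');
}

module.exports = { forceDownload, hardenedIframe, frameMayDownload, DENIED_TOKENS };
```

To see the attacker side, host `forceDownload` in a page loaded through a plain `<iframe src=...>`: the browser saves the file without any click on the parent page. Replace the frame with the markup from `hardenedIframe` and the same script produces a cancelled download. The example covers only the download step; whether the saved file then runs is a separate question, which is the point the thread goes on to argue about.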
 

Minimalist

Level 6
Oct 2, 2020
253
For an ordinary user, automatic download of malware can be problematic. I guess that they should be educated not to open files that were not intentionally downloaded.

OTOH, drive-bys that exploit a weakness in software or the OS are harder to fight against (apart from regular patching), but it's also probably harder to stumble upon one of these.
 

shmu26

Level 85
Verified
Trusted
Content Creator
Jul 3, 2015
8,045
What makes you think it is rare? Do you have any data that supports this claim?

The reason I am asking is that this is not my experience at all. While dealing with infected systems on forums and customer's systems, drive-by-downloads are one of the major causes.

There are also not-so-old reports which indicate that this is still a major problem. E.g., this one from last year: Malvertising, Site Compromise, And A Status Report On Drive-by Downloads
And it is concluding with this remark:
Indeed, at the time of those articles, drive-by downloads were still a problem, but the issue was addressed. They tightened up the major browsers since then, and it is harder now to perform such an exploit.

I am not aware of any recent attacks on home users via drive-by downloads that ran without user intervention. If there were any recent attacks like this, please share a link.

Yes, it is a possible problem, like @silversurfer said, but AFAIK it is not a real-life threat to home users in the here and now.
 

struppigel

Moderator
Verified
Staff member
Apr 9, 2020
403
If there were any recent attacks like this, please share a link.

 

SecurityNightmares

Level 37
Verified
Jan 9, 2020
2,675
This shows exactly that a drive-by download isn't magic:
[image: Adrozek attack chain (Fig. 4)]


Also:
Microsoft Defender Antivirus, the built-in endpoint protection solution on Windows 10, blocks this threat using behavior-based, machine learning-powered protections. For enterprises, Microsoft 365 Defender provides deep visibility into malicious behaviors.
With a secured system like SRP provides, such attacks never work.
 

shmu26

Level 85
Verified
Trusted
Content Creator
Jul 3, 2015
8,045
I see no evidence that the malware executes without the user actually running the download.
What I do see is that it disguises itself as an ordinary program that the user installed or that came along with his operating system, so he might inadvertently run the program, as illustrated in the above post by @SecurityNightmares. That is pretty nasty, but it's not the same thing as an auto-executing download.

I still claim that it is quite rare to see a case where a user visits a website, and malware is downloaded and executed without user intervention. At the end of the day, you gotta click on it, or it just won't run.
 

Andy Ful

Level 69
Verified
Trusted
Content Creator
Dec 23, 2014
5,883
I think that both @shmu26 and @struppigel can be right. There are many people who use an unpatched system/software and vulnerable browser plugins. In such a case, the malware can escape from the web browser and infect the system without user interaction. But there is no worry otherwise.
Of course, there is still a very rare possibility of such an attack via 0-day exploit, but the chances for that are many times lower compared to other threats.
 

Minimalist

Level 6
Oct 2, 2020
253
I see no evidence that the malware executes without the user actually running the download.
What I do see is that it disguises itself as an ordinary program that the user installed or that came along with his operating system, so he might inadvertently run the program, as illustrated in the above post by @SecurityNightmares. That is pretty nasty, but it's not the same thing as an auto-executing download.

I still claim that it is quite rare to see a case where a user visits a website, and malware is downloaded and executed without user intervention. At the end of the day, you gotta click on it, or it just won't run.
When I read reports and articles about drive-bys, they almost never mention whether the malware had to be manually executed or whether it ran by itself (exploiting something). For me that is a big difference, so I always take such reports with a grain of salt.
 

struppigel

Moderator
Verified
Staff member
Apr 9, 2020
403
I see no evidence that the malware executes without the user actually running the download.

Your claim was this:

Drive-by downloads are getting rarer and rarer.

This is what the article states.

[image: screenshot of the quoted article]


You asked for evidence, then, after I provided evidence, changed your claim, refuse to cite any sources on your own and keep spreading information that is harmful because it will lead to people being too trusting of clicking on links.
I won't discuss with you anymore at this point.
 

upnorth

Moderator
Verified
Staff member
Malware Hunter
Jul 27, 2015
4,288
Wow! It's very obvious that some people in this thread both haven't actually read the main source from Emsisoft and also clearly can't grasp the basic concept of malware and infections. Let me try to help and explain for those who are interested.

Emsisoft is a very well-known professional party in the cyber-security landscape, no matter what one might think or feel about them. The same goes for Gdata, and for those of you who don't know, member @struppigel is a 100% professional, genuine malware analyst who works with Gdata, so I can highly recommend listening to what he says.

The topic title in this thread lacks one very important part, Emsisoft's own stated answer:
yes: you can get malware just from visiting a website.
This is neither new nor in any way old. Even here on MT, reports/articles constantly get posted in many sections. In this small thread alone, 3 links have already been posted. Please try to read those, as it's useless to flood this thread with more when not even 1 is enough, when it should be!

Here is another basic ABC explanation of how drive-by attacks work.

[image: How a drive-by attack happens]


Full source:
 

plat1098

Level 24
Verified
Sep 13, 2018
1,337
Meh, malware infections are still mostly crimes of opportunity.

The article teaches one a few things but can be a little uncomfortable, maybe prodding one to re-examine one's security setup. Fundamentally, it's a marketing tool. albeit an informative one. That's neither good nor bad, it just is.

I place the highest priority on updating all the resident software, as Andy Ful and SecurityNightmares said. It's that important. It's how I got a Flash Player exploit a few years ago, by carelessly opening a browser before updates were applied (yeah, Flash Player was embedded back then). Totally my fault and lesson learned. But certainly the risk was lowered when certain plugins like Flash and Java were deprecated in later Windows 10 builds.
 

shmu26

Level 85
Verified
Trusted
Content Creator
Jul 3, 2015
8,045
Your claim was this:

Drive-by downloads are getting rarer and rarer.

This is what the article states.

[image: screenshot of the quoted article]

You asked for evidence, then, after I provided evidence, changed your claim, refuse to cite any sources on your own and keep spreading information that is harmful because it will lead to people being too trusting of clicking on links.
I won't discuss with you anymore at this point.
Hi there, I didn't actually change my claim. You only quoted the first, and less important, part of my original claim. In my subsequent posts, I did emphasize what I considered the more important point: that malware usually doesn't execute on its own after downloading. I could have copied and pasted a few links about improvements in browser security, but I preferred to emphasize the main point.

I do agree with your assertion that people should be very careful what they click on, and I never lead people to let down their guard. However, some people are so paranoid about drive-by downloads that they can't live without Sandboxie. I think that's going too far.
 

DDE_Server

Level 22
Verified
Sep 5, 2017
1,092
Meh, malware infections are still mostly crimes of opportunity.

The article teaches one a few things but can be a little uncomfortable, maybe prodding one to re-examine one's security setup. Fundamentally, it's a marketing tool. albeit an informative one. That's neither good nor bad, it just is.

I place the highest priority on updating all the resident software, as Andy Ful and SecurityNightmares said. It's that important. It's how I got a Flash Player exploit a few years ago, by carelessly opening a browser before updates were applied (yeah, Flash Player was embedded back then). Totally my fault and lesson learned. But certainly the risk was lowered when certain plugins like Flash and Java were deprecated in later Windows 10 builds.
I am interested to know what the consequences of your careless action of opening the outdated browser were. What happened, and what was the lesson learned?
 