Q&A Drive-by downloads: Can you get malware just from visiting a website?

plat1098

Level 24
Verified
Sep 13, 2018
1,337
Nothing, no consequences. HitmanPro.Alert blocked this completely.

The lesson was to keep all software updated, everything. I learned it the best way: not by someone preaching and yapping at me to DO this or DO that but by an actual, tangible experience. Plus, I think much of the risk is lowered nowadays by the outright removal of specific browser plugins, as I said above.

Not that I would wish this on anyone but the "best" kick in the pants to stop being complacent and stubborn is a mere whiff of this nasty stuff. But there are exceptions and some simply can't update and can't afford newer devices. It's a tough call sometimes and you have to do you first.

By the way, it's nice of Emsi to provide this kind of info, pls don't misread my intentions. But it's also helpful to be more aware of what your actual threat model is.
 

Spawn

Administrator
Verified
Staff member
Jan 8, 2011
21,152
In cybersecurity, each slice of cheese in the Swiss cheese model represents a layer of protection. The more slices of cheese you have, the greater the chance of stopping malware before it can infect your system. Combining multiple security technologies that address vulnerabilities on both a network and end-user level is crucial for ensuring that all attack vectors are secured, and that threats can be identified and remediated if prevention is not possible.
Link: How we use the Swiss cheese model to prevent malware infections | Emsisoft | Security Blog
 

roger_m

Level 33
Verified
Content Creator
Dec 4, 2014
2,251
@struppigel It has been my experience over many years that it is exceptionally rare to get infected just by visiting a website. I'm not talking about getting infected by manually opening a file that was downloaded, but getting infected without having to open any files. The only time I've ever been infected just by visiting a website, was on a system that was running outdated versions of Java and Flash, and that happened many years ago. I spend many hours surfing the web, with an ad-blocker being the only form of web protection I use. I fairly often visit random websites, which I know nothing about, that could potentially be harmful. Despite this, I only get infected when I manually launch an infected file. Sometimes I encounter websites which want me to download some random exe files, which no doubt are harmful or can download and install some third party software. But in order for me to get infected in these instances, it would require me to actually download and execute the files. Don't get me wrong, I'm not trying to be dismissive of your professional experience, but this has been my experience over many years.

I'd be interested to see some data specifically about infections that occur just by visiting websites on computers that are kept updated, rather than drive-by downloads which require the user to open them to infect the system.
 

zoran popovic

Level 4
Sep 26, 2019
165
 

Andy Ful

Level 69
Verified
Trusted
Content Creator
Dec 23, 2014
5,883
@struppigel is right by saying that drive-by downloads are not so rare. This also follows from the article mentioned in his post. So the answer to the OP is YES. One can get malware when visiting a website, even on updated Windows 10 with an updated web browser. But, the malware will not infect the system without user interaction, except when something is exploited. The danger follows from the fact that the attack can be easily done from a trusted website, for example via malicious Ads. So most people will follow the attacker's instructions and infect the system anyway.
 

struppigel

Moderator
Verified
Staff member
Apr 9, 2020
403
@struppigel It has been my experience over many years that it is exceptionally rare to get infected just by visiting a website. I'm not talking about getting infected by manually opening a file that was downloaded, but getting infected without having to open any files. The only time I've ever been infected just by visiting a website, was on a system that was running outdated versions of Java and Flash, and that happened many years ago. I spend many hours surfing the web, with an ad-blocker being the only form of web protection I use. I fairly often visit random websites, which I know nothing about, that could potentially be harmful. Despite this, I only get infected when I manually launch an infected file. Sometimes I encounter websites which want me to download some random exe files, which no doubt are harmful or can download and install some third party software. But in order for me to get infected in these instances, it would require me to actually download and execute the files. Don't get me wrong, I'm not trying to be dismissive of your professional experience, but this has been my experience over many years.

I'd be interested to see some data specifically about infections that occur just by visiting websites on computers that are kept updated, rather than drive-by downloads which require the user to open them to infect the system.

Hi. @shmu26 and me had a misunderstanding, which we resolved via PM. One lesson for me is that we do need to get our terminology clear before discussing. So let me do this first to avoid further misunderstandings.
Drive-by download means: The download is executed on its own. The downloaded file not necessarily.
When @shmu26 referred to "drive-by downloads that ran without user intervention" he meant the downloaded file is executed without user intervention whereas for me it meant the download is executed (happens) without user intervention.

A drive-by download that also executes the downloaded file on its own is more rare, yes, because the attack surface is lower. Most have some portion of social engineering to make the latter happen.

One word of caution, though: I have no hard data on this, this is only based on what I have seen during my work. There are recent campaigns, e.g., the malware in this one from 2 months ago, which will automatically check whether the browser can be exploited to also execute the downloaded file. So depending on the vulnerabilities of the affected system, the very same malware site will either require you to click or execute the downloaded file on its own.

Whether you call that rare depends on how you count it.
Are they actively used? Yes.
Does it affect updated systems and browsers? Hardly.
Are outdated systems common? Unfortunately more than we'd like.
 

cruelsister

Level 38
Verified
Trusted
Content Creator
Apr 13, 2013
2,732
Speaking of drive-bys, looks like our old friends from the DPRK (I'll bet the Lazarus Group who were responsible for the Zinc Malware Chrome browser exploit a couple of months ago) are at it again.

Seems they are trying to start a new one with a fake security company (SecuriElite-dot-com). The website is currently devoid of any exploits and is being blocked by everyone and their cat, but expiring minds want to know if there were any initial infections prior to things being toned down.
 

Andy Ful

Level 69
Verified
Trusted
Content Creator
Dec 23, 2014
5,883
The nasty thing related to drive-by downloads is that a user can download & execute only safe files and still the malicious code can be executed without user (direct) interaction. For example, this can be done when the hacked/malicious website will drop a malicious DLL into the User Downloads folder and the user will download and execute a legal file (usually digitally signed) vulnerable to DLL hijacking. This method can still be detected by standard AV modules (signatures, heuristics, behavior-based) but it will bypass most anti-exe solutions and many protections based on EXE reputation/sandbox Cloud lookup (Windows Smartscreen Application Reputation, Avast/AVG Hardened Mode and CyberCapture, etc.). Also using Virus Total and online Sandboxes to check the downloaded EXE file will not help. Some reputation-based solutions (like Norton Download Insight) can stop such attacks. Also, some other AVs can be configured to do so (Kaspersky, Comodo, etc.).
 

wat0114

Level 2
Apr 5, 2021
90
For example, this can be done when the hacked/malicious website will drop a malicious DLL into the User Downloads folder and the user will download and execute a legal file (usually digitally signed) vulnerable to DLL hijacking.

Hi Andy,

is there a threat you know of currently in circulation doing this, and is there an analysis on it somewhere? I'm curious because I like to read up on these threats.
 

Andy Ful

Level 69
Verified
Trusted
Content Creator
Dec 23, 2014
5,883
Hi Andy,

is there a threat you know of currently in circulation doing this, and is there an analysis on it somewhere? I'm curious because I like to read up on these threats.
I have not heard about widespread threats of this kind. If they are used then most probably in the targeted attacks on Enterprises, like most of such attacks. There are more popular methods based on DLL hijacking and they are still very effective, so there is no need for attackers to use something new (until they change their minds).
 

wat0114

Level 2
Apr 5, 2021
90
I have not heard about widespread threats of this kind. If they are used then most probably in the targeted attacks on Enterprises, like most of such attacks. There are more popular methods based on DLL hijacking and they are still very effective, so there is no need for attackers to use something new (until they change their minds).

Thanks for the link, Andy. I guess the most important bit I took from the article was: "Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL". I suppose this would be more of an enterprise-type attack.

I think drive-bys are probably very difficult to successfully pull off on the home user if the software is kept up to date, especially browsers, plugins kept to bare necessary only, and they are running AV and smartscreen filtering. Add in a good ad blocker, especially one that will actually block 3rd-party scripts and iframes, and you're closer to bulletproof. All else such as SRP, OS hardening techniques, HIPS is all icing on the cake and maybe even overkill depending on the implementation.

In Linux (Debian, dual-booted with Windows 10 Pro) I have all network-listening services, my web browsers and email client confined with quite strict AppArmor policies. Probably overkill but it was fun to set up and just as much fun to maintain. [attached screenshot: AppArmor-confined network services]
 

Andy Ful

Level 69
Verified
Trusted
Content Creator
Dec 23, 2014
5,883
I think drive-bys are probably very difficult to successfully pull off on the home user if the software is kept up to date, especially browsers, plugins kept to bare necessary only, and they are running AV and smartscreen filtering. Add in a good ad blocker, especially one that will actually block 3rd-party scripts and iframes, and you're closer to bulletproof. All else such as SRP, OS hardening techniques, HIPS is all icing on the cake and maybe even overkill depending on the implementation.
Unfortunately, most people do not block 3rd party scripts and iframes. Many people do not use any Adblocker. Most people are also vulnerable to social engineering techniques, especially when visiting trusted websites.
So, they are still vulnerable to drive-by downloads even on updated Windows 10 with an updated web browser.
But, this vulnerability is currently used when the target can be also exploited to execute the payload. Many such attacks are prevented by web protection features of web browsers and AVs. So, in the end, successful attacks against the home users on Windows 10 (updated system/software) are very rare.
 

wat0114

Level 2
Apr 5, 2021
90
Here is a quick test.


It's just copying files to those directories. No execution of anything that I can see. If I simply execute the following instead:

Code:
%windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe

OSArmor prevents cmd.exe from executing powershell.

Edit

after some more thought, I guess the test is just illustrating that malicious files could be dropped into userspace directories if they escape detection from AV and whatnot, and the malicious library could be loaded so that's obviously not a good thing.
 

porkpiehat

Level 6
May 30, 2015
277
It's just copying files to those directories. No execution of anything that I can see. If I simply execute the following instead:

Code:
%windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe

OSArmor prevents cmd.exe from executing powershell.

Edit

after some more thought, I guess the test is just illustrating that malicious files could be dropped into userspace directories if they escape detection from AV and whatnot, and the malicious library could be loaded so that's obviously not a good thing.
BUGGER!
Same here... Comodo contains the powershell.exe.
 

Andy Ful

Level 69
Verified
Trusted
Content Creator
Dec 23, 2014
5,883

@wat0114, @porkpiehat

The below test:
Code:
rem copy PowerShell into the roaming profile under a new name
copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe
rem place a copy of amsi.dll next to it (the EXE's own directory is searched first)
copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
rem run the renamed PowerShell; it picks up the adjacent amsi.dll rather than the System32 one
%APPDATA%\updater.exe -Command exit

requires Command Prompt. PowerShell is not executed at all.
Simply open Command Prompt and paste/execute the code.
OSA blocks this in another way:

[attached screenshot]
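To make explicit what the copy-amsi.dll-next-to-updater.exe test above, Andy Ful's earlier Downloads-folder scenario and the "remote DLL preloading" quote all rely on, here is an added example (not code from the thread or from any of the tools mentioned) that models the default Windows DLL search order in Python and then scans user-writable folders for DLLs that shadow a System32 name. The directory listings, the user name "alice", the "tool.exe" directory and the KNOWN_DLLS set are constructed for the example; KNOWN_DLLS is an illustrative subset of the registry list, not the full one, and nothing is read from a real system.

```python
"""Model of the Windows DLL search order behind the amsi.dll / updater.exe test.

Added example, not code from the thread. Directory listings below are
constructed in memory; nothing is read from a real system, and KNOWN_DLLS is
an illustrative subset of the registry list, not the full one.
"""
import ntpath

# Illustrative subset of HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.
# Names on that list are mapped from the \KnownDlls section objects and never
# resolved through the search path, so a same-named copy next to the EXE is ignored.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll",
              "ole32.dll", "rpcrt4.dll", "shell32.dll", "combase.dll"}

SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"
WINDIR = r"C:\Windows"


def search_order(app_dir, cwd, path_dirs, safe_search=True):
    """Directories Windows walks for a DLL named only by file name (no path).

    With SafeDllSearchMode on (the default), the current directory is searched
    after the system directories; with it off, straight after the EXE's own
    directory. The EXE's directory comes first either way, which is why a
    copy of amsi.dll beside updater.exe wins over the one in System32.
    """
    system_dirs = [SYSTEM32, SYSTEM16, WINDIR]
    if safe_search:
        order = [app_dir] + system_dirs + [cwd]
    else:
        order = [app_dir, cwd] + system_dirs
    return order + list(path_dirs)


def resolve_dll(name, listing, app_dir, cwd, path_dirs=(), safe_search=True):
    """Return the full path the loader would pick for `name`, or None.

    `listing` maps a directory to the set of lower-case file names it holds
    (constructed for the example; a real check would use os.listdir).
    """
    name = name.lower()
    if name in KNOWN_DLLS:
        # Known DLLs bypass the search entirely.
        return ntpath.join(SYSTEM32, name)
    for d in search_order(app_dir, cwd, path_dirs, safe_search):
        if name in listing.get(d, set()):
            return ntpath.join(d, name)
    return None


def find_planted_dlls(listing, user_dirs):
    """Flag DLLs in user-writable folders that shadow a System32 DLL name.

    These are the candidates a file dropped into Downloads or AppData could
    use to ride along with a signed EXE run from the same folder. Known DLLs
    are skipped because they cannot be hijacked through the search path.
    """
    system_names = listing.get(SYSTEM32, set())
    hits = {}
    for d in user_dirs:
        shadow = sorted(n for n in listing.get(d, set())
                        if n.endswith(".dll") and n in system_names
                        and n not in KNOWN_DLLS)
        if shadow:
            hits[d] = shadow
    return hits


# Constructed listing mirroring the thread's test plus a dropped file in Downloads.
APPDATA = r"C:\Users\alice\AppData\Roaming"      # hypothetical user profile
DOWNLOADS = r"C:\Users\alice\Downloads"
TOOL_DIR = r"C:\Program Files\Tool"              # hypothetical signed tool
LISTING = {
    SYSTEM32: {"amsi.dll", "version.dll", "kernel32.dll", "ntdll.dll", "user32.dll"},
    APPDATA: {"updater.exe", "amsi.dll", "kernel32.dll"},
    DOWNLOADS: {"setup.exe", "version.dll"},
    TOOL_DIR: {"tool.exe"},
}

if __name__ == "__main__":
    # updater.exe (the renamed powershell.exe) resolves the amsi.dll beside it
    print(resolve_dll("amsi.dll", LISTING, app_dir=APPDATA, cwd=DOWNLOADS))
    # a kernel32.dll copy next to it is ignored: Known DLL
    print(resolve_dll("kernel32.dll", LISTING, app_dir=APPDATA, cwd=DOWNLOADS))
    # a tool started with Downloads as its current directory, safe vs. unsafe search mode
    print(resolve_dll("version.dll", LISTING, app_dir=TOOL_DIR, cwd=DOWNLOADS))
    print(resolve_dll("version.dll", LISTING, app_dir=TOOL_DIR, cwd=DOWNLOADS, safe_search=False))
    print(find_planted_dlls(LISTING, [APPDATA, DOWNLOADS]))
```

The two version.dll lookups show the point wat0114 quoted about the current directory: with SafeDllSearchMode on, the Downloads copy loses to System32; with it off (or with the EXE itself sitting in Downloads, as in Andy Ful's scenario), the dropped file is what gets loaded. On a real machine, replace the constructed LISTING with os.listdir over the user's Downloads and AppData folders and the real System32 contents; the shadow check is the same.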
 