Examination of a “Drive-by-Download” Many Security Professionals Get this Wrong – It’s a type of Social Engineering


Basic Definition:

Drive-by downloads are a type of social engineering which happens when visiting a website and you are prompted for a download without initiating it, when viewing an e-mail message with software that allows javascript to run, by clicking on a deceptive pop-up window that prompts you to install the latest version of flash and you click yes, or no and both or just yes result in a download prompt for an executable. In such cases, the “supplier” may claim that the user “consented” to the download if only delivering on the yes button being clicked, the user was unaware of having started an unwanted or malicious software download as they were deceived by social engineering.

Very Common Misconception:

When you are browsing a website a hacker has uploaded an executable or inserted an iframe with a download link to the file and when they visit the website a file is downloaded in the background without them authorizing it or even seeing it. This happens behind the scenes and executes. This is the old definition, the definition has shifted with the times, if it were that easy to get malware or adware onto a victims machine everyone and their mother would be hosting malware at an astronomical rate. Now this definition had a short time period where that was actually possible in some very early browsers or if a user changes their security settings to automatically download and run any file without question and answer any request it received, but the attacker would still have to rely on the victim willingly opening that file if those settings were not enabled. It’s not 1995 anymore, browsers are smarter, people are still gullible and incompetent though.

For a user to land on a website and have an executable download and run in the background without their knowledge would require them to be exploited. An exploit kit that has loaded exploits for 0day versions of Java or Flash for example may have injected an iframe into your favorite site and when you visit that site you will trigger the exploit kit process which must then exploit a vulnerable piece of software installed on your machine, once it successfully does that it can then request that an executable be downloaded (which will in fact happen behind the scenes) and be installed. You will at that time be hosting malware unless your AV has really good anomaly or behavioral based detection mechanisms as the signature portion will most likely fail as malware writers modify their malicious binaries daily and run them against AV to make sure they aren’t detected. Once the malware becomes known and samples are obtained your AV provider will issue out a signature to prevent future occurrence.

99% of drive-by-downloads result in the download of what is known as “adware” or “PUPs” (Possibly unwanted programs) not “malware” as most of their infrastructure is located in the United States and they seek to profit from your download without risking a lawsuit. Therefore, groups delivering drive-by-download software try to take measures to legalize their extremely shady practices. Most commonly you will see a site that will tell you your version of Java or Flash is out of date and you need to upgrade right now, they will inform you to click an install or download link which is packed with adware. They will typically have a very small disclaimer as well which if you read will explain vaguely what you are really downloading.

Let’s review a common example I see routinely of what a true drive-by-download looks like:

I visit a bittorrent site and do a search for a file, a pop-under or new tab opens in my browser simultaneously for a site hosting a drive-by-download:

drive-by-download landing page

If red flags are not going off in your head, something is wrong, check the URL, does it even make sense? Google the domain name, you’ll get your answer right off the bat of what you have landed on or what has loaded. Legitimate software companies do not market software in this manner. You should be thinking why would google be advertising with pop-under windows with a domain secureopensoftware.com – do the math, think logically before proceeding.

Next step of the drive-by-download:

drive-by-download landing page

 ty.org/wp-content/uploads/2015/07/download-page1-300×176.png 300w, http://www.computersecurity.org/wp-content/uploads/2015/07/download-page1-1024×601.png 1024w, http://www.computersecurity.org/wp-content/uploads/2015/07/download-page1-660×387.png 660w, http://www.computersecurity.org/wp-content/uploads/2015/07/download-page1.png 1533w” sizes=”(max-width: 1533px) 100vw, 1533px” />

From the first page that I landed on I clicked the X box to close the window, and clicked “no” I don’t want to update my software, but yet, here it comes anyway, if you spot the license agreement you will see that even that state that they are in know way affiliated with Google Chrome, yet they are using the copyrighted image on the download page.

Example after closing the download window, you’ll see another fraudulent statement “Manufacturer: Google” which most certainly is not.


Clicking ok on the download or the install button will result in this:


As you can see, they are ready to ship me an application to install, I edited the image slightly as there are some folders and directory mappings I would like to remain private. So, the site hosting the download really wants to make sure I run the program as soon as possible, look what happens after I download the file:

incentive to open

Like I wouldn’t know how to run a file I just downloaded, this type of drive-by-download is extremely successful when targeting young individuals who don’t know any better and older users who don’t understand how the internet works.

The other type of drive-by-download you will rarely see these days is when you land on a page and it immediately prompts you for the download, they haven’t even taken the time to craft a fake misleading website, they have simply created a link such as http://blah/blah.exe so when you hit that page a prompt will come up for download – this is less seen because legally speaking they have not afforded the user with any type of risk or acceptance to such a request and law enforcement would have a much easier time going after those hosting such files. In the above case, they have weak legal grounds to stand on because they can claim that you read the license agreement and willingly downloaded the file and installed it. DON’T BE A VICTIM – THESE GROUPS AND THESE TACTICS NEED TO STOP, YOU CAN HELP THAT FIGHT BY NOT BECOMING A STATISTIC.

Leave a Comment