Drive-by download refers to attacks that automatically download malware to a user's computer without their knowledge or consent. In these attacks the web browser is subverted by malicious content, and attackers commonly use the technique to install malware silently. Figure 1 shows the typical sequence of events in a drive-by download attack.

Published (Last):20.09.2016

Drive By Attack Pdf

Fig. 1: Drive-by-Download Attack. Dangerous payload types delivered in such attacks: pdf, swf, java, executable.

Understanding the Explosion

Before we explore drive-by downloads in more detail, it is useful to understand how this type of attack has exploded in recent years. It is also helpful to understand that the same malware (viruses, spyware, Trojans, bots, rootkits, and fake security software) can be, and often is, delivered in different ways: sometimes by e-mail, sometimes by visiting a Web page, sometimes by other methods. Drive-by malware delivery is of increased appeal to cybercriminals simply because it is, in general, a more stealthy form of infection that results in more successful attacks. Figure 1 shows data from ScanSafe, a company that tracks Web-based malware threats, and illustrates how the impact on businesses has shifted from e-mail to Web and IM during the decade beginning in

Figure 1 — Evolving Malware Delivery Methods

According to more recent data from ScanSafe, 74 percent of all malware spotted in the third quarter of came from visits to compromised Web sites.

This continues to be a major source of malicious activity online, but more recently hackers have compromised legitimate Web sites and either secretly planted exploit scripts or inserted redirect code that silently launches attacks via the browser.

Anatomy of a Drive-by Attack

One high-profile Web site compromise in provides a glimpse at how drive-by downloads are launched against computer users.

See Figure 4.

Drive-by Downloads. The Web Under Siege

If an exploit was successful, a Trojan was silently installed that gave the attacker full access to the compromised computer. The attacker could later take advantage of the compromised computer in order to steal confidential information or to launch DoS attacks.

The Bank of India compromise combined JavaScript obfuscation, multiple iFrame redirect hops, and fast-flux techniques to avoid detection and to keep malicious servers online during the attack. Figure 5 shows a screenshot of the compromised Bank of India site with the malicious script used to launch the drive-by download attack.
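As an added illustration (not code from the whitepaper), the following Python scans page HTML for the two indicators just described, hidden redirect iframes and obfuscated inline script; the sample page and the pattern thresholds are constructed assumptions, not the actual Bank of India injection.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: one hidden redirect iframe, one obfuscated script, one ordinary visible ad iframe.
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<iframe src="http://redirect.example/in.cgi?3" width="0" height="0" style="visibility:hidden"></iframe>
<script>eval(unescape("%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%27%29"))</script>
<iframe src="http://partner.example/ad" width="300" height="250"></iframe>
</body></html>"""

# Heuristics for common obfuscation styles (eval/unescape chains, long escape or char-code runs); thresholds are assumptions.
OBFUSCATION_PATTERNS = [
    ("eval_unescape", re.compile(r"eval\s*\(\s*unescape\s*\(")),
    ("long_percent_escape", re.compile(r"(?:%[0-9a-fA-F]{2}){16,}")),
    ("fromcharcode_run", re.compile(r"String\.fromCharCode\s*\((?:\s*\d+\s*,){8,}")),
]

def score_script(body):
    # One finding per obfuscation pattern present in the script body.
    return [("obfuscated_script", name) for name, pat in OBFUSCATION_PATTERNS if pat.search(body)]

class DriveByIndicatorParser(HTMLParser):
    # Flags hidden iframes and obfuscated inline scripts while walking the HTML.
    def __init__(self):
        super().__init__()
        self.findings = []
        self._script = None  # collects text chunks while inside <script>
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            hidden = (a.get("width", "").strip() in ("0", "0px")
                      or a.get("height", "").strip() in ("0", "0px")
                      or "visibility:hidden" in style or "display:none" in style)
            if hidden:
                self.findings.append(("hidden_iframe", a.get("src", "")))
        elif tag == "script":
            self._script = []
    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            self.findings.extend(score_script("".join(self._script)))
            self._script = None

def scan_html(html):
    # Returns a list of (indicator, detail) findings for the page.
    p = DriveByIndicatorParser()
    p.feed(html)
    p.close()
    return p.findings
```

Such heuristics only surface candidates for review; a legitimate tracking pixel can also be a zero-size iframe, so findings should be correlated with the destination URL and the page's known content.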

In its tracking of Web-based malware threats, ScanSafe reported that by the middle of , the majority of malware was being found on legitimate sites. Approximately 31 percent of all malware threats in September were zero-day malware threats. A zero-day threat is one for which no patch exists. The risk of backdoors and password stealing Trojans increased percent in September compared to January Attackers also are known to have used poisoned third-party advertising servers to redirect Windows users to rogue servers that are hosting drive-by downloads.

These malicious ads (malvertisements) are typically Flash-based and exploit unpatched desktop applications.

Exploit Kits

Malware exploit kits serve as the engine for drive-by downloads. These kits are professionally written software components that can be hosted on a server with a database backend. Identity thieves and other malware authors download exploit kits and deploy them on a malicious server. Several targeted exploit kits are fitted only with attack code for Adobe PDF vulnerabilities or known flaws in ActiveX controls.

Code to redirect traffic to that malicious server is then embedded on Web sites, and lures to those sites are spammed via e-mail or bulletin boards. Once the target operating system is fingerprinted, the exploit kit can determine which exploits to fire. In some cases, several exploits can be sent at the same time, attempting to compromise a machine via third-party application vulnerabilities.

Some of the more sophisticated exploit kits are well maintained and updated with software exploits on a monthly basis. The kits come with a well-designed user interface that stores detailed data about successful attacks.

Figure 6 shows the variety of exploits contained in a single exploit kit intercepted during a JavaScript redirect attack. This example illustrates the popularity of exploits in Microsoft software, but also helps to illustrate how other software is simultaneously exploited to potentially increase the value of the exploit kit to cybercriminals. A ransomware attack is a good example.

Unitrends, an American company specialising in backup and business continuity solutions, recently shared with us a real cyber-attack incident that happened to one of their customers, describing the steps required to recover functionality following a CryptoLocker attack against a US city. According to Forbes, the city is the 2nd fastest growing suburb in the state of Washington.

John's team manages all technology: phones, networks, servers, desktops, applications and cloud services. The city has only two IT staff dedicated to infrastructure. They continued to stumble along until they were hit with a CryptoLocker ransomware attack.

The Infection

Below is the complete story John shared with us:

In the final analysis, we believe the ransomware attack originated from a "drive-by" where a single city employee visited and opened a.

It could have been sitting on the hard drive for weeks looking like a.

This ransomware appeared to disable our anti-virus systems, and is known to remove all traces once finished. This virus ran only in PC memory and did not turn up on any other devices in our system. It only attacked Microsoft Office, image,.

It stopped encrypting files once the PC was restarted in safe mode. The lack of propagation could have been a result of either the virus being designed to reside solely in memory to prevent triggering alarms or because our anti-virus software intercepted it at other devices as it attempted to propagate.

The physical server that hosted the file also hosted five critical virtual application servers. After careful analysis, it was determined these were not compromised.

We immediately moved these virtual machines onto a different host. This was done prior to kicking off the server restore to reduce processor and NIC load on the file server host.

When we began the file server restore process it quickly became apparent it would take a long time… four days as it turned out. A quick analysis revealed we had no other options to restore the file server.

The backup.