Drive-by Download
Unintentional download of malware simply by visiting a compromised or malicious website.
Also known as: Drive-by Attack
Category: Concepts
Tags: security, attacks, malware, web-security, browsers
Explanation
A drive-by download is a malware delivery technique in which malicious software is downloaded, and usually executed, on a user's device without the user's knowledge or explicit consent. The attack is triggered simply by visiting a compromised or malicious web page; no interaction beyond navigating to the site is required.
Drive-by downloads exploit vulnerabilities in web browsers, browser plugins (historically Flash, Java, and PDF readers), or the operating system itself. Attackers inject malicious code into legitimate websites through compromised ad networks (malvertising), stored cross-site scripting vulnerabilities, or by compromising the site directly. When a vulnerable browser loads the page, an exploit kit probes for weaknesses and serves a payload matching what it finds.
The attack chain typically runs as follows: the user visits a compromised page; a hidden iframe or injected JavaScript redirects the browser to an exploit kit landing page; the kit fingerprints the browser, its plugins and their versions; an exploit matching a known-vulnerable component is served; and the malware payload is downloaded and executed with no visible prompt. Exploit kits such as Angler (active until 2016), RIG, and Magnitude industrialized this process, selling access to the infrastructure as a service to other criminals.
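The first link in that chain, the injected hidden iframe or obfuscated redirect stub, is what a site owner or incident responder looks for when checking whether a page has been weaponized. The following scanner is an added example written for this page, not code from the original or from any exploit kit or security product. It uses regex-based tag parsing so it runs under plain Node without a DOM library; the site hostname, IP address, domains and sample HTML are all constructed for the example, and the heuristics (hidden or off-screen iframe pointing off-site, inline script with two or more decode-and-execute indicators) are one reasonable choice, not a standard.

```javascript
// Added example (not from the original page): scan a page's HTML for the
// injection pattern that funnels visitors to an exploit kit: a hidden or
// off-screen <iframe> pointing at a third-party host, or an inline script
// that decodes and executes an obfuscated redirect. Parsing is regex-based
// so it runs under plain Node without a DOM library. Sample HTML, hostnames
// and the IP address below are constructed for the example.

const SITE_HOST = "example-shop.test"; // constructed: the site being scanned

const SAMPLE_PAGE_HTML = `
<html><body>
<h1>Welcome</h1>
<!-- legitimate: same-origin and visible -->
<iframe src="/help/widget.html" width="300" height="200"></iframe>
<!-- third-party but visible: not flagged on its own -->
<iframe src="https://cdn.example-shop.test/promo" width="300" height="200"></iframe>
<!-- classic injection: 1x1, hidden, raw IP, .php gate -->
<iframe src="http://198.51.100.23/gate.php" width="1" height="1" style="visibility:hidden"></iframe>
<!-- off-screen injection with a protocol-relative URL -->
<iframe src='//evil-lander.test/land.php' style="position:absolute; left:-9999px; top:-9999px"></iframe>
<!-- obfuscated inline loader -->
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65'));</script>
<script src="/js/app.js"></script>
</body></html>`;

// Parse the attributes of one tag body into a lowercase-keyed object.
function parseAttrs(tagBody) {
  const attrs = {};
  const re = /([a-zA-Z:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Heuristics for an iframe the visitor is not meant to see.
function isHidden(attrs) {
  const style = (attrs.style || "").toLowerCase().replace(/\s+/g, "");
  const w = parseInt(attrs.width, 10);
  const h = parseInt(attrs.height, 10);
  return (
    /display:none/.test(style) ||
    /visibility:hidden/.test(style) ||
    /(?:width|height):0(?:px)?(?:;|$)/.test(style) ||
    /(?:left|top):-\d{3,}/.test(style) || // pushed off-screen
    (!Number.isNaN(w) && w <= 1) ||
    (!Number.isNaN(h) && h <= 1)
  );
}

// Resolve src against the site and decide whether it leaves the site's host.
// Subdomains count as external here; adjust to the site's real asset hosts.
function isExternal(src, siteHost) {
  try {
    return new URL(src, `https://${siteHost}/`).host !== siteHost;
  } catch {
    return false; // unparsable src: leave it for a manual look
  }
}

function findSuspiciousIframes(html, siteHost) {
  const findings = [];
  const re = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    const src = attrs.src || "";
    if (isHidden(attrs) && isExternal(src, siteHost)) {
      findings.push({ src, reason: "hidden iframe to external host" });
    }
  }
  return findings;
}

// Inline scripts that decode-then-execute are the usual redirect stub.
// Requiring two indicators keeps a lone document.write() from firing.
const OBFUSCATION_INDICATORS = [
  /\beval\s*\(/,
  /\bunescape\s*\(/,
  /String\.fromCharCode/,
  /document\.write\s*\(/,
];

function findSuspiciousScripts(html) {
  const findings = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const body = m[2];
    const hits = OBFUSCATION_INDICATORS.filter((p) => p.test(body)).length;
    if (hits >= 2) findings.push({ snippet: body.slice(0, 60), indicators: hits });
  }
  return findings;
}

function scanPage(html, siteHost) {
  return {
    iframes: findSuspiciousIframes(html, siteHost),
    scripts: findSuspiciousScripts(html),
  };
}

console.log(JSON.stringify(scanPage(SAMPLE_PAGE_HTML, SITE_HOST), null, 2));
```

Run with `node scan.js` against saved page source. On the constructed sample it reports the two hidden off-site iframes and the `eval(unescape(...))` stub, while leaving the same-origin help widget and the visible CDN frame alone. In practice, feed it the HTML as fetched by a real browser user agent rather than by `curl`, because compromised sites often serve the injection only to visitors that look like a vulnerable browser.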
Protection requires a layered approach: keeping browsers and plugins updated, removing unnecessary plugins, using browsers with built-in exploit mitigations and sandboxing, deploying endpoint protection with behavioral analysis, implementing web filtering to block known malicious domains, and using script blockers or browser isolation. Network-level protections such as DNS filtering and intrusion prevention systems add further layers. Since mainstream browsers dropped NPAPI plugins and Flash reached end-of-life at the end of 2020, the plugin-based vectors have largely closed, which leaves the browser engine itself as the main target and makes prompt browser patching the single most effective control.