
DRIVE BY DOWNLOAD ATTACK
Computer and Web Security Project

Submitted by:

Mani Shrivastava F5 (9917103137)

Saavy Bansal F2 (9917103023)

Satyam Pandey F2 (9917103052)

Chaitanya Goel F5 (9917103146)

Under the supervision of

Dr. Himanshu Agrawal

November 2020

DEPARTMENT OF COMPUTER SCIENCE ENGINEERING

JAYPEE INSTITUTE OF INFORMATION TECHNOLOGY, NOIDA

TABLE OF CONTENTS

Topics Page No.


DECLARATION 3

MOTIVATION 4

WHAT IS A DRIVE-BY DOWNLOAD AND HOW DO THEY WORK? 5

SECURITY HOLES(VULNERABILITIES) 6

HOW A DRIVE-BY ATTACK WORKS(THREATS) 7

WHY DO ATTACKERS USE DRIVE-BY DOWNLOADS? 8

EXAMPLE OF DRIVE-BY DOWNLOAD ATTACKS 9

WHAT'S CAUSING THE SURGE IN DRIVE-BY DOWNLOADS? 10

PROTECTION AND PREVENTION FROM DRIVE-BY DOWNLOADS 11

SUMMARY 12

REFERENCES 13

DECLARATION

I/We hereby declare that this submission is my/our own work and that, to the best of my
knowledge and belief, it contains no material previously published or written by another
person nor material which has been accepted for the award of any other degree or
diploma of the university or other institute of higher learning, except where due
acknowledgment has been made in the text.

Signature:

Date: 03-12-20

Mani Shrivastava (9917103137)

Saavy Bansal (9917103023)

Satyam Pandey (9917103052)

Chaitanya Goel (9917103146)

Motivation:
Cybercrime causes massive problems for society – personally, financially and in matters of
national security. What makes cybercrime different from other types of crime is that it happens on a
large scale, with speed and in the background. By the time we realise, if we ever do, it’s already
too late. What starts as a hobby or a small attack may grow into a significant threat.

Because of the internet, cybercriminals have no limits, no boundaries, and no rules to obey. They
can be anyone – from a lone teenager to an organised crime group or a modern organisation,
some of them even operating 24/7. A drive-by download abuses insecure, vulnerable, or outdated
apps, browsers, or even operating systems.

Drive-by downloads are a common method of spreading malware. Cybercriminals look for
insecure web sites and plant a malicious script into the HTTP or PHP code on one of the pages. This
script may install malware directly onto the computer of someone who visits the site, or it may
take the form of an IFRAME that redirects the victim to a site controlled by the cybercriminals.
In many cases the script is obfuscated to make it more difficult for security researchers to
analyse the code. Such attacks are called ‘drive-by downloads’ because they require no action on
the part of the victim beyond simply visiting the compromised web site: victims are infected
automatically (and silently) if their computer is vulnerable in some way (e.g. if they have failed
to apply a security update to one of their applications).

What is a Drive-By Download and How Does It Work?

When a computer becomes infected with malicious software simply by visiting a website, it’s
known as a drive-by download. The industry calls this type of attack a “drive-by” download
because the user doesn’t have to stop or click anywhere on the malicious page. Simply viewing
the page is enough to cause the infection, which happens in the background and without the
user’s knowledge or consent.

In a drive-by download attack, criminals compromise a website, often a legitimate one, by
embedding or injecting malicious objects inside the web pages. The infections are invisible to the
user, and range from malicious JavaScript code to iFrames, links, redirects, malvertisements,
cross-site scripting, and other malicious elements. Attackers may also directly install a botnet
toolkit: a botnet application that performs actions like sending spam email or participating in
DDoS attacks.

When a user visits an infected web page, the user’s browser automatically loads the malicious
code, which immediately scans the victim’s computer for security vulnerabilities in the operating
system and other applications.
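The Motivation section and the paragraphs above describe the injected pieces a defender should look for on a compromised page: IFRAMEs that redirect the visitor elsewhere and obfuscated inline scripts. The following scanner is added here as an example and is not part of the original report; it uses only the Python standard library to flag those two patterns in a page's HTML. The sample page, the hostnames, the marker list and the scoring thresholds are constructed for illustration.

```python
"""Scan a web page's HTML for the injection patterns the report describes:
hidden IFRAMEs that pull content from another host, and inline scripts that
look obfuscated. Standard library only; the sample page below is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructs commonly combined in obfuscated loaders; each hit adds to a score.
OBFUSCATION_MARKERS = (
    r"\beval\s*\(",
    r"\bunescape\s*\(",
    r"String\.fromCharCode",
    r"\batob\s*\(",
    r"document\.write\s*\(",
)
# Hex, URL and unicode escape sequences: a wall of them is itself a signal.
ESCAPE_SEQ = re.compile(r"(\\x[0-9a-fA-F]{2}|%[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4})")
MIN_MARKERS = 2   # constructed threshold
MIN_ESCAPES = 20  # constructed threshold


def _is_hidden(attrs):
    """True when an iframe is sized or styled so a visitor cannot see it."""
    def dim(name):
        m = re.match(r"\s*(\d+)", attrs.get(name, ""))
        return int(m.group(1)) if m else None
    w, h = dim("width"), dim("height")
    if (w is not None and w <= 1) or (h is not None and h <= 1):
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


class PageScanner(HTMLParser):
    """Collects (finding_kind, detail) tuples while parsing one page."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            src = attrs.get("src", "")
            host = (urlparse(src).hostname or "").lower()
            if _is_hidden(attrs):
                # A hidden frame pointing off-site is the classic redirector.
                kind = "hidden_offsite_iframe" if host and host != self.site_host else "hidden_iframe"
                self.findings.append((kind, src))
        elif tag == "script" and "src" not in attrs:
            self._in_script = True
            self._script_buf = []

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_buf)
            score = sum(1 for p in OBFUSCATION_MARKERS if re.search(p, body))
            escapes = len(ESCAPE_SEQ.findall(body))
            if score >= MIN_MARKERS or escapes >= MIN_ESCAPES:
                self.findings.append(("obfuscated_inline_script", f"markers={score} escapes={escapes}"))


def scan_page(html, site_host):
    """Return the list of findings for one page served from site_host."""
    scanner = PageScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a legitimate visible embed and benign script, followed by
# an injected 1x1 hidden frame to another host and an eval/unescape loader
# (the encoded payload decodes to the harmless "alert(1)").
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/player" width="560" height="315"></iframe>
<script>document.getElementById('x');</script>
<iframe src="http://redirector.example.net/l.php" width="1" height="1" style="display:none"></iframe>
<script>eval(unescape('%61%6c%65%72%74%28%31%29'));</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_page(SAMPLE_PAGE, "www.example.com"):
        print(f"{kind}: {detail}")
```

Visible off-site frames (video embeds, payment widgets) are deliberately not flagged, since they are how legitimate sites use IFRAMEs; the signal is the combination of invisibility and a foreign host, just as the signal for scripts is several obfuscation constructs together rather than any one of them.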

Security Holes / Vulnerabilities

The sad reality is that virtually all applications have security holes. Although reputable software
vendors provide updates to correct known vulnerabilities, the fixes don’t always get installed.
Google found that just 38 percent of users automatically or immediately update their software
when a new version is available. To make matters worse, cybercriminals are good at discovering
security flaws before the vendor does, so there’s not always a fix available. That means there’s
always a risk of a hacker finding and exploiting a weakness, even for those that immediately
apply operating system or application fixes.

The list is endless, but here are a few prominent systems and applications that are commonly
exploited by drive-by download attacks:

● Old Operating Systems (Windows XP in particular)
● Browsers (Firefox, Chrome, Opera, and others, especially out-of-date versions)
● Out-of-date browser plug-ins
● Early versions of Microsoft Office
● Adobe/Shockwave Flash (ActiveX)
● Adobe Reader
● Foxit Reader
● WinZip
● 7-Zip
● Microsoft Silverlight
● Oracle Java

Not even security applications are immune to flaws. CSO Online reported that numerous
security products have serious vulnerabilities. The lesson here is that it’s extremely difficult, if
not impossible, to develop vulnerability-free software, and hackers capitalize on that fact.

How a Drive-By Attack Works / Threats

When the drive-by malware detects a vulnerability, it exploits it and infiltrates the system. The
malicious code will attack the system in various ways. Here are some of the more common
methods that cybercriminals will use to attack a system:

● Installing keyloggers to capture and record the victim’s keystrokes.
● Using ransomware to encrypt data on the device and demand payment for recovery.
● Deploying botnets that secretly transmit spam or malware to other computers and networks.
● Installing droppers, or malware that’s designed to load more malware without detection.
● Searching the victim’s data, applications, and configuration files for IDs, passwords, account
information, and other sensitive information. The malware can often find login credentials and
other sensitive information stored in configuration files for browsers or other applications.
● Installing man-in-the-browser malware to capture, modify, or insert data into web forms, thus
conducting unauthorized transactions without the victim’s knowledge.
● Sending sensitive data files, photos, or other documents back to the hacker.
● Creating a backdoor that enables the attacker to install additional malware, add or modify user
accounts, and increase privilege levels.

Why do attackers use drive-by downloads?

Drive-by downloads are effective because they can slip on to computers unnoticed,
giving adversaries a foothold for further attacks. The ultimate goals of the attacker may
include:

● Spying and gathering data for further attacks
● Acquiring data that can be sold on darknet marketplaces
● Penetrating further into systems, networks or accounts
● Various types of financial fraud and identity theft
● Recruiting the device as part of a botnet
● Ransomware
● Adware

Example of Drive-by Download Attacks:

Campaigns that involved drive-by downloads in some stage of their attack strategies:

● LURK:

The Lurk cybercriminal group was one of the most prominent early
adopters of drive-by downloads. Alongside other techniques, the group
went on a spree that ultimately netted them $45 million in
stolen funds. However, the group’s activities were brought to a halt in
2015 when fifty of its members were arrested by Russian authorities. The
campaign involved injecting malicious iFrame content into popular Russian
websites. This allowed the group to exploit web browser vulnerabilities
through drive-by downloads. Site visitors would be redirected to malicious
websites and fingerprinted to determine if they were appropriate targets.

● 2016 CAMPAIGN:

In 2016, one of the largest drive-by download campaigns of recent times
struck a range of high-profile publishers. Among the affected websites
were MSN, the New York Times, the BBC, Comcast’s Xfinity and the
NFL. Each of these sites was using seemingly legitimate ad networks that
were compromised by the attacker. The prominence of these and other
sites allowed the hacker to push malicious ads to a large number of
innocent site visitors. These ads then redirected them through two
malvertising servers.

● GREENFLASH SUNDOWN:

In June 2019, researchers from Malwarebytes began to notice a spike in
drive-by download attacks that were traced back to the ShadowGate
group. ShadowGate is a renowned team of hackers known for focusing on
South Korean targets. The attacks relied on the GreenFlash Sundown
exploit kit and were spread through self-hosted ad servers running
Revive Adserver. The attack follows up with a PowerShell script that
probes for information about the potential target’s device, including its
operating system, hard disk, video card, any antivirus software and user
names.

What's Causing the Surge in Drive-by Downloads?

Drive-by downloads are proliferating because the exploit kits that allow cybercriminals to
compromise websites are readily accessible on the black market. The growing complexity of
browser environments is also contributing to the spread of drive-by downloads. As the number of
plug-ins, add-ons and browser versions expands, there are more weaknesses for cybercriminals
to exploit and add to their kits. Now, with HTML5, the boundaries around the browser are
lessening, so more such attacks can be expected in future.

Drive-by downloads have become a more prominent threat in the past few years for two major
reasons. One is the rise of pre-packaged exploit kits that allow hackers to launch sophisticated
attacks, even if they don’t have much technical skill of their own.

India ranked second, behind Singapore, in terms of 'drive-by download' attack volume in the
Asia-Pacific region in 2019, according to a report by Microsoft. While the volume of such attacks
in the Asia-Pacific region declined 27 per cent from 2018, India moved from the 11th position to
the second spot (a 140 percent increase), the report titled 'Microsoft Security Endpoint Report
2019' said. Drive-by downloads can also install spyware, remote-access software, key-logging
software and Trojans capable of extracting information from computers in seconds. They can
turn computers into botnets or make them part of distributed denial-of-service (DDoS) attacks.

The drive-by download attack volume in Asia Pacific has converged with the rest of the world at
0.08, following a 27 percent decline from 2018. However, despite the general decline in drive-by
download attacks across the region, the study found that Singapore experienced the highest
attack volume of 0.31 in 2019 – an increase of 138.5 percent from 2018 (0.13). This was also 3.9
times higher than the 2019 global and regional average. A similar trend was observed in Hong
Kong and India, with both countries also recording an attack volume that was 3 times higher than
the regional and global average.

[Figure: Comparison of drive-by download attacks across developed and developing markets in the region.]

Protection and prevention from Drive-By Downloads

Drive-By downloads are a major concern, but there are several steps end-users can take to
protect themselves from these types of attacks:

● Update your software quickly and constantly. When a software maker releases an
update, cybercriminals will rush to reverse engineer it and target Internet users
who have not applied the update. Configure your operating system, browsers, and
all applications that offer it, to update automatically.
● Remove unnecessary software and plug-ins. Computers tend to fill up with
unnecessary applications and browser plug-ins that are neither useful nor
maintained by the developers. By removing them you significantly reduce your
chances of a data breach.
● Stop using a privileged account for day-to-day work. Whenever you browse the
Internet using a privileged account, drive-by (and other malicious software) can
install itself without your explicit permission. Keep two separate accounts on your
computer. Use a non-privileged account for common day-to-day work and all
online activities. Use a different administrator account for installing software, and
only for that purpose. Using the web without administrative rights greatly reduces
both the risk of a successful drive-by download and the potential damage should
one succeed.
● Use a firewall. Although a firewall won’t necessarily stop sophisticated malware,
a firewall can be effective in detecting and blocking known threats.
● Disable Java and JavaScript. Where possible, disable Java and JavaScript. Put
trusted sites that require it on a whitelist.
● Use web-filtering software. Turn on security features that monitor the websites
you are connecting to. Configure these security controls to warn you when
attempting to access sites that might contain malicious drive-by download and
other attacks.
● Install an ad blocker. Drive-by download attacks frequently use ads as infection
vectors. Installing an ad blocker will help reduce exposure to these types of attack.
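The web-filtering and ad-blocker points above, together with the 2016 campaign described earlier (visitors redirected through two malvertising servers before infection), suggest a detection rule an organisation can run over its own proxy logs: a page view followed within seconds by a chain of redirects through third-party hosts that ends in executable or plug-in content. The script below is an added example, not from the report; its log format, hostnames, content-type list and thresholds are constructed assumptions.

```python
"""Flag the drive-by pattern in web-proxy logs: redirects through several
third-party hosts that end in executable or browser plug-in content shortly
after a page view. The log format and sample lines below are constructed:
  <unix_time> <client_ip> <url> <status> <content_type> <referer>"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed list of content types that a page should not silently deliver.
RISKY_TYPES = {
    "application/x-msdownload", "application/x-msdos-program",
    "application/octet-stream", "application/java-archive",
    "application/x-shockwave-flash", "application/x-java-jnlp-file",
}
RISKY_EXT = (".exe", ".jar", ".swf", ".scr", ".msi")
WINDOW_SECONDS = 10   # how far back to look for the redirect chain
MIN_HOPS = 2          # distinct third-party hosts that returned a redirect


def parse_line(line):
    """Split one constructed log line into a dict; '-' marks an empty field."""
    ts, client, url, status, ctype, referer = line.split()
    return {"ts": int(ts), "client": client, "url": url, "status": int(status),
            "ctype": ctype.lower(), "referer": referer,
            "host": (urlparse(url).hostname or "").lower()}


def _serves_risky_content(ev):
    path = urlparse(ev["url"]).path.lower()
    return ev["status"] == 200 and (ev["ctype"] in RISKY_TYPES or path.endswith(RISKY_EXT))


def find_driveby_chains(lines):
    """Return one alert per risky download that was reached through a chain of
    redirects from hosts other than the page being read and the download host."""
    by_client = defaultdict(list)
    for ev in map(parse_line, lines):
        by_client[ev["client"]].append(ev)

    alerts = []
    for client, events in by_client.items():
        events.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(events):
            if not _serves_risky_content(ev):
                continue
            page_host = (urlparse(ev["referer"]).hostname or "").lower()
            hops = []
            for prev in events[:i]:
                if ev["ts"] - prev["ts"] > WINDOW_SECONDS:
                    continue
                redirected = 300 <= prev["status"] < 400
                if redirected and prev["host"] not in (ev["host"], page_host):
                    hops.append(prev["host"])
            if len(set(hops)) >= MIN_HOPS:
                alerts.append({"client": client, "download": ev["url"],
                               "page": ev["referer"], "hops": hops})
    return alerts


# Constructed sample: client 10.0.0.5 reads a news article whose ad slot bounces
# through two third-party hosts and lands on a Flash object from a bare IP;
# client 10.0.0.9 performs an ordinary vendor download with a single redirect.
SAMPLE_LOG = [
    "1606000000 10.0.0.5 https://news.example.org/story/42 200 text/html -",
    "1606000001 10.0.0.5 https://cdn.example.org/site.css 200 text/css https://news.example.org/story/42",
    "1606000001 10.0.0.5 https://ads.example-adnet.com/serve?id=9 302 - https://news.example.org/story/42",
    "1606000002 10.0.0.5 https://track.example-relay.net/go 302 - https://news.example.org/story/42",
    "1606000003 10.0.0.5 http://203.0.113.7/loader.swf 200 application/x-shockwave-flash https://news.example.org/story/42",
    "1606000010 10.0.0.9 https://vendor.example.com/update 302 - -",
    "1606000011 10.0.0.9 https://dl.vendor.example.com/setup.exe 200 application/x-msdownload -",
]

if __name__ == "__main__":
    for alert in find_driveby_chains(SAMPLE_LOG):
        print(f"{alert['client']} fetched {alert['download']} via {' -> '.join(alert['hops'])}")
```

Requiring at least two distinct redirecting hosts keeps ordinary vendor downloads (one hop to a mirror) out of the alerts while still catching the ad-network pattern; the hosts collected in `hops` are exactly what a web filter or ad blocker would be configured to block once the chain is confirmed.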

Summary

Drive-by downloads are especially pernicious. Their proliferation is mainly due to the increased
availability of affordable exploit kits that allow cybercriminals to easily compromise websites.
Such exploit kits are highly refined and automated, which makes it easy for cybercriminals to
distribute them across as many web servers as possible.

The growing complexity of internet browsers also contributes to the increase in drive-by
download attacks. As the number of plug-ins, add-ons and browser versions proliferate, there are
more weaknesses for cybercriminals to exploit.

However, despite the dangers, there are several relatively simple steps that end-users can take to
protect themselves from drive-by downloads. Likewise, organizations can deploy advanced
malware protection solutions that are quite effective at detecting and blocking drive-by
downloads.

References

1. https://news.microsoft.com/en-sg/2020/06/17/singapore-experienced-the-highest-drive-by-download-attack-volume-in-asia-pacific-microsoft-security-endpoint-threat-report-2019/
2. https://en.wikipedia.org/wiki/Drive-by_download
3. https://www.researchgate.net/publication/262217216_Anatomy_of_drive-by_download_attack
4. https://economictimes.indiatimes.com/tech/internet/india-sees-2nd-highest-drive-by-download-attack-volume-in-apac-in-2019-microsoft/articleshow/77239906.cms?from=mdr
5. https://www.comparitech.com/blog/information-security/drive-by-download/
