Drive-by download

In computer security, a drive-by download is the unintended download of software, typically malicious software. The term "drive-by download" usually refers to a download which was authorized by a user without understanding what is being downloaded, such as in the case of a Trojan horse. In other cases, the term may simply refer to a download which occurs without a user's knowledge. Common types of files distributed in drive-by download attacks include computer viruses, spyware, or crimeware.

Drive-by downloads may happen when visiting a website, opening an e-mail attachment or clicking a link, or clicking on a deceptive pop-up window: by clicking on the window in the mistaken belief that, for example, an error report from the computer's operating system itself is being acknowledged or a seemingly innocuous advertisement pop-up is being dismissed. In such cases, the "supplier" may claim that the user "consented" to the download, although the user was in fact unaware of having started an unwanted or malicious software download. Similarly, if a person is visiting a site with malicious content, the person may become the victim of a drive-by download attack. That is, the malicious content may be able to exploit vulnerabilities in the browser or plugins to run malicious code without the user's knowledge.

A drive-by install (or installation) is a similar event. It refers to installation rather than download (though sometimes the two terms are used interchangeably).

Process

When creating a drive-by download, an attacker must first create their malicious content to perform the attack. With the rise in exploit packs that contain the vulnerabilities needed to carry out unauthorized drive-by download attacks, the skill level needed to perform this attack has been reduced.

The next step is to host the malicious content that the attacker wishes to distribute. One option is for the attacker to host the malicious content on their own server. However, because of the difficulty in directing users to a new page, it may also be hosted on a compromised legitimate website, or on a legitimate website unknowingly distributing the attacker's content through a third-party service (e.g. an advertisement). When the content is loaded by the client, the attacker will analyze the fingerprint of the client in order to tailor the code to exploit vulnerabilities specific to that client.

Finally, the attacker exploits the necessary vulnerabilities to launch the drive-by download attack. Drive-by downloads usually use one of two strategies. The first strategy is exploiting API calls for various plugins. For example, the DownloadAndInstall API of the Sina ActiveX component did not properly check its parameters and allowed the downloading and execution of arbitrary files from the internet. The second strategy involves writing shellcode to memory, and then exploiting vulnerabilities in the web browser or plugin to divert the control flow of the program to the shellcode. After the shellcode has been executed, the attacker can perform further malicious activities. This often involves downloading and installing malware, but can be anything, including stealing information to send back to the attacker.

The attacker may also take measures to prevent detection throughout the attack. One method is to rely on the obfuscation of the malicious code. This can be done through the use of iframes. Another method is to encrypt the malicious code to prevent detection. Generally the attacker encrypts the malicious code into a ciphertext, then includes the decryption method after the ciphertext.

Detection and prevention

Detection of drive-by download attacks is an active area of research. Some methods of detection involve anomaly detection, which tracks state changes on a user's computer system while the user visits a webpage. This involves monitoring the user's computer system for anomalous changes when a web page is rendered. Other methods of detection include detecting when malicious code (shellcode) is written to memory by an attacker's exploit. Another detection method is to make run-time environments that allow JavaScript code to run and track its behavior while it runs. Other detection methods include examining the contents of HTML pages to identify features that can be used to identify malicious web pages, and using characteristics of web servers to determine if a page is malicious. Some antivirus tools use static signatures to match patterns of malicious scripts, although these are not very effective because of obfuscation techniques. Detection is also possible by using low-interaction or high-interaction honeyclients.

Drive-by downloads can also be prevented from occurring by using script-blockers such as NoScript, which can easily be added into browsers such as Firefox. Using such a script-blocker, the user can disable all the scripts on a given webpage, and then selectively re-enable individual scripts on a one-by-one basis in order to determine which ones are truly necessary for webpage functionality. However, some script-blocking tools can have unintended consequences, such as breaking parts of other websites, so their use is a balancing act.

A different form of prevention, known as "Cujo," is integrated into a web proxy, where it inspects web pages and blocks the delivery of malicious JavaScript code.

See also

Malvertising
Phishing
BLADE
Mac Flashback
Windows Metafile vulnerability
Dropper (malware)

Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.