Internet privacy and security course
About translation
Previous Next

Chapter 119

Attack drive-by download, or secret download.

New tools to protect the user appear in browsers every year. Popular browsers today are able to track and prevent MITM attacks when someone tries to get between the user and the site and intercept traffic, they can detect phishing sites and, of course, have built-in sandboxes, protecting the system from web site attacks.

But one method today works just as efficiently as 10 years ago, which is downloading the bait file to the user and wait for them to open it.

Drive-by download is an attack in which downloading is done in secret when the victim opens the website. However, such a site will be noticed rather quickly, especially if it starts downloading malicious files to users massively. That is why malefactors often use a variation of this attack, called drive-by login. This is all the same secret download, but occurring after authorization on the site. This scheme allows malefactors to be hidden for a long time from being detected by security experts and falling into the lists of malicious sites.

But in fact, this is more a theoretical threat, as today it is not so easy to download a file secretly, but it’s simple to do it without the user's consent. This is used by intruders.

Everyone knows that a computer can be infected with malware disguised as pdf or word files. In this way ordinary users, companies, politicians, public figures are infected, but for this you need at least one condition, meaning that the file must be open on the victim's device. Making the victim open the file is one of the key tasks of the malefactors.

By the way, it doesn’t have to be malware disguised as a document; it could be the document itself if the office suite contains a vulnerability. To do this, malefactors must have zero-day vulnerabilities in the range, or the victim's software must not be updated and contain known vulnerabilities.

At the time of writing this article, information appeared about a critical vulnerability in a popular office suite. And this is not even MS Office, where the vulnerabilities are regular, but LibreOffice, which is an open source office suite. I, like many others, recommend it as an alternative to Microsoft Office, but in this case a critical vulnerability was discovered in it, which led to compromising the victim’s device by simply opening the document.

Users are often afraid that the sites will upload files to them and these files will be launched by themselves. I assure you that today it’s more a theoretical threat, exploitation of vulnerabilities in the browser and going beyond the sandbox are much more real, but this is another type of attack, for which the attacker must have a complex of 0day vulnerabilities for the browser and the operating system, or the victim’s browser and operating system are not updated and not protected from known vulnerabilities.

But simply downloading the file is easy, and for this there are a lot of ways. Sometimes the file is downloaded to the device along with another file that the user really wants to download, sometimes social engineering is used, sometimes automatic download scripts, sometimes banners, sometimes iframe.

Iframe is a tool that allows you to embed an element of another page or another website on a website page, for example, with the help of iframe we can embed YouTube videos on pages of other websites.

But downloading a file is only half of the task; it is necessary that the victim launch it on their device, perhaps even give out administrator rights. And this is where social engineering is connected. The malefactors try to give the file a name so that the victim becomes interested in it when they accidentally find it in the downloads.

  Most readers of the course probably know that downloaded files should be checked on VirusTotal, opened in a virtual environment, online or in installed sandbox. But, as a rule, this requirement is for the files just downloaded, and to files that have been stored on the device for some time, most users have an unreliable trust.

Often, the download folder is cleaned only when the disk begins to run out of space, or when you reinstall the system or change the computer. Naturally, in this case, the user does not know and does not remember when and what files they downloaded, how reliable they were and whether they were checked for malware.

From this chapter you must make two rules that may seem banal to you, but it is where the complex security is built on.

The first rule is to make order in the Downloads folder. If you have there files that are randomly stored for months, reorder it, removing all unnecessary files. You must clearly know what files and why are stored in your Downloads folder.

 

Tip

Order the Downloads folder.

The second good habit is not to trust files from the download folder more than just downloaded from the network. You should open them only in a safe environment or virtual operating system, and if the file is not a secret document and you are not afraid to share it, be sure to check it on the VirusTotal website.

 

Tip

Do not trust the files in the Downloads folder.

Previous
3907
Next