We have included data on drive-by download attacks in numerous past volumes of the Microsoft Security Intelligence Report. But in the latest volume of the report, volume 15, we published some new data that we haven’t included in the report before: the relative prevalence of drive-by download sites hosted on different web server platforms.
Drive-by download attacks continue to be many attackers’ favorite type of attack. This is something I have written about several times in the past:
To summarize, a drive-by download site is a website that hosts one or more exploits that target vulnerabilities in web browsers and browser add-ons. Users with vulnerable computers can be infected with malware simply by visiting such a website, even without attempting to download anything. Drive-by download sites are hosted all over the world; Figures 1 and 2, from the Microsoft Security Intelligence Report volume 15, show the concentration of drive-by download pages in countries and regions throughout the world at the end of first and second quarters of 2013, respectively. Locations with relatively high concentrations of drive-by download URLs in both quarters include Syria, with 9.5 drive-by URLs for every 1,000 URLs tracked by Bing at the end of the second quarter of 2013; Latvia, with 6.6; and Belarus, with 5.6.
Figure 1 (top): Drive-by download pages indexed by Bing at the end of the first quarter of 2013, per 1,000 URLs in each country/region
Figure 2 (bottom): Drive-by download pages indexed by Bing at the end of the second quarter of 2013, per 1,000 URLs in each country/region
We get this data from Bing. Search engines such as Bing have taken a number of measures to help protect users from drive-by download attacks. Bing analyzes websites for exploits as it indexes them and displays warning messages when listings for drive-by download pages appear in the list of search results, as seen in Figure 3.
Figure 3: A drive-by download warning from Bing
From time to time I get asked by customers whether attackers target or use specific web server platforms more than others to host drive-by download attacks. It turns out that some web server software platforms are more likely to host drive-by download sites than others because of a number of factors, such as the prevalence of exploit kits targeting specific platforms. Figure 4 shows the relative prevalence of drive-by download sites on different web server platforms.
Figure 4: Drive-by download hosts per 1,000 registered domains at the end of the first half of 2013, by web server platform, as published in the Microsoft Security Intelligence Report volume 15
The data in Figure 4 is normalized. This means for each server platform, it shows the number of registered domains hosting drive-by download sites on the platform for every 1,000 registered domains running that platform. “Registered domains” are either second-level or third-level domains, depending on the rules of the TLD (for example, microsoft.com or microsoft.co.uk). If a registered domain has any subdomains, such as www, they are all considered together.
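To make the normalization concrete, here is an added example (it is not code from the post or from the Security Intelligence Report) that computes "drive-by hosts per 1,000 registered domains" by platform the way the paragraph describes: every flagged URL is collapsed to its registered domain so that subdomains such as www count once, the registered domains are grouped by the server platform the crawler recorded for them, and the count is scaled per 1,000 domains running that platform. The input records, the platform names and the tiny suffix table are constructed for the illustration; real work would use the Public Suffix List and a crawler's own platform fingerprints.

```python
"""Added example: incidence of drive-by download hosts per 1,000 registered
domains, by web server platform. Not the SIR's own code; all data below is
constructed for illustration."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed, simplified stand-in for public suffix rules: suffixes under which
# registrations happen at the third level (example.co.uk rather than co.uk).
THIRD_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def registered_domain(host: str) -> str:
    """Collapse a hostname to its registered domain, merging subdomains such as
    'www' or 'cdn' into it (www.example.co.uk -> example.co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in THIRD_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def incidence_per_1000(domains, driveby_urls):
    """domains: iterable of (registered_domain, platform) for every registered
    domain the crawl fingerprinted; driveby_urls: URLs flagged as drive-by pages.
    Returns {platform: (domains_hosting_driveby, total_domains, rate_per_1000)}."""
    platform_of = dict(domains)            # registered domain -> platform
    total = defaultdict(int)               # platform -> registered domains on it
    for plat in platform_of.values():
        total[plat] += 1
    flagged = defaultdict(set)             # platform -> domains with >= 1 flagged URL
    for url in driveby_urls:
        host = urlsplit(url).hostname
        if not host:
            continue
        dom = registered_domain(host)
        plat = platform_of.get(dom)
        if plat is None:
            continue                       # no platform fingerprint for this domain
        flagged[plat].add(dom)             # a domain counts once however many URLs hit
    return {
        p: (len(flagged[p]), total[p], round(1000 * len(flagged[p]) / total[p], 1))
        for p in total
    }


# Constructed population: 500 Apache, 250 nginx and 200 IIS registered domains.
SAMPLE_DOMAINS = (
    [(f"site{i}.com", "Apache") for i in range(400)]
    + [(f"shop{i}.co.uk", "Apache") for i in range(100)]
    + [(f"blog{i}.net", "nginx") for i in range(250)]
    + [(f"corp{i}.com", "IIS") for i in range(200)]
)

# Constructed flagged URLs: three distinct Apache domains (site7.com hit twice,
# two reached via subdomains), one nginx domain, one domain outside the crawl.
SAMPLE_DRIVEBY_URLS = [
    "http://site7.com/index.html",
    "http://site7.com/about.html",
    "http://www.shop3.co.uk/",
    "http://cdn.site42.com/x.js",
    "http://blog9.net/post/1",
    "http://unknown.example/",
]

if __name__ == "__main__":
    for platform, (hits, pop, rate) in sorted(incidence_per_1000(SAMPLE_DOMAINS, SAMPLE_DRIVEBY_URLS).items()):
        print(f"{platform:8s} {hits:3d} of {pop:4d} registered domains -> {rate} per 1,000")
```

Note that the rate is driven by the number of distinct registered domains hosting a flagged page, not by the number of flagged URLs, which is why a large site with many compromised pages moves the figure no more than a single-page site does.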
During the first half of 2013, websites that run the open-source Apache HTTP Server displayed the highest rate of drive-by download incidence, with 6.4 registered domains hosting drive-by download sites per 1,000 registered domains running Apache web servers. The prevalence of drive-by download sites on the Apache platform might be related to the spread of the so-called “Darkleech” exploit kit, discovered in April 2013, which targets the Apache HTTP Server. “Darkleech” attacks add malicious inline frames to webpages hosted on compromised Apache web servers.
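The post says these attacks work by adding inline frames to pages served from compromised Apache hosts, which suggests a check an administrator can run against their own served HTML. The following is an added example, not code from the post or from Microsoft, of a generic integrity heuristic: it flags iframes that point off-site and are also concealed (near-zero size or hidden via CSS). The exact markup Darkleech injects is not given on the page, so this is an assumption-based generic check rather than a signature for that kit; the sample HTML is constructed.

```python
"""Added example: flag concealed, off-site inline frames in served HTML as a
compromise indicator. Generic heuristic; the injected markup is assumed, and
the sample page below is constructed for illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _near_zero(value) -> bool:
    """True when a width/height attribute is 0 or 1 (pixels), a common way to hide a frame."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", str(value))
    return bool(m) and int(m.group(1)) <= 1


def suspicious_iframes(html: str, page_host: str):
    """Return [(src, reasons)] for iframes that are both off-site and concealed.
    A visible first-party frame is normal and is never reported."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src") or ""
        reasons = []
        host = urlsplit(src).hostname          # None for relative or empty src
        if host and host != page_host.lower():
            reasons.append("third-party src")
        if _near_zero(attrs.get("width")) or _near_zero(attrs.get("height")):
            reasons.append("near-zero size")
        if HIDDEN_STYLE.search(attrs.get("style") or ""):
            reasons.append("hidden via style")
        # Require an off-site destination plus at least one concealment signal.
        if "third-party src" in reasons and len(reasons) >= 2:
            findings.append((src, reasons))
    return findings


# Constructed sample page: one legitimate first-party video frame and one
# hidden 1x1 frame pointing at a different host.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.org/video" width="640" height="360"></iframe>
<iframe src="http://bad.example.net/x.php" width="1" height="1" style="visibility:hidden"></iframe>
<p>Footer</p>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_HTML, "www.example.org"):
        print(f"suspicious iframe {src}: {', '.join(reasons)}")
```

Running this over a copy of the HTML the server actually returns to visitors (rather than over the files on disk) matters here, because the post describes the frames being added to hosted pages at serving time on the compromised server, so a comparison of served output against the deployed source is the more telling check.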
The open-source Nginx web server displayed the second highest rate of drive-by download incidence (4.8 per 1,000 registered domains), followed by Microsoft Internet Information Services (IIS) for Windows Server (3.9 per 1,000 registered domains). All other web server platforms, each of which was used by less than 1 percent of registered domains worldwide, collectively displayed a drive-by download incidence rate of 3.5 per 1,000 registered domains.
The Call to Action
The following article contains detailed advice for developers and IT professionals on how to help manage the risk related to drive-by download attacks: What You Should Know About Drive-By Download Attacks – Part 2.
Administrators of web servers need to also take precautions to ensure that the web servers in their care are not compromised and used to host drive-by download attacks. Preventing web servers from being compromised and detecting compromise are key steps. Some of the mitigations that will help do this include:
The list above is not exhaustive, but it will get you heading in the right direction. This recent article written by the CSS Security Team also provides some useful broader context on the anatomy of an attack: Enterprise Threat Encounters: Scenarios and Recommendations – Part 1.
Tim Rains
Director, Trustworthy Computing