A driveby is where a person picks up a virus just by visiting a website. They need do nothing more than visit the site; they don’t have to click on anything.

A website is made up of information pulled from one or more web servers. It could include advertising from an adserver (perhaps owned and managed by a third-party supplier), articles, menus and so on. An attacker can compromise one or more of the servers that host components of that website, whether the adserver or other parts of the site.

When someone visits the infected website, their computer requests all the information that forms the page, including the infection. It arrives over the internet as legitimately requested content, so it will likely get through the firewall. If the malware embedded in the page is unknown to the antivirus, if patches or software versions aren’t up to date, or if there is no restriction on which applications are allowed to run on the machine, the malware will be silently installed.
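Because a page is assembled from several servers, a useful defensive check is to inventory which origins a page loads active content (scripts, iframes, plugins) from and flag any that the site owner does not expect. The following is an added example, not code from the original entry: it parses a constructed sample page and compares the origins against a hypothetical allowlist; the `.test` hostnames are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose remote source is fetched and executed or rendered with no user click.
ACTIVE_SOURCES = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}


class OriginCollector(HTMLParser):
    """Collect the origin of every active-content reference on a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.origins = {}  # origin -> list of (tag, absolute url)

    def handle_starttag(self, tag, attrs):
        attr_name = ACTIVE_SOURCES.get(tag)
        if attr_name is None:
            return
        src = dict(attrs).get(attr_name)
        if not src:
            return
        # Resolve relative and protocol-relative ("//host/...") URLs against the page.
        full = urljoin(self.page_url, src)
        parts = urlsplit(full)
        origin = f"{parts.scheme}://{parts.netloc}".lower()
        self.origins.setdefault(origin, []).append((tag, full))


def active_origins(html, page_url):
    collector = OriginCollector(page_url)
    collector.feed(html)
    return collector.origins


def unexpected_origins(html, page_url, allowlist):
    """Origins serving active content that are not on the site owner's allowlist."""
    allowed = {o.lower() for o in allowlist}
    return {o: refs for o, refs in active_origins(html, page_url).items() if o not in allowed}


# Constructed sample page: the site's own script, an expected ad network, one stray host.
SAMPLE_HTML = """<html><body>
<script src="/js/site.js"></script>
<script src="//ads.example-adserver.test/tag.js"></script>
<iframe src="https://ads.example-adserver.test/slot?id=7"></iframe>
<script src="https://cdn.unknown-host.test/x.js"></script>
<img src="https://images.example.com/logo.png">
</body></html>"""
ALLOWLIST = ["https://www.example.com", "https://ads.example-adserver.test"]  # hypothetical

if __name__ == "__main__":
    for origin, refs in unexpected_origins(SAMPLE_HTML, "https://www.example.com/news", ALLOWLIST).items():
        print(origin, [url for _, url in refs])
```

Running the same inventory over a site's pages on a schedule, and diffing the result, gives an early signal when a page starts pulling code from a server nobody approved.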

Drivebys, in addition to spearphishing, are increasingly popular with APT attackers. They choose websites of common interest to their targets and find vulnerabilities in those sites’ web servers, and in their suppliers’ web servers, as another method of compromise.

See also waterholing.
