Article Preview
TopIntroduction
Everyday Internet users are a target by a large number of attackers who are constantly searching for vulnerabilities to perform various attacks with different motivations and intentions (Harley & Bureau, 2008). Narvaez, Endicott-Popovsky, Seifert, Aval and Frincke (2010) considered drive-by download attacks as one of the most important types of these attacks in which the attacker uses legitimate and illegitimate websites to spread malicious code. A file is downloaded to the user machine without trigger by exploiting a web browser vulnerability. The file usually contains a malicious code that runs on the target computer. This malware could be used to steal confidential data, create a backdoor or serve any imaginable malicious intent. Leit and Cova (2011) believe that drive-by downloads are involved in the spread of most of the recent malware infections.
Figure 1. Drive-by downloads attack flow
Matsunaka, Urakawa, and Kubota (2013) found that the user is simply subjected to this attack by clicking a link in a phishing email, malicious hyperlink, or unwanted popup window. Figure 1 shows one possible scenario to launch a drive-by download attack. First, a malicious website is setup, called the landing or mothership website. This website could be mimicking a legitimate website or actual legitimate website where malicious code is injected. Once the websites are injected with the attack code, they act the first point in a chain of redirections to multiple intermediate websites. The point of the redirections is to hide the actual exploit servers and mislead investigators. The users are finally redirected to the exploit website, which includes a more elaborate malicious code charged with searching for vulnerabilities and flaws based on the version of the user’s web browser and operating system. Once vulnerability is located it will be exploited by the malware distribution website to download and install the desired malware directly to user’s device without his knowledge. All drive-by attacks need not to follow the exact same flow but the main idea remains valid.
The ultimate goal of drive-by download attack is to take control of the client’s system through exploiting the vulnerabilities of web browsers or its extensions forcing it to perform undesirable operations. Takata, Akiyama, Yagi, Hariu, and Goto (2015) found that attacks could result in data or financial loss because the attacker control over the victim’s computer. Most drive-by download attacks are carried out by following four main steps. Redirection is considered the first step in which the user is taken through a chain of redirection processes to deliver him to malware distribution site. Attackers use obfuscation as the second step to hide the malicious scripts under several layers of obscurity. The third step is environment preparation in which the attacker seeks getting the permissions to control the memory in order to inject the malicious code in the browser’s memory and jumps to execute the injected code. Exploitation is the last step to perform the attack and compromise the vulnerabilities in browser plugins. The compromised client then responds to remote commands from a Command and Control (C&C) run by some bot herder (Cova, Kruegel & Vigna, 2010).
Monitoring traffic and system activities provide a convenient way to identify attacks. Intrusion detection systems (IDS) are used for this purpose. Aldwairi (2006) used Hardware-based IDS to provide efficient and fast detection systems, however they are expensive, complex and are not easy to reconfigure. Aldwairi, and Alansari (2011) used software-based IDS with execlusion mechanisim to skip benign packsts. Despite the considerable speedup, it was not as fast as the hardware-based solutions. Researchers considered both the anomaly and the signature-based IDSs. Anomaly-based IDS systems provide a strong protection as they are able to identify new and previously unknown attacks. Aldwairi, Khamayseh, and Al‐Masri (2015) found anomaly-based IDSs suffer from high false positives and negatives. Signature-based IDS systems provide higher accuracy in identifying attacks, however they are limited to the predefined patterns and they cannot identify zero-day attacks that are previously unknown.