What is a Drive-By Download?

Any company with a digital presence faces a wide variety of cyber threats. However, they do not all look the same, nor do they infiltrate your environment in the same way... making some of them more dangerous than others. One growing cyber threat that is more menacing than most is drive-by downloads.

What makes a drive-by attack different from any other breach? 

Drive-by downloads represent a different distribution technique, attack intensity, and level of sophistication that we’re seeing from these threat actors.  These attacks can be more dangerous because often your organization doesn’t even realize the drive-by download has infiltrated your environment. 

So... how does a drive-by download typically work?

Drive-by download steps:

  1. A site with weaknesses in its attack surface is compromised by an attacker.
  2. The attacker exploits a client-side vulnerability
  3. The attacker then delivers a shellcode & sends a downloadable malware
  4. The malware infects the device and takes over control

The Possible Outcomes of a Drive-by Download Attack

When protecting yourself against drive-by downloads, it’s important to be aware of how devices are accessed and managed. Whether an employee accidentally downloads malware through a contaminated email or someone simply visits the wrong website, the consequences of a drive-by download could be detrimental to your business:

  • The download could survey and collect your company information - Downloaded malware can live within company devices for long periods of time undetected. During this time, they are able to collect any data within the device and store the information remotely.
  • The attack could take over your network - Some downloads may be immediately noticed as they take complete control of your device. Not only does this lock you out of your system, but it also ruins the devices on your network and requires those devices to be replaced.
  • Your device could become a part of a botnet - Botnets represent a significant portion of many drive-by downloads seen today. Botnet malware typically looks for devices with vulnerable endpoints across the internet, rather than targeting specific individuals, companies, or industries. As more devices are brought into a botnet scheme through drive-by infiltration, the more powerful the threat becomes and the further it is able to penetrate into your network or others. 

These threats are nothing new. That said, CEOs and other board members are often unaware of what they are and the destruction they can cause. 

For example, in 2018, a famous botnet operation known as 3ve was able to seize multiple Swiss bank accounts, more than 30 web domains, and information from over 80 servers. 3ve had been operating within each of these networks for months without any punishment as their victims had no knowledge that they were infected until investigation.

The lesson? Just because your network is not experiencing any issues or strange activity at the moment, does not mean that it is not already infiltrated.


Botnets: The Most Common Outcome of Drive-By Downloads Today 


When a user visits any given site, they face a host of potential traps:

When we are looking at web application vulnerabilities- especially those that involve injection - we are looking at the implementation practices of these drive-by downloads and botnet attacks. These application vulnerabilities open the door for the threat actors to plant malware on certain sites and create new points of infection.

Because a particular web application vulnerability may exist in a third-party package (i.e. a WordPress plugin) that is utilized by several websites, Botnet operators can use these tactics to infect a single site or thousands of sites.

Common contaminated attack vectors:
  • Malvertising
  • Infected widgets
  • Website Images
  • Downloadable Documents
  • Email Spam

These are all ways that the threat actor can work to deliver malware to an unsuspecting victim. Should a botnet choose to turn your device into a “zombie computer,” then your system is no longer under your control. It is now run by a “bot herder” that is able to utilize the device’s network and direct the spread of malware to other networks and devices.

RaaS Gangs and Botnet Operators: A Dangerous Combination

RaaS gangs and Botnet operators understand the benefits of working with one another and often partner up to hold organizations’ IT environments hostage. RaaS attacks like Netwalker partnered with botnet operators to spread the malware faster and wider. 

When the botnets and RaaS gangs work together, they often leverage the following TTPs (tactics, techniques, and procedures):

  • Distributed denial of service (DDoS) attacks - DDoS attacks consist of massive botnets overloading an organization’s systems, making them inoperable until a ransom is paid or a company fails to meet the hacker’s request. This jam in the system freezes any usage until the attack is over. 
  • Asset-targeted assaults -These are premeditated attacks that have a set goal (financial gain, customer data, or private internal data) when attacking a system.
Related Reading: Crimeware-as-a-Service Explained


So how do you prevent drive-by downloads, botnets, and RaaS gangs from seizing control?

It takes more than advanced processes and tools to prevent malware from entering your network. It requires having a clear vision of where your network’s vulnerabilities are and the proper measures your team must take to combat them.


What is a Botnet infographic


To prevent Botnets from entering your system:


Protect Yourself - Invest in a Pen Test

Allowing a professional team to go in and discover your organization’s vulnerabilities could save you from someone else finding them first. This is your first step in understanding your attack surface and figuring out what you will need to better protect your enterprise. 

Penetration testing is important for the non-technological aspects of your security as well - your employees. By testing your workers and making them aware that they are a vulnerability, your business is better equipped to prevent an attack from occurring. It is easier for a business to avoid malware when they understand the ‘how’ and ‘why’ behind it.

A successful penetration analysis can show you: 

  • Specific vulnerabilities that are likely to be exploited
  • Data that can be accessed
  • The amount of time the pen tester was able to remain in the system undetected
Check out how pen testing can optimize your IR plan +

Protect Yourself - Contain Any Threat with Zero Trust Network Architecture

A zero-trust network architecture can dramatically decrease an organization’s exposure to cybersecurity risks, making it an increasingly popular strategy for companies looking to mitigate the risk of a breach. The idea behind a zero-trust network is to restrict access to give people within your network what they need to do their job and nothing more. This approach has been rising in popularity because people are commonly used as access points for malware and therefore must be inspected throughout their time with the company. 

appgate ZTNA graphic

Maintaining a ZTNA requires companies to continuously evaluate access levels for each person at the company throughout their employment journey:

  • Onboarding: Users are granted initial entry to the system and assigned the roles that define their access. An onboarding process should be the time in which employees are given insight into the potential cyber threats that face your organization and the role they play in combatting them.
  • Position Changes: As employees move throughout your organization, make sure to fully shift their access from one role to another. Do not allow access points to remain open and unmonitored once an employee no longer needs entry to certain systems. The less access that each team member has, the less damage that a breach is able to cause. 
  • Upon Termination of Employment: When an employee leaves the organization, processes must be in place to eliminate their access to the organization’s resources. This will close any possible channels of attack that your employee may have been granted throughout their time in the company.

As a business, you have a responsibility to your customers and partners to ensure your sites are uncompromised. You don’t want the possible reputational damage that comes with being a business that spreads malware to its user base. Your site might not be damaged, but you could unknowingly become part of a global malware distribution site, dropping malicious code on your customer’s computers, and providing fodder for RaaS gangs to exploit. 

Cybersecurity becomes more necessary with each advancement in technology. As we progress, so do those who wish to breach our networks. Stay one step ahead by working with the right security partner and implementing up-to-date tools and processes.






Creating a Business-First Incident Response Plan

Get Access

Chat With One of Our Experts

vulnerability management RaaS gangs Botnet Drive-By Downloads Blog