Drive By Web Exploits
One of the key tools in the cybercrime toolbox is the drive by web exploit. Simply put, a drive by exploit is when a website is somehow violated such that it later causes the download of software, often from a different server and typically malicious in nature, without the knowledge of the end user. This software may be later used for a variety of things. It may be a key logger, recording keystrokes to capture things like passwords and credit card data, it could be a botnet client, turning the victim PC into a zombie used for spam, DDoS or even Bitcoin Mining. Regardless, the fundamentals remain the same. Do something bad to a website and then that website causes a silent install of malware on visitor machines.
One of the more common ways to do this is to use a SQL Injection attack, which despite being one of the older and better understood forms of attack is also one of the more prevalent and dangerous. Generally speaking, many websites and web applications have an architecture with a web server front end with a database back end. Many web developers are under time and resource constraints and may have limited security exposure or knowledge. Thus certain security practices, such as strict input validation, may not be done properly. This opens up the door to the attacker doing things like sending SQL commands in the form of HTTP requests that are passed to the web server, which then passes arguments back to the database server. If you provide input of the sort that the developer expects, the site behaves normally. However, with some practice and knowledge of how these systems work, you may be able to inject SQL commands into HTTP requests, which are then passed on to the database server.
Web pages are often composed of parts that are stored in the database. If you can touch the database, you may be able to impact what is displayed. The simplest manifestation would be to vandalize the server in an obvious way, like an inner city graffiti artist tagging a wall. A more subtle attack would be to leave the site visibly intact but include some code that would cause the user machine to silently download and install malware. There are a variety of ways that this can be done, exploiting zero-day and other flaws in operating systems, browsers and browser plugins, or helper applications like Flash or PDF Reader.
Our video, the second in the SecureX Files series from Cisco Security Intelligence Operations (SIO), is about Drive By exploits.