Drive-by Download Attacks: Examining the Web Server Platforms Attackers Use Most Often

We have included data on drive-by download attacks in numerous past volumes of the Microsoft Security Intelligence Report. But in the latest volume of the report, volume 15, we published some new data that we haven’t included in the report before – the relative prevalence of drive-by download sites hosted on different web server platforms.

Drive-by download attacks continue to be many attackers' favorite type of attack. This is something I have written about several times in the past:

To summarize, a drive-by download site is a website that hosts one or more exploits that target vulnerabilities in web browsers and browser add-ons. Users with vulnerable computers can be infected with malware simply by visiting such a website, even without attempting to download anything. Drive-by download sites are hosted all over the world; Figures 1 and 2, from the Microsoft Security Intelligence Report volume 15, show the concentration of drive-by download pages in countries and regions throughout the world at the end of the first and second quarters of 2013, respectively. Locations with relatively high concentrations of drive-by download URLs in both quarters include Syria, with 9.5 drive-by URLs for every 1,000 URLs tracked by Bing at the end of the second quarter of 2013; Latvia, with 6.6; and Belarus, with 5.6.

Figure 1 (top): Drive-by download pages indexed by Bing at the end of the first quarter of 2013, per 1,000 URLs in each country/region; Figure 2 (bottom): Drive-by download pages indexed by Bing at the end of the second quarter of 2013, per 1,000 URLs in each country/region

We get this data from Bing. Search engines such as Bing have taken a number of measures to help protect users from drive-by download attacks. Bing analyzes websites for exploits as it indexes them and displays warning messages when listings for drive-by download pages appear in the list of search results, as seen in Figure 3.

Figure 3: A drive-by download warning from Bing

From time to time I get asked by customers whether attackers target or use specific web server platforms more than others to host drive-by download attacks. It turns out that some web server software platforms are more likely to host drive-by download sites than others because of a number of factors, such as the prevalence of exploit kits targeting specific platforms. Figure 4 shows the relative prevalence of drive-by download sites on different web server platforms.

Figure 4: Drive-by download hosts per 1,000 registered domains at the end of the first half of 2013, by web server platform, as published in the Microsoft Security Intelligence Report volume 15

The data in Figure 4 is normalized. This means for each server platform, it shows the number of registered domains hosting drive-by download sites on the platform for every 1,000 registered domains running that platform. “Registered domains” are either second-level or third-level domains, depending on the rules of the TLD (for example, microsoft.com or microsoft.co.uk). If a registered domain has any subdomains, such as www, they are all considered together.
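The normalization described above, as an added example that is not part of the original post or the report's own pipeline: URLs are collapsed to registered domains (subdomains such as www counted together, with the registered domain being the second or third level depending on the TLD), and each platform's rate is then expressed per 1,000 registered domains running it. The suffix table, domain inventory and flagged URLs are constructed sample data.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed rule table (assumption): after these public suffixes the registered
# domain is the next label. A real pipeline would use the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "org.uk"}

def registered_domain(url):
    """Collapse a URL to its registered domain so that www.example.com and
    blog.example.com are counted once, as the report's method requires."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    for n in (2, 1):  # try the longer (two-label) suffix first, e.g. co.uk
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host

def drive_by_rate_per_1000(domain_platforms, drive_by_urls):
    """domain_platforms: {registered domain: web server platform}.
    drive_by_urls: URLs flagged as drive-by download pages.
    Returns {platform: flagged registered domains per 1,000 on that platform}."""
    total = defaultdict(int)
    for platform in domain_platforms.values():
        total[platform] += 1
    flagged = defaultdict(set)  # distinct domains, so many URLs on one site count once
    for url in drive_by_urls:
        dom = registered_domain(url)
        platform = domain_platforms.get(dom)
        if platform is not None:  # ignore domains outside the inventory
            flagged[platform].add(dom)
    return {p: round(1000 * len(flagged[p]) / total[p], 1) for p in total}

# Constructed sample inventory and detections (not real report data).
SAMPLE_DOMAINS = {
    "example.com": "Apache", "news.co.uk": "Apache", "s3.com": "Apache",
    "s4.com": "Apache", "s5.com": "Apache",
    "a.org": "nginx", "b.org": "nginx", "c.org": "nginx", "d.org": "nginx",
    "x.net": "IIS", "y.net": "IIS",
}
SAMPLE_DRIVE_BY_URLS = [
    "http://www.example.com/index.html",
    "http://blog.example.com/post/1",   # same registered domain as above
    "http://cdn.news.co.uk/page.html",  # third-level registered domain
    "http://a.org/",
    "http://x.net/landing",
]

if __name__ == "__main__":
    print(drive_by_rate_per_1000(SAMPLE_DOMAINS, SAMPLE_DRIVE_BY_URLS))
```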

During the first half of 2013, websites that run the open-source Apache HTTP Server displayed the highest rate of drive-by download incidence, with 6.4 registered domains hosting drive-by download sites per 1,000 registered domains running Apache web servers. The prevalence of drive-by download sites on the Apache platform might be related to the spread of the so-called “Darkleech” exploit kit, discovered in April 2013, which targets the Apache HTTP Server. “Darkleech” attacks add malicious inline frames to webpages hosted on compromised Apache web servers.

The open-source Nginx web server displayed the second highest rate of drive-by download incidence (4.8 per 1,000 registered domains), followed by Microsoft Internet Information Services (IIS) for Windows Server (3.9 per 1,000 registered domains). All other web server platforms, each of which was used by less than 1 percent of registered domains worldwide, collectively displayed a drive-by download incidence rate of 3.5 per 1,000 registered domains.

The Call to Action

The aforementioned article contains detailed advice for developers and IT professionals on how to help manage the risk related to drive-by download attacks: What You Should Know About Drive-By Download Attacks – Part 2.

Administrators of web servers also need to take precautions to ensure that the web servers in their care are not compromised and used to host drive-by download attacks. Preventing web servers from being compromised and detecting compromise are key steps. Some of the mitigations that will help do this include:

  • Web servers can be compromised if they are not kept updated with the latest security updates. Keep the operating system(s), as well as all the software installed on these web servers, up to date, regardless of what platform you are using.
  • Where relevant, understanding SQL injection attacks and protecting your systems against them is also important, as this is a common way that servers get compromised. You can get more information on how to do this using these SDL Quick Security Reference Guides.
  • Avoid browsing the Internet from web servers or using them to open email and email attachments. This will help reduce the risk of the web server itself being exposed to a drive-by download attack, phishing, malicious attachments, etc.
  • Register your site with Bing webmaster tools at http://bing.com/webmaster, so that Bing can proactively inform you if it detects something bad on your site.
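Detecting compromise is the other half of the advice above, and the "Darkleech" description earlier in the post (malicious inline frames added to pages on compromised servers) suggests one concrete check an administrator can run over the HTML their server actually serves. The following is an added example, not code from the original post or from Microsoft: it flags iframes that point off-site without being allowlisted, or that are hidden or near-zero size. The page content, site host and allowlist are constructed sample values.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a page."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser already lowercases tag names
            self.iframes.append({k: (v or "") for k, v in attrs})

def _tiny(value):
    """True for a width/height of 2 pixels or less (e.g. "1", "0px")."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 2

def suspicious_iframes(html, site_host, allowed_hosts=()):
    """Return (src, reasons) for iframes that point off-site without being
    allowlisted, or that are hidden or tiny: the shape an injected frame takes."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for frame in parser.iframes:
        src = frame.get("src", "")
        src_host = (urlsplit(src).hostname or site_host).lower()  # relative src = same site
        style = frame.get("style", "").replace(" ", "").lower()
        reasons = []
        if src_host != site_host and src_host not in allowed_hosts:
            reasons.append("off-site src " + src_host)
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if _tiny(frame.get("width", "")) or _tiny(frame.get("height", "")):
            reasons.append("tiny dimensions")
        if reasons:
            findings.append((src, reasons))
    return findings

# Constructed page: one allowlisted embed, one relative frame, one injected frame.
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="/help.html" width="300" height="200"></iframe>
<iframe src="http://bad.example.invalid/x.php" width="1" height="1"
        style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in suspicious_iframes(SAMPLE_HTML, "www.example.com", ("www.youtube.com",)):
        print(src, why)
```

Run it against pages fetched from the server itself and compare with the deployed source files; a frame that exists only in the served output is the kind of change worth investigating.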

The list above is not exhaustive, but it will get you heading in the right direction. This recent article written by the CSS Security Team also provides some useful broader context on the anatomy of an attack: Enterprise Threat Encounters: Scenarios and Recommendations – Part 1.

Tim Rains
Director
Trustworthy Computing
