Dec 22, 2008

Exploits vs Drive-by Downloads

What's a "drive-by download" anyways? Recent discussions and the flurry of media articles about the recent Microsoft Internet Explorer vulnerability have given rise to some discussion. So, we at NSS Labs decided to provide this clarification of exploits vs drive-by downloads in response to some research and discussions we've had with a number of end-users and vendors. Our recent research into the Internet Explorer exploits revealed that some vendors and enterprises were not 'framing' the problem properly.

The "drive-by download" is the result of a successful exploit. It is worth noting that the exploit could have executed any arbitrary code, including returning a shell prompt, deleting or encrypting files, etc. But, more likely than not these days, the perpetrator prefers to go unnoticed so they can continue to leverage the newest memeber of their botnet in their quest for world domination. So, more frequently we see keyloggers, trojans, and other 'quiet' culprits. Come to think of it, drive-bys are usually pretty noisy with all the shooting and screeching of tires and such.

So, when vendors and end-users talk about the "download" it can unduly shift the focus towards the result and away from the cause. There are very few exploits compared to hundreds of thousands of pieces of malware. And the exploits are easier to detect - if you are looking in the right place... Network IPS and Host IPS (which can be part of an endpoint protection product) are two great solutions.

Exploits vs Drive-by Downloads.