Softpedia
 


December 3rd, 2010, 17:54 GMT · By

Drive-By Download Attacks Were the Biggest Online Threat Last Month


Drive-by download components dominate the top malware statistics for November
Exploits and other malicious scripts associated with drive-by download attacks dominated the threat landscape last month and accounted for most entries in Kaspersky Lab’s top 20 malware applications.

Drive-by download attacks have multiple components. They usually start with cyber criminals exploiting a Web vulnerability to compromise a legitimate website.

Then they inject a rogue iframe or script element into its pages, which calls a redirect script from an external domain.

This script redirects requests to a script downloader, which checks if vulnerable software is installed on the computer and serves the appropriate exploit.

Exploitation happens transparently to the user and results in malicious executable files being downloaded and opened on the target system.
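For a site owner, the first link in this chain is the one that can be checked directly: an iframe or script element that loads from a domain the site never intended to reference. The following is an added example, not code from the article or from Kaspersky Lab; the allowlist approach, the hidden-frame heuristic and all `.example` host names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class InjectedElementAuditor(HTMLParser):
    """Collects <iframe>/<script> elements that load from hosts outside an allowlist."""

    def __init__(self, site_host, allowed_hosts=()):
        super().__init__()
        self.trusted = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        attr = dict(attrs)
        src = (attr.get("src") or "").strip()
        if not src:
            return  # inline script or empty frame: no external fetch to check
        host = (urlparse(src).hostname or "").lower()
        # Relative URLs have no host and stay on the site itself.
        if not host or host in self.trusted:
            return
        # Assumed heuristic: injected frames are often sized or styled to be invisible.
        style = (attr.get("style") or "").replace(" ", "").lower()
        hidden = (attr.get("width") in ("0", "1") or attr.get("height") in ("0", "1")
                  or "display:none" in style or "visibility:hidden" in style)
        self.findings.append({"tag": tag, "host": host, "hidden": hidden,
                              "line": self.getpos()[0]})

def audit_page(html, site_host, allowed_hosts=()):
    """Return one finding per iframe/script whose src host is not trusted."""
    auditor = InjectedElementAuditor(site_host, allowed_hosts)
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page; every host is a reserved .example name.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.partner.example/lib.js"></script>
</head><body>
<p>Welcome</p>
<iframe src="http://redirect.unknown.example/in.php" width="1" height="1"></iframe>
<script src="//stats.unknown.example/r.js"></script>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_PAGE, "www.shop.example", ["cdn.partner.example"]):
        print(finding)
```

Run against stored copies of a site's pages, a new untrusted host in the findings is a prompt to compare the page with its last known-good version.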

“The Top 20 malicious programs detected on the Internet in November included a total of nine exploits, three redirects and one script downloader that were used for carrying out drive-by downloads,” notes Vyacheslav Zakorzhevsky, a researcher at Kaspersky Lab.

The script downloader, detected as Trojan-Downloader.JS.Agent.frs, installs Backdoor.Win32.Shiz and Backdoor.Win32.Blakken through Java and PDF exploits.

Java downloaders are another type of drive-by download malware whose numbers have spiked during the last two months.

Unlike script downloaders, they don’t use exploits to deliver the final payload, but rely on the Java OpenConnection method instead.

Trojan-Downloader.Java.OpenConnection.bu was actually the most prominent malware threat in November, according to Kaspersky’s statistics.

It was followed by the previously mentioned Trojan-Downloader.JS.Agent.frs and Exploit.Java.CVE-2010-0886.a.

As also reported by other vendors, Java-based exploits are very successful at infecting users. They have mostly replaced PDF-based exploits, which have registered a constant decline for many months now.

As far as local malware goes, Conficker maintained its dominant position, while file-infecting viruses like Virut and Sality have appeared with multiple variants in the top ten.


