Mitigating Drive-By Download Attacks: Challenges and Open Problems

  • Manuel Egele
  • Engin Kirda
  • Christopher Kruegel
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 309)


Malicious web sites perform drive-by download attacks to infect their visitors with malware. Current protection approaches rely on black- or white-listing techniques that are difficult to keep up-to-date. As todays drive-by attacks already employ encryption to evade network level detection we propose a series of techniques that can be implemented in web browsers to protect the user from such threats. In addition, we discuss challenges and open problems that these mechanisms face in order to be effective and efficient.


Drive-by download attacks browser security malware 


  1. 1.
    Flash player update available to address security vulnerabilities,
  2. 2.
    Barwinski, M., Irvine, C., Levin, T.: Empirical study of drive-by-download spyware (2006),
  3. 3.
    Superbuddy activex control vulnerability (2006),
  4. 4.
    Buffer overflow in apple quicktime 7.1.3 (2007),
  5. 5.
    Dan Goodin (The Register). SQL injection taints (2008), (Last accessed, December 2008)
  6. 6.
    Daniel, M., Honoroff, J., Miller, C.: Engineering Heap Overflow Exploits with JavaScript. In: 2nd USENIX Workshop on Offensive Technologies, WOOT 2008 (2008)Google Scholar
  7. 7.
    Egele, M., Kirda, E., Kruegel, C.: Defending browsers against drive-by downloads: Mitigating heap-spraying code injection attacks. In: Detection of Intrusions and Malware, and Vulnerability Assessment, 6th International Conference, DIMVA 2009 (to appear, 2009)Google Scholar
  8. 8.
    Egele, M., Kruegel, C., Kirda, E., Yin, H., Song, D.X.: Dynamic spyware analysis. In: USENIX Annual Technical Conference, pp. 233–246 (2007)Google Scholar
  9. 9.
    Egele, M., Szydlowski, M., Kirda, E., Kruegel, C.: Using static program analysis to aid intrusion detection. In: Büschkes, R., Laskov, P. (eds.) DIMVA 2006. LNCS, vol. 4064, pp. 17–36. Springer, Heidelberg (2006)Google Scholar
  10. 10.
    Frei, S., Dübendorfer, T., Ollmann, G., May, M.: Understanding the web browser threat. Technical Report 288, ETH Zurich (June 2008)Google Scholar
  11. 11.
    Leyden, J.: Drive-by download attack compromises 500k websites (2009), (Last accessed, February 2009)
  12. 12.
    Kirda, E., Kruegel, C., Banks, G., Vigna, G., Kemmerer, R.A.: Behavior-based spyware detection. In: USENIX Security (2006)Google Scholar
  13. 13.
    Exploit Prevention Labs: LinkScanner,
  14. 14.
    Microsoft Office Snapshot Viewer ActiveX vulnerability (2008), (Last accessed, March 2009)
  15. 15.
    Microsoft Corporation. Microsoft Security Bulletin MS06-014 - Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution (2006), (Last accessed, December 2008)
  16. 16.
    Moshchuk, A., Bragin, T., Gribble, S.D., Levy, H.M.: A crawler-based study of spyware in the web. In: Proceedings of the Network and Distributed System Security Symposium, NDSS 2006, San Diego, California, USA (2006)Google Scholar
  17. 17.
    Paxson, V.: Bro: A System for Detecting Network Intruders in Real-Time. Computer Networks 31 (1999)Google Scholar
  18. 18.
    Polychronakis, M., Anagnostakis, K.G., Markatos, E.P.: Emulation-based detection of non-self-contained polymorphic shellcode. In: Recent Advances in Intrusion Detection, 10th International Symposium (RAID), pp. 87–106 (2007)Google Scholar
  19. 19.
    Polychronakis, M., Provos, N.: Ghost turns zombie: Exploring the life cycle of web-based malware. In: First USENIX Workshop on Large-Scale Exploits and Emergent Threats (2008)Google Scholar
  20. 20.
    Provos, N., Mavrommatis, P., Rajab, M.A., Monrose, F.: All your iframes point to us. In: USENIX Security Symposium (2008)Google Scholar
  21. 21.
    Provos, N., McNamee, D., Mavrommatis, P., Wang, K., Modadugu, N.: The Ghost In The Browser Analysis of Web-based Malware. In: First Workshop on Hot Topics in Understanding Botnets, HotBots 2007 (2007)Google Scholar
  22. 22.
    Robertson, W.K., Vigna, G., Krügel, C., Kemmerer, R.A.: Using generalization and characterization techniques in the anomaly-based detection of web attacks. In: Proceedings of the Network and Distributed System Security Symposium, NDSS 2006, San Diego, California, USA (2006)Google Scholar
  23. 23.
    Roesch, M.: Snort - Lightweight Intrusion Detection for Networks. In: 13th Systems Administration Conference, LISA (1999)Google Scholar
  24. 24.
    Sina dloader class activex control ’donwloadandinstall’ method arbitrary file download vulnerability,
  25. 25.
    Sotirov, A.: Heap Feng Shui in JavaScript (2008), (Last accessed, November 2008)
  26. 26.
    Wang, Y.-M., Beck, D., Jiang, X., Roussev, R., Verbowski, C., Chen, S., King, S.T.: Automated web patrol with strider honeymonkeys: Finding web sites that exploit browser vulnerabilities. In: NDSS (2006)Google Scholar
  27. 27.
    Willems, C., Holz, T., Freiling, F.: Toward automated dynamic malware analysis using cwsandbox. IEEE Security and Privacy 5(2), 32–39 (2007)CrossRefGoogle Scholar
  28. 28.
    Yin, H., Song, D.X., Egele, M., Kruegel, C., Kirda, E.: Panorama: capturing system-wide information flow for malware detection and analysis. In: ACM Conference on Computer and Communications Security, pp. 116–127 (2007)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2009

Authors and Affiliations

  • Manuel Egele
    • 1
  • Engin Kirda
    • 2
  • Christopher Kruegel
    • 3
  1. 1.Secure Systems LabTechnical University ViennaAustria
  2. 2.Institute EurecomFrance
  3. 3.University of CaliforniaSanta BarbaraUSA

Personalised recommendations