URL Infection (Silent Java Drive By)
Silent Java drive-by downloads may happen when visiting a site or opening an e-mail message. They may even happen by clicking on a malicious pop-up window, for example by clicking on the window in the belief that it is an error report from the computer’s OS.
In such cases, the user may seem to have “agreed” to the download, but in fact was unaware of having started a malicious software download. In the same way, a person visiting a site with malicious content may fall victim to a drive-by download attack.
Such content may then run malicious code without the user’s knowledge by exploiting weak spots in the browser or its plugins.
A drive-by install is a similar event. To create a drive-by download, an attacker must first set up the malicious content that performs the attack.
The next step is to host the malicious content the attacker wishes to “share”.
One option is for the attacker to host the malicious content on their own server. However, it is rather difficult to direct users to a new page, so a compromised legitimate website may host it instead. A legitimate website may even distribute the attacker’s content unknowingly through a third-party service.
When the client loads the content, the attacker analyzes the client’s trace (its browser fingerprint) in order to craft code that exploits weak spots specific to that client.
Finally, the attacker exploits the necessary weak spots to launch the drive-by download attack.
In general, drive-by downloads use two strategies. The first is exploiting API calls of plugins.
The second is writing shellcode to memory and then exploiting weak spots in the web browser or a plugin to redirect the program’s control flow to the shellcode. Once the shellcode has executed, the attacker can perform further malicious activities. This could be stealing information to send back to the attacker, but most often it means downloading and installing malware.
In addition to the process above, the attacker may also take measures to avoid detection during the attack. One method is obfuscation of the malicious code. Another is to “hide” the malicious code to prevent detection: generally, the attacker encrypts the malicious code into ciphertext and appends the decryption routine after the ciphertext.
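The encrypt-then-decode staging described above leaves a recognisable shape in page source: a long high-entropy string literal followed by a decode or execute call. The heuristic scanner below is an added example for defenders, not code from the original page; the two sample scripts, the 64-character minimum and the 3.5-bit entropy threshold are constructed assumptions.

```python
import math
import re

# Constructed sample scripts for illustration (not taken from the page).
BENIGN_SCRIPT = (
    'var rule = "' + '=' * 80 + '";\n'
    'document.getElementById("hr").textContent = rule;'
)
# A deterministic pseudo-random hex blob standing in for an encrypted stage,
# followed by the decode-then-execute step the text describes.
STAGED_SCRIPT = (
    'var p = "' + ''.join('%02x' % ((i * 97 + 13) % 256) for i in range(120)) + '";\n'
    'function decode(s) { var o = ""; /* per-byte transform omitted */ return o; }\n'
    'eval(decode(p));'
)

# Quoted literals of at least 64 characters without embedded quotes/escapes.
STRING_LITERAL = re.compile(r'"([^"\\]{64,})"|\'([^\'\\]{64,})\'')
# Calls commonly used to turn a decoded string back into running code.
DECODE_OR_EXEC = re.compile(
    r'\b(eval|Function|unescape|atob|String\.fromCharCode|document\.write)\b')


def shannon_entropy(text: str) -> float:
    """Bits per character; random hex tops out near 4.0, base64 near 6.0."""
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_staged_payloads(script: str, min_entropy: float = 3.5) -> list:
    """Flag long high-entropy literals that are followed by a decode/exec call.

    Returns one dict per suspicious literal: its offset, length, entropy and
    the decode/exec identifiers that appear after it in the script.
    """
    findings = []
    for m in STRING_LITERAL.finditer(script):
        literal = m.group(1) or m.group(2)
        entropy = shannon_entropy(literal)
        if entropy < min_entropy:
            continue  # repetitive or natural-language text, not a blob
        decoders = sorted(set(DECODE_OR_EXEC.findall(script[m.end():])))
        if decoders:  # a blob alone is not enough; it must be consumed
            findings.append({"offset": m.start(), "length": len(literal),
                             "entropy": round(entropy, 2), "decoders": decoders})
    return findings
```

Legitimate pages also embed high-entropy literals (base64 images, minified bundles), so treat a hit as a triage signal to be confirmed by sandboxing the page, not as a verdict on its own.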