What is a driveby download?

If you fall victim to malware, you might hear that the vector for infection is a “driveby download.” What is a driveby download, and how does it happen?

A driveby download is when you inadvertently or mistakenly download software. It may or may not actually execute, and it may or may not leave a persistent installation behind after executing. Whether it does either or both can depend on the permissions of the user account you are logged in with, and on the presence of software vulnerabilities. Driveby downloads may take advantage of vulnerabilities in your operating system or installed applications to perform a privilege escalation attack, gaining greater control over your computer than your current user account is actually permitted.

The most common way to fall victim to a driveby download is to visit an otherwise-innocent website that has been compromised by an attacker. As with privilege escalation, there are many ways an attacker may do this, but the common feature is generally some JavaScript in the page that causes your browser to redirect to another website, often without you being aware that it has happened. JavaScript is not the only delivery method; some attackers may also, or instead, use Java applets or ActiveX controls to deliver the software.
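As an added example (not from the original article), here is a small Python check a defender might run over a saved copy of a web page to spot the script-driven off-site redirects described above. The HTML sample, hostnames and patterns are constructed for illustration; the regexes are heuristics for the common redirect mechanisms (script navigation, hidden iframes, meta refresh), not a complete detector.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a page served from example.com into which an
# attacker has inserted a script redirect, a zero-size iframe and a
# meta refresh, all pointing at a host the site owner does not control.
SAMPLE_HTML = """
<html><head><title>Local bakery</title>
<script>window.location.replace("http://evil-redirect.example.net/landing");</script>
<meta http-equiv="refresh" content="0; url=http://evil-redirect.example.net/go">
</head>
<body><h1>Fresh bread daily</h1>
<iframe src="http://evil-redirect.example.net/frame" width="0" height="0"></iframe>
<a href="http://maps.example.org/our-shop">Find us</a>
</body></html>
"""

# Heuristic patterns for the ways a page can move the browser elsewhere.
SCRIPT_REDIRECT = re.compile(
    r"""(?:window\.)?location(?:\.href)?\s*(?:=|\.replace\s*\(|\.assign\s*\()\s*["']([^"']+)["']"""
)
IFRAME_SRC = re.compile(r"""<iframe[^>]*\bsrc=["']([^"']+)["']""", re.IGNORECASE)
META_REFRESH = re.compile(
    r"""<meta[^>]*http-equiv=["']refresh["'][^>]*content=["'][^;"']*;\s*url=([^"']+)["']""",
    re.IGNORECASE,
)


def find_offsite_redirects(html: str, page_host: str) -> list[tuple[str, str]]:
    """Return (kind, url) for every script redirect, iframe or meta refresh
    whose destination host differs from the host that served the page.
    Relative URLs (no host) stay on the same site and are not reported.
    Ordinary links are deliberately ignored: they need a user click."""
    findings = []
    for kind, pattern in (
        ("script-redirect", SCRIPT_REDIRECT),
        ("iframe", IFRAME_SRC),
        ("meta-refresh", META_REFRESH),
    ):
        for url in pattern.findall(html):
            host = urlparse(url).hostname
            if host and host != page_host:
                findings.append((kind, url))
    return findings


if __name__ == "__main__":
    for kind, url in find_offsite_redirects(SAMPLE_HTML, "example.com"):
        print(f"{kind}: {url}")
```

In practice you would run this over pages fetched by a crawler or captured by a proxy and compare the reported hosts against a list of third parties the site legitimately uses.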

Even if a driveby does not permanently install software, it can still cause damage. It may execute in memory only and be used to send spam, conduct network scanning, or perform any other activity that a normal user of the system could. Some malware might, for example, connect to all your network drives, enumerate the files you can see while logged in, evaluate them for confidential or personal information of a certain sort, and deliver those files back to the attacker.