0

Today malware is mainly spread thanks to vulnerabilities exploited in browsers and their plugins. The attackers use JavaScript to target those vulnerabilities. Two examples of such attacks are drive-by download and buffer and stack overflow attacks. What is the difference between these 2 attacks ? They seem to be similar to me according to what I read by now.

  • 3
    Javascript might be part of some exploits which allow a drive-by download, but it is far from the only one. In fact, the most common attack vectors are browser plugins like Java or Flash. – Philipp Aug 14 '14 at 14:48
  • 2
    @Philipp thank you for the comment. Are add-ons also vectors of such attacks ? –  Aug 14 '14 at 14:51
  • 1
    Yes. There were various cases in the past of browser add-ons with vulnerabilities. The add-on installation system itself can also be a vulnerability. I have seen websites which try to trick the user into clicking OK for the installation of an addon which was actually malware. – Philipp Aug 14 '14 at 15:07
  • "stack overflow attacks" caught my attention. – Alfredo Osorio Aug 14 '14 at 21:18
  • What research have you done? Wikipedia has articles on these subjects: https://en.wikipedia.org/wiki/Drive-by_download and https://en.wikipedia.org/wiki/Buffer_overflow. You might start by reading them, and by searching on this site (see, e.g., http://security.stackexchange.com/q/64286/971 and [tag:drive-by-download] and [tag:buffer-overflow]). If your question is answered by Wikipedia, by other questions on this site, or by standard sources of information on security, you probably haven't done enough research before asking. – D.W. Aug 14 '14 at 21:46

3 Answers3

4

"Drive-by-download" refers to the behaviour of the malware: it will (attempt to) infect the user during normal interaction with a web page.

Buffer and stack overflow, on the other hand, are two technics used to attack a vulnerable application. They are not limited to the web in any way. (any software that takes some form of input - i.e. all software - is potentially vulnerable).

So a malware might spread through drive-by-download by leveraging a stack overflow in a vulnerable component.

Stephane
  • 18,557
  • 3
  • 61
  • 70
1

A drive-by-download isn't an attack. It just means that the malware will be automatically downloaded and executed without the user doing anything (I.E. You only have to visit a site for you to be infected). It may well be delivered via a JS exploit.

This differentiates it from user-initiated malware, where a website will trick you into downloading and running something (say, a fake antivirus).

Chris Murray
  • 1,275
  • 11
  • 17
0

(1) Drive-By-Download Attack

A 'drive-by-download' attack is a malware delivery technique that is triggered simply because the user visited a website. A drive-by download Malware will usually take advantage of (or “exploit”) a browser, app, or operating system that is out of date and has a security flaw.

http://blogs.sophos.com/2014/03/26/how-malware-works-anatomy-of-a-drive-by-download-web-attack-infographic/

You might receive a link in an email, text message, or social media post that tells you to look at something interesting on a site. When you open the page, while you are enjoying the article or cartoon, the download is installing on your computer.

http://blogs.mcafee.com/consumer/drive-by-download

(2) Stack Buffer Overflow Attack

The Stack Buffer Overflow attack results from input that is longer than the implement or intended.

http://www.cse.scu.edu/~tschwarz/coen152_05/Lectures/BufferOverflow.html

There are three common varieties of buffer overflow attacks: stack attacks, format string attacks, and heap attacks . Each attack is similar but affects a different part of a computer's memory .

(a) Stack Attacks

The perpetrator adds more data than expected to the stack, overwriting data that the programmer thought would never be in any danger of being replaced.

(b) Format String Attacks

Involves a much smaller change than the stack buffer overflow .Format string attacks usually add a single address in memory that points to another address in memory where the attacker has added new instructions to execute

(c) Heap Attacks

The heap attack does not involve the stack at all .Pages in the heap can be read from and written to, and attackers take advantage of this by writing attack instructions into the pages in the heap, then tricking the computer into following these instructions .

http://www.watchguard.com/infocenter/editorial/135136.asp

  • Probably worth explicitly noting that the two are not mutually exclusive - one's a vector, the other a technique. – Bobson Aug 14 '14 at 20:37