[AI] Malware now takes the HTTP route...

Sudhir R (NeSTIT) sudhir.r at nestgroup.net
Wed Apr 2 02:07:08 EDT 2008


rediff.com

April 01, 2008 08:56 IST

The amount of new malware has never been higher, says F-Secure, a global provider of anti-virus and intrusion prevention solutions.

F-Secure said on Monday that its labs are receiving an average of 25,000 malware samples every day, seven days a week. 'If this trend continues, the total
number of viruses and Trojans will pass the one million mark by the end of 2008. While there are more viruses being created than ever before, people often
actually report seeing less of them,' F-Secure said.

One reason behind this illusion is that malware authors are once again changing their tactics in how to infect our computers. A year or two ago, most malware
was spread via e-mail attachments, which resulted in mass outbreaks like Bagle, Mydoom and Warezov. Nowadays sending .EXE attachments in e-mail doesn't
work so well for the criminals because almost every company and organisation is filtering out such risky attachments from their e-mail traffic.

The criminals' new preferred way of spreading malware is by drive-by downloads on the Web. These attacks often still start with an e-mail spam run but the
attachment in the e-mail has been replaced by a web link, which takes you to the malicious web site. So instead of getting infected over SMTP, you get
infected over HTTP.

Drive-by downloads

Infection by a drive-by download can happen automatically just by visiting a Web site, unless you have a fully patched operating system, browser and browser
plug-ins. Unfortunately, most people have some vulnerabilities in their systems. Infection can also take place when you are fooled into manually clicking
on a download and running a program from the web page that contains the malware.

There are several methods criminals use to gather traffic to these Web sites. A common approach is to launch an e-mail spam campaign containing messages
that tempt people to click on a link. Messages like 'There is a video of you on YouTube,' or 'You have received a greeting card,' or 'Thank you for your
order' have been popular baits.

Another method used by criminals is to create many web pages with thousands of different keywords which are indexed by Google, and then simply wait for
people to visit these sites.

So when you do a search for something innocuous like 'knitting mittens' (as a random example), and click on a search result that looks just like all the
others, you are actually getting your computer infected.

Typically, an infection by an automatic exploit happens without you realizing it or seeing anything strange on the computer screen.

The third method of distributing malware involves the criminals hacking into existing high profile, high traffic web sites.

Unlike the joke defacements that some hackers played on the front pages of prominent web sites in the past, today's criminal hackers don't change the front
page at all. They simply insert a line of javascript on the front page which uses an exploit to infect your machine when you go there. Everything works
and looks as normal.

This has happened to the Web sites of some popular magazines which can have a million users every single day. People trust sites that are part of their
daily routine, and they couldn't suspect that anything bad could happen when they go there.

Another vector for drive-by downloads is infiltrated ad networks. 'We are seeing more and more advertising displayed on high-profile Web sites. By infiltrating
the ad networks, the criminals don't have to hack a site but their exploit code will still be shown to millions of users, often without the knowledge of
the webmaster of those sites. Examples of where this has happened include TV4.se, Expedia, NHL, and MLB,' F-Secure said.

It is important to be aware of this shift from SMTP to HTTP infections, which can be exploited by the criminals in many ways. Companies often measure their
risk of getting infected by looking at the amount of stopped attachments at their e-mail gateway. Those numbers are definitely going down, but the actual
risk of getting infected probably is not, the anti-virus firm said.

Individuals and companies should therefore be scanning their Web traffic for malware -- as well as filtering their FTP traffic. In parallel to the switch
from SMTP to HTTP as a way of spreading malware, we are now also seeing more and more malicious e-mails that link to malware via FTP links.




More information about the AccessIndia mailing list