Posted by Virus Bulletin on Mar 31, 2008
HTTP and FTP take over from SMTP as common malware spreading methods.
A report from F-Secure has highlighted the recent shift in malware spreading methods from email to web-based methods.
For many years, malware authors' preferred method of spreading their wares was to send out masses of emails that contained a piece of malware as an attachment. A suggestion in the body of the email that the attached file would somehow be of interest to the recipient then led to millions of naive users installing trojans such as Bagle and Mydoom onto their systems.
But better awareness among users, many of whom now know not to open email attachments unless they are sure of the contents, combined with the fact that many organisations now block all email containing .exe attachments, has forced malware writers to find new ways to spread their 'products'. The new preferred method seems to be the web.
There are several ways of getting malware to install itself on users' computers through the web, F-Secure reports. One way is to lure users into visiting a malicious web link sent in a spam message, while another is to create dummy websites containing many keywords and then wait for users to click links to these sites when they occur in search engine results.
An even more stealthy way of infecting users through drive-by downloads is to hack into popular legitimate websites and include a small iframe or piece of JavaScript code that uses vulnerabilities in the browser and operating system to install malware on users' computers. Recently we reported on a mass iframe injection that affected many popular websites, including that of at least one anti-virus vendor. Practising common sense here isn't sufficient to stay safe: the only way users can defend themselves against such attacks is by making sure their anti-virus software is up to date and their system is properly patched.
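As an added illustration (not part of the F-Secure report or this article), here is a defender-side check for the injected-iframe pattern described above: a small Python audit that flags iframes on a site's own pages that point off-site, are sized 1x1, or are hidden with CSS. The host name `example.org`, the sample page and the IP address in it are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "example.org"  # assumption: the host whose own pages are being audited

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _px(value):
    """Parse a width/height attribute such as '1' or '1px'; unknown -> very large."""
    m = re.match(r"\s*(\d+)", str(value))
    return int(m.group(1)) if m else 10 ** 9


class IframeAuditor(HTMLParser):
    """Collect every <iframe> and record why it looks like an injection."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        reasons = []
        src = a.get("src") or ""
        host = urlparse(src).hostname
        # Frames loading content from a host other than our own site
        if host and host != self.site_host and not host.endswith("." + self.site_host):
            reasons.append("off-site src %s" % host)
        # 1x1 (or 0x0) frames are invisible to the visitor
        w, h = a.get("width") or "", a.get("height") or ""
        if w and h and _px(w) <= 1 and _px(h) <= 1:
            reasons.append("tiny frame %sx%s" % (w, h))
        # Frames hidden outright via inline CSS
        if HIDDEN_STYLE.search(a.get("style") or ""):
            reasons.append("hidden via CSS")
        if reasons:
            self.findings.append((src, reasons))


def audit_html(html, site_host=SITE_HOST):
    """Return the suspicious iframes found in an HTML document."""
    parser = IframeAuditor(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one legitimate same-site frame, one injected frame.
SAMPLE_PAGE = """<html><body><h1>Welcome</h1>
<iframe src="https://example.org/widgets/news" width="300" height="200"></iframe>
<iframe src="http://203.0.113.7/in.cgi" width="1" height="1" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in audit_html(SAMPLE_PAGE):
        print(src, "->", ", ".join(reasons))
```

Run it against pages fetched from your own site on a schedule and alert on any new finding; a legitimate frame will rarely be both off-site and hidden.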
"It is important to be aware of this shift from SMTP to HTTP infections, which can be exploited by the criminals in many ways," F-Secure writes. "Companies often measure their risk of getting infected by looking at the amount of stopped attachments at their email gateway. Those numbers are definitely going down, but the actual risk of getting infected probably isn't."
The report concludes by warning that the number of emails containing links to malware served over FTP is growing, and urges individuals and companies to filter not only HTTP traffic but FTP traffic as well.