From Simple Mail to Hypertext

Posted by Virus Bulletin on Mar 31, 2008

HTTP and FTP take over from SMTP as common malware spreading methods.

A report from F-Secure has highlighted the recent shift in malware spreading methods from email to web-based methods.

For many years, malware authors' preferred method of spreading their wares was to send out masses of emails that carried a piece of malware as an attachment. A suggestion in the body of the email that the attached file would somehow be of interest to the recipient then led to millions of naive users running mass-mailing worms such as Bagle and Mydoom on their systems.

But better awareness among users, many of whom now know not to open email attachments unless they are sure of the contents, combined with the fact that many organisations now block all email containing .exe attachments, has forced malware writers to find new ways to spread their 'products'. The new preferred method seems to be the web.

There are several ways of getting malware to install itself on users' computers through the web, F-Secure reports. One way is to lure users into visiting a malicious web link sent in a spam message; another is to create dummy websites stuffed with popular keywords and then wait for users to click links to these sites when they turn up in search engine results.

An even more stealthy way of infecting users, known as a drive-by download, is to compromise popular legitimate websites and insert a small iframe or piece of JavaScript code that uses vulnerabilities in the browser or operating system to install malware on visitors' computers without any interaction on their part. Recently we reported on a mass iframe-injection that affected many popular websites, including that of at least one anti-virus vendor. Practising common sense isn't sufficient to stay safe here, since the site being visited is one the user trusts; the only way users can defend themselves against such attacks is by making sure their anti-virus software is up to date and their browser and operating system are properly patched.
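To make the injection pattern above concrete, here is a heuristic scanner of the kind a site owner or gateway could run over fetched HTML to spot the injected content that the 2008 campaigns used: tiny or CSS-hidden iframes pointing at a third-party host, and inline scripts that build such an iframe with document.write(unescape(...)). This is an added example written for this page, not code from Virus Bulletin or F-Secure; the sample page and the host names in it (www.example.org, bad.example) are constructed placeholders.

```python
"""Heuristic scan of fetched HTML for injected drive-by iframes and
obfuscated document.write() loaders.

Added example, not Virus Bulletin or F-Secure code. SAMPLE_PAGE is a
constructed page; the host names in it are placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse


def _px(value):
    """Parse a size attribute such as '1' or '0px' into an int; None if it
    is absent or not a plain pixel count (e.g. '100%')."""
    if value is None:
        return None
    m = re.match(r"^\s*(\d+)\s*(px)?\s*$", value)
    return int(m.group(1)) if m else None


class _Collector(HTMLParser):
    """Collect every <iframe> attribute set and every inline <script> body."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.scripts = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))
        elif tag == "script":
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.scripts.append("".join(self._buf))


def find_injected_content(html, page_host):
    """Return a list of (kind, detail, reasons) findings for a page served
    from page_host. An iframe is reported when at least one heuristic fires;
    a script is reported when it matches the document.write(unescape(...))
    loader pattern, with the decoded payload as the detail."""
    p = _Collector()
    p.feed(html)
    findings = []

    for attrs in p.iframes:
        reasons = []
        w, h = _px(attrs.get("width")), _px(attrs.get("height"))
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            reasons.append("tiny dimensions")
        style = (attrs.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        src = attrs.get("src") or ""
        host = urlparse(src).hostname
        if host and host != page_host:
            reasons.append("third-party src")
        if reasons:
            findings.append(("iframe", src, reasons))

    for body in p.scripts:
        m = re.search(r"""document\.write\(\s*unescape\(\s*(['"])(.*?)\1""", body, re.S)
        if m:
            # Decode the %XX-escaped payload to show what would be written.
            findings.append(("script", unquote(m.group(2)),
                             ["document.write(unescape(...)) loader"]))
    return findings


# Constructed sample: one legitimate same-origin ad frame, one injected
# 1x1 hidden frame, and one obfuscated loader script.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.org/partner" width="300" height="250"></iframe>
<iframe src="http://bad.example/in.cgi" width="1" height="1" style="display:none"></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//bad.example/x%22%3E'));</script>
</body></html>"""


if __name__ == "__main__":
    for kind, detail, reasons in find_injected_content(SAMPLE_PAGE, "www.example.org"):
        print(kind, detail, ", ".join(reasons))
```

The same-origin 300x250 frame is deliberately not reported, since the heuristics only fire on size, CSS hiding or an off-site src; in practice a checker like this belongs in a site's content-integrity monitoring, and the per-host allowlist should be tuned to the site's own embedded partners.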

"It is important to be aware of this shift from SMTP to HTTP infections, which can be exploited by the criminals in many ways," F-Secure writes. "Companies often measure their risk of getting infected by looking at the amount of stopped attachments at their email gateway. Those numbers are definitely going down, but the actual risk of getting infected probably isn't."

The report concludes by warning that the number of emails containing links to malware hosted on FTP servers is growing, and urges individuals and companies to filter FTP traffic as well as HTTP.



