From Simple Mail to Hypertext

Posted by   Virus Bulletin on   Mar 31, 2008

HTTP and FTP take over from SMTP as common malware spreading methods.

A report from F-Secure has highlighted the recent shift in malware spreading methods from email to web-based methods.

For many years, malware authors' preferred method of spreading their wares was to send out masses of emails that contained a piece of malware as an attachment. A suggestion in the body of the email that the attached file would somehow be of interest to the recipient then led to millions of naive users installing trojans such as Bagle and Mydoom onto their systems.

But better awareness among users, many of whom now know not to open email attachments unless they are sure of the contents, combined with the fact that many organisations now block all email containing .exe attachments, has forced malware writers to find new ways to spread their 'products'. The new preferred method seems to be the web.

There are several ways of getting malware to install itself on users' computers through the web, F-Secure reports. One way is to lure users into visiting a malicious web link sent in a spam message, while another is to create dummy websites containing many keywords and then wait for users to click links to these sites when they occur in search engine results.

An even more stealthy way of infecting users through drive-by downloads is to hack into popular legitimate websites and include a small iframe or piece of JavaScript code that uses vulnerabilities in the browser and operating systems to install malware on users' computers. Recently we reported on a mass iframe-injection that affected many popular websites, including that of at least one anti-virus vendor. Practising common sense here isn't sufficient to stay safe and the only way users can defend themselves against such attacks is by making sure their anti-virus software is up to date and their system is properly patched.

"It is important to be aware of this shift from SMTP to HTTP infections, which can be exploited by the criminals in many ways," F-Secure writes. "Companies often measure their risk of getting infected by looking at the amount of stopped attachments at their email gateway. Those numbers are definitely going down, but the actual risk of getting infected probably isn't."

The report concludes by warning that the number of emails that contain links to malware-serving FTP links is growing and urges individuals and companies to filter not only HTTP traffic but FTP traffic as well.

Posted on 31 March 2008 by Virus Bulletin



Latest posts:

VBSpam tests to be executed under the AMTSO framework

VB is excited to announce that, starting from the Q3 test, all VBSpam tests of email security products will be executed under the AMTSO framework.

In memoriam: Prof. Ross Anderson

We were very sorry to learn of the passing of Professor Ross Anderson a few days ago.

In memoriam: Dr Alan Solomon

We were very sorry to learn of the passing of industry pioneer Dr Alan Solomon earlier this week.

New paper: Nexus Android banking botnet – compromising C&C panels and dissecting mobile AppInjects

In a new paper, researchers Aditya K Sood and Rohit Bansal provide details of a security vulnerability in the Nexus Android botnet C&C panel that was exploited in order to gather threat intelligence, and present a model of mobile AppInjects.

New paper: Collector-stealer: a Russian origin credential and information extractor

In a new paper, F5 researchers Aditya K Sood and Rohit Chaturvedi present a 360 analysis of Collector-stealer, a Russian-origin credential and information extractor.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.