Apr 1st

Shift happens

Author: Chewy | Files under Uncategorized

A year or two ago, most malware was spread via e-mail attachments, which resulted in mass outbreaks like Bagle, Mydoom and Warezov. Nowadays sending .EXE attachments in e-mail doesn’t work so well for the criminals because almost every company and organization is filtering out such risky attachments from their e-mail traffic.

The criminals’ new preferred way of spreading malware is by drive-by downloads on the Web. These attacks often still start with an e-mail spam run but the attachment in the e-mail has been replaced by a web link, which takes you to the malicious web site. So instead of getting infected over SMTP, you get infected over HTTP.

Infection by a drive-by download can happen automatically just by visiting a web site, unless you have a fully patched operating system, browser and browser plug-ins. Unfortunately, most people have some vulnerabilities in their systems. Infection can also take place when you are fooled into manually clicking on a download and running a program from the web page that contains the malware.

There are several methods criminals use to gather traffic to these websites. A common approach is to launch an e-mail spam campaign containing messages that tempt people to click on a link. Messages like “There is a video of you on YouTube”, or “You have received a greeting card”, or “Thank you for your order” have been popular baits.

Another method used by criminals is to create many web pages with thousands of different keywords which are indexed by Google, and then simply wait for people to visit these sites. So when you do a search for something innocuous like “knitting mittens” (as a random example), and click on a search result that looks just like all the others, you are actually getting your computer infected. Typically, an infection by an automatic exploit happens without you realizing it or seeing anything strange on the computer screen.

The third method of distributing malware involves the criminals hacking into existing high-profile, high-traffic web sites. Unlike the joke defacements that some hackers played on the front pages of prominent web sites in the past, today’s criminal hackers don’t change the front page at all. They simply insert a line of JavaScript on the front page which uses an exploit to infect your machine when you go there. Everything works and looks as normal.

[Image: korea times]

This has happened to the web sites of some popular magazines which can have a million users every single day. People trust sites that are part of their daily routine, and they would not suspect that anything bad could happen when they go there.

Another vector for drive-by downloads is infiltrated ad networks. We are seeing more and more advertising displayed on high-profile websites. By infiltrating the ad networks, the criminals don’t have to hack a site, but their exploit code will still be shown to millions of users, often without the knowledge of the webmaster of those sites.
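To show what a webmaster-side check for the kind of injection described above looks like, here is an added example; it is not code from the post or from F-Secure. It inventories the active content of a page (every `<script>` source or inline body and every `<iframe>` source) and diffs that inventory against a baseline taken when the site was known clean. Both HTML documents and the 203.0.113.x addresses are constructed placeholders.

```python
"""Compare the <script>/<iframe> inventory of a served page against a baseline.

Added example (not the post's or F-Secure's code). Both pages below are
constructed HTML; 203.0.113.0/24 is a documentation range used as a placeholder.
"""
import hashlib
from html.parser import HTMLParser


class ActiveContentCollector(HTMLParser):
    """Record every <script> (src or inline body) and every <iframe src>."""

    def __init__(self):
        super().__init__()
        self.scripts = []   # (src, inline_body) pairs
        self.iframes = []   # src values
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
            self._src = attrs.get("src")
            self._buf = []
        elif tag == "iframe" and attrs.get("src"):
            self.iframes.append(attrs["src"])

    def handle_data(self, data):
        if self._in_script:          # HTMLParser hands script bodies to handle_data
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf).strip()))
            self._in_script = False


def fingerprints(html):
    """Stable identifiers for each active element: external src, or a hash of inline code."""
    parser = ActiveContentCollector()
    parser.feed(html)
    parser.close()
    fps = set()
    for src, body in parser.scripts:
        if src:
            fps.add("script:" + src.strip())
        else:
            fps.add("inline-script:" + hashlib.sha256(body.encode("utf-8")).hexdigest()[:16])
    for src in parser.iframes:
        fps.add("iframe:" + src.strip())
    return fps


def unexpected_active_content(baseline_html, observed_html):
    """Active elements present in the observed page but absent from the baseline."""
    return sorted(fingerprints(observed_html) - fingerprints(baseline_html))


# Constructed "known clean" front page.
BASELINE_PAGE = """<html><head><title>Front page</title>
<script src="/js/site.js"></script>
<script>var pageId = 42;</script>
</head><body><h1>Welcome</h1></body></html>"""

# The same page with one line added just before </body> (constructed tampering).
COMPROMISED_PAGE = BASELINE_PAGE.replace(
    "</body>",
    '<script src="http://203.0.113.5/x.js"></script>'
    '<iframe src="http://203.0.113.5/in.html" width="1" height="1"></iframe></body>',
)

if __name__ == "__main__":
    for item in unexpected_active_content(BASELINE_PAGE, COMPROMISED_PAGE):
        print("unexpected:", item)
```

Run on a schedule against the live front page, an unexpected external script source or a 1x1 iframe is exactly the signal to alert on; because inline code is fingerprinted by hash, any edit to existing inline scripts also shows up. The check does not execute JavaScript, so obfuscated code that assembles its URL at runtime is only visible as a changed inline hash, not as a new source.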

It is important to be aware of this shift from SMTP to HTTP infections, which can be exploited by the criminals in many ways. Companies often measure their risk of getting infected by looking at the amount of stopped attachments at their e-mail gateway. Those numbers are definitely going down, but the actual risk of getting infected probably isn’t.

Individuals and companies should therefore be scanning their web traffic for malware – as well as filtering their FTP traffic. In parallel to the switch from SMTP to HTTP as a way of spreading malware, we are now also seeing more and more malicious e-mails that link to malware via FTP links.

This report was an excerpt from our Quarterly Security Wrapup, which has been released today.

Download the full wrapup.

On 31/03/08 At 12:26 PM


Apr 1st

Shedding (Black)Light on the Master Boot Record

Author: Chewy | Files under Uncategorized

A while ago we blogged about the MBR rootkit, which has been getting attention from all the security vendors. We’re glad to inform you that the latest version of the F-Secure BlackLight standalone rootkit scanner now detects MBR rootkit infections.

[Image: BlackLight detecting MBR rootkit]

BlackLight has stood the test of time ever since it was released in the beginning of 2005. A new rootkit technique that has been able to evade detection has been a very rare event. The MBR rootkit is quite different from other rootkits we’ve seen over the years, so we had to add completely new technology into BlackLight to detect it successfully.

You can download standalone BlackLight here.

On 31/03/08 At 01:47 PM
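The post does not say how the new detection works, and the following added example is not BlackLight's technology. It shows the simplest user-mode baseline check an administrator can write: parse a 512-byte MBR sector, validate the 0x55AA signature, decode the partition table, and compare a SHA-256 of the 446-byte boot-code region (the part an MBR rootkit overwrites) against a hash recorded when the disk was known clean. The sector bytes are constructed placeholders, not real boot code.

```python
"""Parse a raw 512-byte MBR and compare its boot code against a stored baseline hash.

Added example, not BlackLight's detection technology. The sector below is
constructed; the boot-code bytes are placeholders, not real boot code.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445: boot code (what an MBR rootkit overwrites)
PART_TABLE_OFFSET = 446       # four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_mbr(sector):
    """Return the boot-code hash and the non-empty partition entries of one MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        offset = PART_TABLE_OFFSET + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, offset)
        if ptype != 0:
            partitions.append({
                "index": i,
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": count,
            })
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def boot_code_matches_baseline(sector, baseline_sha256):
    """True when the boot code is byte-for-byte what was recorded earlier."""
    return parse_mbr(sector)["boot_code_sha256"] == baseline_sha256


def build_sample_mbr(boot_code):
    """Constructed MBR: given boot code, one bootable type-0x07 entry, valid signature."""
    boot = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    table = entry + b"\x00" * (16 * 3)
    return boot + table + BOOT_SIGNATURE


CLEAN_MBR = build_sample_mbr(b"\xfa\x31\xc0\x8e\xd8" * 8)   # placeholder bytes
BASELINE_HASH = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()

# Same sector with the first bytes of the boot code replaced (constructed tampering).
_tampered = bytearray(CLEAN_MBR)
_tampered[0:4] = b"\xe9\x00\x01\x90"
TAMPERED_MBR = bytes(_tampered)

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        ok = boot_code_matches_baseline(sector, BASELINE_HASH)
        print(f"{name}: boot code {'matches' if ok else 'DIFFERS FROM'} baseline")
```

On a live machine the sector would come from the first 512 bytes of the physical drive (on Windows, `\\.\PhysicalDrive0`, which needs administrator rights). The caveat is the reason the post talks about new technology: a rootkit that filters disk I/O in the kernel can hand a clean copy of the sector to any user-mode reader, so a check like this only catches an infection that does not hide itself, and the reliable comparison has to be made below the filter or from offline media.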


Apr 1st

Stormy April Fool’s Day

Author: Chewy | Files under Uncategorized

A wave of April Fool’s Day related Storm mails have just been sent out. As on previous occasions, the mails contain a link that points to an IP address.

[Image: storm_april2008]

When visiting the site you end up on a page like this:

[Image: storm_april2008]

So far there is no exploit code on the page, but that could change any second, so if you receive one of these emails, don’t click on the link.

On 31/03/08 At 07:45 PM
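The lures quoted in “Shift happens” (video of you, greeting card, order confirmation), the FTP links mentioned there, and the bare-IP link in this Storm run share a few mechanical tells that a mail gateway can score. The following is an added example and not the post’s own tooling: it extracts http/https/ftp links from a message body, flags IP-literal hosts, FTP links, executable file names and non-standard ports, adds a small weight for lure text, and reports which links cross a threshold. The messages, addresses, weights and threshold are constructed assumptions for this example.

```python
"""Flag links in inbound mail text that match the lures and link shapes described above.

Added example, not the post's own tooling. The messages and addresses below are
constructed; 192.0.2.0/24, 198.51.100.0/24 and 2001:db8::/32 are documentation ranges.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Lure phrases taken from the posts' examples plus the April Fool's theme (constructed list).
LURE_PHRASES = ("video of you", "greeting card", "thank you for your order", "april fool")

# Weights and threshold are assumptions for this example, not a published scoring scheme.
WEIGHTS = {
    "ip-literal-host": 3,       # link goes to a bare IP instead of a hostname
    "executable-download": 3,   # link path ends in a Windows executable extension
    "ftp-scheme": 2,            # payload reached over FTP rather than HTTP
    "nonstandard-port": 1,
    "lure-text": 1,             # message body uses a known social-engineering hook
}
FLAG_THRESHOLD = 2

URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s<>\"']+", re.IGNORECASE)
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")


def extract_urls(text):
    """Pull http/https/ftp links out of a message body, trimming trailing punctuation."""
    return [m.rstrip(".,;:!?)") for m in URL_RE.findall(text)]


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def link_reasons(url):
    """Reasons a single link looks suspicious (empty list means nothing noted)."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    try:
        port = parsed.port
    except ValueError:          # malformed port string
        port = -1
    reasons = []
    if parsed.scheme.lower() == "ftp":
        reasons.append("ftp-scheme")
    if is_ip_literal(host):
        reasons.append("ip-literal-host")
    if port not in (None, 21, 80, 443):
        reasons.append("nonstandard-port")
    if parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
        reasons.append("executable-download")
    return reasons


def triage_message(body):
    """Score every link in a message; returns [(url, reasons, score, flagged), ...]."""
    lure_hit = any(p in body.lower() for p in LURE_PHRASES)
    results = []
    for url in extract_urls(body):
        reasons = link_reasons(url)
        if lure_hit:
            reasons.append("lure-text")
        score = sum(WEIGHTS[r] for r in reasons)
        results.append((url, reasons, score, score >= FLAG_THRESHOLD))
    return results


# Constructed sample messages modelled on the lures named in the posts.
SAMPLE_MESSAGES = {
    "storm-style": "There is a video of you on YouTube! Watch it: http://192.0.2.10/video.exe.",
    "ftp-lure": "You have received a greeting card. Open: ftp://198.51.100.7/card.exe",
    "legit-order": "Thank you for your order. Track it at https://www.example.com/orders/123",
    "ipv6-literal": "April Fool's surprise: http://[2001:db8::1]:8080/index.html",
}

if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        for url, reasons, score, flagged in triage_message(body):
            print(f"{name:13} {'FLAG' if flagged else 'ok  '} score={score} {url} {reasons}")
```

Lure text on its own is deliberately not enough to flag a message (the “legit-order” sample scores 1), which keeps genuine order confirmations out of quarantine; the bare-IP host and executable path are what push the Storm-style samples over the threshold. The weights and threshold are the tuning knobs a gateway operator would adjust against their own false-positive rate.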


Apr 1st

Unusual banking trojan found today

Author: Chewy | Files under Uncategorized

We’ve seen tons of banking trojans lately, but now we’ve run into something quite unique.

This new banking trojan was found today on a drive-by-download site. We’ve added detection for it as Win32.Pril.A.

It not only infects the MBR of the machine, but also reflashes the boot code in the Flash BIOS, making disinfection problematic.

Once an infected machine is online, the trojan monitors the user’s actions, waiting for him to go to one of several hundred online banks, located all over the world.

[Image: samplexml]

Once the user has logged on, the banking trojan uses PCMCIA to inject code into the VGA! As an end result, the trojan creates a man-in-the-browser attack against the victim.

Now, the really surprising part is what the trojan does. Normal banking trojans would insert extra transactions or change the deposit account numbers on-the-fly. However, Win32.Pril.A doesn’t withdraw money from you - it actually inserts money TO your account. This looked so weird we had to test it several times, on all of our accounts.

The drive-by-download site is still up. Normally, we wouldn’t list the URL for such a site, or we would at least obfuscate it in a screenshot. However this time we’ll make an exception. We will even make the link clickable: http://aprilbanking.cjb.net/

On 01/04/08 At 07:22 AM


Mar 23rd

Microsoft unloads 500 GTA IV Xbox 360 Elite consoles

Author: Chewy | Files under Gaming, Microsoft

While folks at the Xbox 360 repair lab know good and well how to strip a console back to its birthday suit, Microsoft is going the opposite direction with its limited run of Grand Theft Auto IV Elites. The console itself is purportedly blasted with automotive quality paint and each one is individually numbered. Apparently, […]


Mar 23rd

Meizu’s M8 gets more UI tweaks for its music player

Author: Chewy | Files under News

Now, we know the official story on the CeBIT Meizu shutdown was related to MP3 codec licensing, and not the M8’s iPhone-like UI. Still, it does seem strangely fortuitous that more pictures of the phone’s interface have just appeared that seem to showcase a move away from Apple’s familiar look. The Chinese site CNMO has […]


Mar 19th

iTunes Music Downloads May Go Free Through iPod and iPhone Subsidies

Author: Chewy | Files under Apple

Apple’s CEO Steve Jobs has for years stood adamant about the business model employed by the iTunes Store. It would remain strictly pay-to-own. Nothing would change that. It is what has proven most successful for the company - despite the emergence of numerous buffet-style options in the digital download marketplace. Why try to amend or […]


Mar 18th

China has blocked YouTube, I repeat, China has BLOCKED YouTube..

Author: Chewy | Files under News

After videos of protests in Tibet were posted, YouTube was blocked by the Chinese Government. China has at least 210 million (210,000,000) online surfers, so the traffic to YouTube may, and probably will, be decreasing. The protest videos are spreading on YouTube like STD’s at a college party. What will Google do to restore access […]


Mar 17th

Acer plans to join the console market!

Author: Chewy | Files under Gaming, News

Pulled straight from the source!

Over the next year, Taiwan-based notebook PC maker Acer will start to produce desktop units under the Acer brand… and a senior Acer official told BetaNews yesterday that a PC-based game machine is one of the ideas being bandied about. NEW YORK CITY (BetaNews) - Right now, the Acer brand name is still […]


Mar 17th

Oh my luck!

Author: Chewy | Files under Life

I was so lucky the other day. Sorry I haven’t made a post in a bit, but last Saturday I was bored and thought, what the hell. I picked up the phone and called the local Gamestop and asked if they had any Nintendo Wii’s in stock, turns out they had 1 used one in […]