How Malware Spreads - How Do You Get Infected

[Wingman]

How Malware Spreads - How Do You Get Infected
Information provide by Security Expert Quietman7 - Microsoft MVP - Consumer Security 2007-2014

Hackers, malware writers and attackers use a variety of methods, sophisticated techniques and malware vectors to spread their malicious programs. They rely heavily on social engineering in order to infect computers. Spam emails are used by attackers in an attempt to trick the user into opening the email and clicking on links within it or opening a malicious email attachment. Attackers have been known to use exploit packs in order to craft Web pages to exploit vulnerabilities in system and application software and spread the threat in a drive-by downloads.
* Malware Infection Vectors: Past, Present, and Future

Hackers, malware writers and attackers also have a variety of motives for installing malevolent software.
* Who creates malware and why?
* Origin of Malware
* How malware penetrates systems
* What malware needs to thrive

Keep in mind that the severity of infection will vary from system to system, some causing more damage than others especially when dealing with rootkits. The longer malware remains on a computer, the more opportunity it has to download additional malicious files and/or install malicious extensions for Internet browsers which can worsen the infection so each case should be treated on an individual basis. Severity of system infection will also determine how the disinfection process goes.


1. Rogue security programs are one of the most common sources of malware infection. They infect machines by using social engineering and scams to trick a user into spending money to buy a an application which claims to remove malware. They typically use bogus warning messages and alerts to indicate that your computer is infected with spyware or has critical errors as a scare tactic to goad you into downloading a malicious security application to fix it. The alerts can mimic system messages so they appear as if they are generated by the Windows Operating System. It is not unusual for malware writers to use the names of popular and legitimate security programs as part of the name for a fake anti-virus software in order to trick people into using them. There are at least two rogue security programs that use part of or all of the Malwarebytes name. There are also rogues for SmitfraudFixTool, VundoFixTool, Spybot Search and Destroy, Avira AntiVir and many more. Even Microsoft has been targeted by attackers using such names as Microsoft Security Essentials, MS Anti-virus for their programs and incorporating the names Defender, XP, and Vista into naming schemes for other rogue applications.

Rogue antispyware programs are responsible for launching unwanted pop ups, browser redirects and downloading other malicious files so the extent of the infection can vary to include backdoor Trojans, Botnets, IRCBots and rootkits which compromise the computer and make the infection more difficult to remove. For more specific information on how these types of rogue programs and infections install themselves, read:
* Anatomy of a malware scam
* How does rogue security software get on my computer?
* How to Tell If That Pop-Up Window Is Offering You a Rogue Anti-Malware Product
* Social engineering in action: how web ads can lead to malware

Ransomware (aka crypto malware) is a sophisticated form of extortion in which the attacker encrypts a victim's personal information (data files) and then demands money (ransom) in exchange for a decryption key that can be used to retrieve the encrypted files. In most cases the greatest challenge to recovering the encrypted data has been the process of breaking the code of how the data is scrambled so it can be deciphered. Some forms of Ransomware act like rogue security software, generating infection alerts and warnings as shown here.
* Symantec: Ransomware A Growing Menace
* TechNet Blogs: The past year has been one of expansion for ransomware
* McAfee Blog: Ransomware

Newer ransomware variants are encrypting files using a RSA encryption which utilizes both a Public and Private key pair. Once the encryption of the data is complete, decryption is not feasible...you need the Private RSA key corresponding to the Public RSA key which is generated and contained (in the registry) on the infected computer. The Private key is stored on the malware developer's command and control server which makes access to it, and the restoration of the affected files near impossible.
* US-CERT: CryptoLocker Ransomware Infections
* BC CryptoLocker Ransomware Information Guide and FAQ
* CryptoLocker a new ransomware variant
* Krebs: How To Avoid CryptoLocker Ransomware

Ransomware is typically spread through social engineering...by opening a malicious email attachment (usually from an unknown or unsolicited source) or when clicking a malicious link in an email message, an instant message or on a social networking site. However, ransomware can also be installed through a computer worm that enters through a network vulnerability or when visiting a malicious website. Business and corporate environments with many users are especially susceptible to ransomware infection since they deal with extensive amounts of sensitive and financial data.


2. Infections spread by malware writers and attackers exploiting unpatched security holes or vulnerabilities in older versions of popular software such as Adobe, Java, Windows Media Player and the Windows operating system itself. Software applications are a favored target of malware writers who continue to exploit coding and design vulnerabilities with increasing aggressiveness.
* Kaspersky Lab report: Evaluating the threat level of software vulnerabilities
* Time to Update Your Adobe Reader
* Malware exploits Windows Media Player vulnerabilities
* Eight out of every 10 Web browsers are vulnerable to attack by exploits

Another PDF sample that exploits an unpatched vulnerability in Adobe Reader and Acrobat has been spotted in the wild...

Unpatched Adobe Vulnerability Is Still Being Exploited in the Wild

...your machine may still be vulnerable to attacks if you never bother to uninstall or remove older versions of the software...a malicious site could simply render Java content under older, vulnerable versions of Sun's software if the user has not removed them....

Hole in Patch Process
Ghosts of Java Haunt Users
BlackHole toolkit enables attackers to exploit security holes in order to install malicious software

If a website has been hacked or displays malicious ads, they can exploit the vulnerable software on your computer.

The majority of computers get infected from visiting a specially crafted webpage that exploits one or multiple software vulnerabilities. It could be by clicking a link within an email or simply browsing the net, and it happens silently without any user interaction whatsoever.

Web Exploits

Exploit kits are a type of malicious toolkit used to exploit security holes found in software applications...for the purpose of spreading malware. These kits come with pre-written exploit code and target users running insecure or outdated software applications on their computers.

Exploit Kits - Anatomy of an exploit kit

To help prevent this, install and use Secunia Personal Software Inspector (PSI), a FREE security tool designed to detect vulnerable and out-dated programs/plug-ins which expose your computer to malware infection.


3. A large number of infections are contracted and spread by visiting gaming sites, porn sites, using pirated software (warez), cracking tools, hacking tools and keygens where visitors may encounter drive-by downloads through exploitation of a web browser or an operating system vulnerability. Security researchers looking at World of Warcraft and other online games have found vulnerabilities that exploit the system using online bots and rootkit-like techniques to evade detection in order to collect gamer's authentication information so they can steal their accounts.

Dangers of Gaming Sites:

The design of online game architecture creates an open door for hackers...hackers and malware hoodlums go where the pickings are easy -- where the crowds gather. Thus, Internet security experts warn game players that they face a greater risk of attack playing games online because few protections exist....traditional firewall and antimalware software applications can't see any intrusions. Game players have no defenses...Online gaming sites are a major distribution vehicle for malware....

MMO Security: Are Players Getting Played?
Malware Makers Target Online Games to Spread Worms
Microsoft warns game developers of cyber thieves
online game + online trade = Trojan Spy
Real Flaws in Virtual Worlds: Exploiting Online Games

Dangers of Cracking & Keygen Sites:

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

Dangers of Warez Sites:

...warez/piracy sites ranked the highest in downloading spyware...just opening the web page usually sets off an exploit, never mind actually downloading anything. And by the time the malware is finished downloading, often the machine is trashed and rendered useless.

University of Washington spyware study

Dangers of Porn Sites:

Websites related to pornography that appear to be compromised were found by Trend Micro engineers loading malicious JavaScript which redirects users onto malicious domains that ultimately lead to the download of an MBR rootkit onto the affected system.

Porn Sites Lead to MBR Rootkit


4. Infections spread by using torrent, peer-to-peer (P2P) and file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. In some cases the computer could be turned into a virus honeypot or zombie. File sharing networks are thoroughly infected and infested with malware according to Senior Virus Analyst, Norman ASA. Malicious worms, backdoor Trojans IRCBots, and rootkits spread across P2P file sharing networks, gaming, porn and underground sites.

* Risks of File-Sharing Technology
* P2P file sharing: Know the risks
* Peer-to-Peer: A Growing Tactic Used for Threat Command-and-Control
* More malware is traveling on P2P networks these days

Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans, and spyware.

Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. Hackers are also known to exploit Flash vulnerabilities which can lead to malware infection. When visiting a website that hosts an HTML page which requires a Flash script, users may encounter a malicious Flash redirector or malicious script specifically written to exploit a vulnerability in the Flash Interpreter which causes it to execute automatically in order to infect a computer.

* Analyzing and Detecting Malicious Flash Advertisements
* Malvertising: The Use of Malicious Ads to Install Malware - Example: Malicious Flash Banner Ad
* Macromedia Flash Player Lets Malicious Flash Media Files Execute Scripts
* Attackers exploit latest Flash bug

Keep in mind that even legitimate websites can display malicious ads and be a source of malware infection.

...Internet users are 21 times more likely to become infected by visiting a legitimate online shopping site than by visiting a site used for illegal file-sharing...The problem isn't in the sites themselves; it's in the ads...

Mainstream Websites More Likely to Harbor Malware

...According to Ciscos annual 2013 Security Report internet users are 182 times more likely to get malware from clicking on online ads than visiting a porn site...

Clicking Online Ads More Likely To Deliver Malware Than Surfing Porn Sites
Cisco Annual Security Report: Threats Step Out of the Shadows


5. Infection can also spread by visiting popular social sites and through emails containing links to websites that exploit security hole's in your web browser. When you click on an infected email link or spam, Internet Explorer launches a site that stealthy installs a Trojan so that it can run every time you startup Windows and download more malicious files. Email attachments ending with a .exe, .com, .bat, or .pif from unknown sources can be malicious and deliver dangerous Trojan downloaders, worms and viruses which can utilize your address book to perpetuate its spread to others.

At least one in 10 web pages are booby-trapped with malware...The tricks include hacking into a web server to plant malware, or planting it within third-party widgets or advertising...About eight out of every 10 Web browsers are vulnerable to attack by exploits...Even worse, about 30% of browser plug-ins are perpetually unpatched...

One in 10 web pages laced with malware
Bulk of browsers found to be at risk of attack

Researchers at the Global Security Advisor Research Blog have reported finding pornographic virus variants on Facebook. The Koobface Worm has been found to attack both Facebook and MySpace users. Virus Bulletin has reported MySpace attacked by worm, adware and phishing. Some MySpace user pages have been found carrying the dangerous Virut. Malware has been discovered on YouTube and it continues to have a problem with malware ads.

* Conficker worm's copycat Neeris spreading over IM
* IM attacks get nastier
* MSN Most Dangerous IM Client in 2007
* IM attacks up nearly 80%


6. Infections can spread when using a flash drive. In fact, one in every eight malware attacks occurs via a USB device. This type of infection usually involve malware that modifies/loads an autorun.inf (text-based configuration) file into the root folder of all drives (internal, external, removable) along with a malicious executable. When removable media such as a CD/DVD is inserted (mounted), autorun looks for autorun.inf and automatically executes the malicious file to run silently on your computer. For flash drives and other USB storage, autorun.ini uses the Windows Explorer's right-click context menu so that the standard "Open" or "Explore" command starts the file. Malware modifies the context menu (adds a new default command) and redirects to executing the malicious file if the "Open" command is used or double-clicking on the drive icon. When a flash drive becomes infected, the Trojan will infect a system when the removable media is inserted if autorun has not been disabled. Keeping autorun enabled on USB and other removable drives has become a significant security risk as they are one of the most common infection vectors for malware which can transfer the infection to your computer.

To learn more about this risk, please read:
* When is AUTORUN.INF really an AUTORUN.INF?
* Nick Brown's blog: Memory stick worms
* USB-Based Malware Attacks

Many security experts recommend you disable Autorun as a method of prevention and to Maximize the Protection of your Removable Drives. Microsoft recommends doing the same.
* Microsoft Security Advisory (967940): Update for Windows Autorun
* Microsoft Article ID: 971029: Update to the AutoPlay functionality in Windows

Note: If using Windows 7, be aware that in order to help prevent malware from spreading, the Windows 7 engineering team made important changes and improvements to AutoPlay so that it will no longer support the AutoRun functionality for non-optical removable media.


7. Other types of infections spread by downloading malicious applets, Clickjacking or by visiting legitimate web sites that have been compromised through various hacking techniques (i.e. Cross-Site Scripting, Cross-Site Request Forgery) used to host and deliver malware via malicious code, automated SQL Injection (injecting HTML code that will load a JavaScript redirector) and exploitation of the browser/operating system vulnerabilities.

* JavaScript SQL Injection
* Taxonomy of Online Security and Privacy Threats
* Malicious website evolution
* Malicious HTML Tags Embedded in Client Web Requests
* Rogue JavaScript code infecting Web sites
* IFrame Hack (PHP Exploit)
* Vulnerabilities Allow Attacker to Impersonate Any Website
* SQL Injection Overview- Threat and Vulnerability Mitigation: SQL Injection

...More than 90 percent of these webpages belong to legitimate sites that have been compromised through hacking techniques such as SQL Injection...Hackers are apparently planting viruses into websites instead of attaching them to email. Users without proper security in place get infected by simply clicking on these webpages.

One webpage gets infected by virus every 5 seconds


8. Phishing is an Internet scam that uses spoofed email and fraudulent Web sites which appear to come from or masquerade as legitimate sources. The fake emails and web sites are designed to fool respondents into disclosing sensitive personal or financial data which can then be used by criminals for financial or identity theft. The email directs the user to visit a web site where they are asked to update personal information such as passwords, user names, and provide credit card, social security, and bank account numbers, that the legitimate organization already has. Spear Phishing is a highly targeted and coordinated phishing attack using spoofed email messages directed against employees or members within a certain company, government agency, organization, or group. These fraudulent emails and web sites, however, may also contain malicious code which can spread infection.


9. Pharming is a technique used to redirect as many users as possible from the legitimate commercial websites they intended to visit and lead them to fraudulent ones. The bogus sites, to which victims are redirected without their knowledge, will likely look the same as a genuine site. However, when users enter their login name and password, the information is captured by criminals. Pharming involves Trojans, worms, or other technology that attack the browser and can spread infection. When users type in a legitimate URL address, they are redirected to the criminal's web site. Another way to accomplish these scam is to attack or "poison the DNS" (domain name system) rather than individual machines. In this case, everyone who enters a valid URL will instead automatically be taken to the scammer's site.


10. Finally, backing up infected files, is a common source of reinfection if they are restored to your computer. Generally, you can back up all your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml ) files because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise itself by hiding a file extension or adding to the existing extension as shown here (click Figure 1 to enlarge) so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions.

Now that you know How malware spreads, you may want to read Best Practices for Safe Computing - Prevention which includes tips to protect yourself against malware infection.[/h1]