Malware propagation is one of the most fascinating parts of an attacker's activities and, apart from the anger of the affected people, the part that attracts the most attention. It is where all the magic of infection and intrusion happens, where attackers release the malicious software into the wild and try to infect new victim systems as quickly or as selectively as possible; their victims are left wondering how the heck that could have happened.

The goal of this article is to give you an overview of how and where attackers release malware. It covers the common infection points where people first come into contact with malware and what action the software has to execute to initiate the infection process.

Method 1 : Sending the Trojan horse as email attachment

One of the oldest but still very effective ways people get infected is via email, by opening an attached file. Email is the most used way people communicate over the Internet. Almost everyone owns an email address and uses it regularly. It is easy to use and accessible from anywhere you have Internet access. Today, most email services are free too.

As already mentioned, sending malware as an email attachment was a propagation method from the early days. The attacker prepared the Trojan horse, sent it to all the recipients on his list and waited until the infected systems connected back. Simple and straightforward. The only thing the recipient (the victim) had to do was to double-click the attachment to initiate the infection process. Back then antivirus software was not as widespread as it is nowadays, and people were not as cautious and sensitised to this kind of threat. Many email users were only a double-click away from infection.
Today, with AV software installed on virtually every computer and people aware of the threat, this way of propagation still works surprisingly well, but things have become slightly more difficult. AV software doesn't accept *.exe, *.com, *.bat or *.pif files anymore, and it also checks archives like *.zip or *.rar files for executable files. If they contain files with suspicious file name extensions, it raises a warning and interrupts the execution. But because there is still a large mass of potential victims among email users who obstinately ignore any kind of warning, the infection rate is still high, and for an attacker this archaic means is still promising and valuable.
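The archive check described above can be sketched as follows. This is an added example, not code from the original article or from any AV product; the function names, the depth limit and the extensions beyond the four the article lists are assumptions, and the sample archive is constructed in memory.

```python
import io
import zipfile

# The four extensions the article names, plus two more launchable types (assumption).
RISKY_EXTENSIONS = {".exe", ".com", ".bat", ".pif", ".scr", ".cmd"}
MAX_DEPTH = 3  # refuse to unpack archives nested deeper than this


def risky_members(archive_bytes, depth=0, prefix=""):
    """Return the paths of archive members whose final extension is executable."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(archive_bytes))
    except zipfile.BadZipFile:
        return [prefix + "<unreadable archive>"]
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower().rstrip(". ")  # Windows drops trailing dots and spaces
            # Only the last extension decides how the file is opened (invoice.pdf.exe -> .exe).
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            if ext in RISKY_EXTENSIONS:
                findings.append(prefix + name)
            elif ext == ".zip":
                if depth + 1 >= MAX_DEPTH:
                    findings.append(prefix + name + " <nesting too deep>")
                else:
                    findings.extend(
                        risky_members(archive.read(info), depth + 1, prefix + name + "!"))
    return findings


def build_sample():
    """Constructed sample: harmless file, double extension, and a nested zip."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("setup.bat", "rem constructed placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", "hello")
        z.writestr("invoice.pdf.exe", "constructed placeholder, not a real program")
        z.writestr("docs/inner.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for hit in risky_members(build_sample()):
        print("blocked:", hit)
```

A mail gateway would quarantine the message when the returned list is non-empty, rather than leaving the decision to a warning dialog the recipient can click through.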

Method 2 : Infection via browser bugs

The browser is doubtlessly the most used application on a computer. We use it to surf the Internet, to check our mail of course, and to chat, and many programs people once installed locally on the computer, such as word processors or spreadsheets, are now loaded into the browser and ready to use. Browsers have great importance, and over the years their functionality and extensions grew and changed their usage enormously. With their quick development and the possibility to install plugins, the attack surface grew as well. Code reviews were conducted more often, not only on the browsers but also on the plugins, which revealed many critical and also not so critical bugs. These circumstances also attracted the attackers' attention and gave them new ways to spread their malware. By leading a victim to a site that contains malicious HTML, scripting or plugin code, an attacker can force the victim's browser to execute hidden actions, force it to download and install the damage routine of the Trojan horse and infect the system that way.
This is much more convenient than the variant with the infected attachment. An email containing a simple link to a homepage doesn't seem suspicious, and additionally it is a one-click infection (instead of a double-click).

Method 3 : Removable data storage devices

There was once a time when classic computer viruses propagated through sharing infected floppy disks and executing program files. To share and to execute was simply the only method. Even if floppy disks are no longer in use as data storage devices (maybe you're still using one as a boot device), the method itself is still in use. In the meantime CD-ROMs and USB memory sticks have replaced floppy disks almost completely, and Microsoft introduced the Autorun feature, which executes commands automatically when a data storage device is newly connected. This combination of removable storage devices and auto-execution revived the ancient propagation method, and USB memory sticks and CD-ROMs/DVDs served not only as data storage media but also as hosts to infect computers with malware.

Here is an example of what the file autorun.inf has to look like:

[autorun]
open=installMegapanzer.exe
icon=myIcon.ico

This way of malware propagation was used a lot in the past, and Microsoft as well as other installed third-party software will trigger an alert if a data storage device uses the autorun feature. So this method is no longer that reliable and has its restrictions.

Additionally, and worth mentioning: a Trojan horse itself can, once running on a victim's system, infect other writable USB data storage devices and so propagate in the old known manner, as happened with the floppy disks. Ancient but proven.
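The kind of check that sits behind such an alert can be sketched like this: look in the root of a newly mounted volume for an autorun.inf and report every entry that would start a program. This is an added example, not code from the original article or from any Microsoft or third-party product; the function names are hypothetical and the sample is the autorun.inf shown above.

```python
from pathlib import Path

# Keys in the [autorun] section that start a program when the medium is opened.
EXEC_KEYS = ("open", "shellexecute")

# The autorun.inf from the article, reused as sample input.
SAMPLE = """[autorun]
open=installMegapanzer.exe
icon=myIcon.ico
"""


def autorun_commands(text):
    """Return (key, command) pairs from the [autorun] section that launch a program."""
    hits, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or INI comment
            continue
        if line.startswith("[") and line.endswith("]"):
            # Section names are case-insensitive: [AutoRun] counts as well.
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            # shell\<verb>\command entries add a context-menu action that runs a program.
            if key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                hits.append((key, value))
    return hits


def scan_volume(root):
    """Check the root of a mounted volume for an autorun.inf (any letter case)."""
    for entry in Path(root).iterdir():
        if entry.is_file() and entry.name.lower() == "autorun.inf":
            raw = entry.read_bytes()
            # The file may be saved as UTF-16 with a byte order mark; otherwise read bytes 1:1.
            encoding = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "latin-1"
            return autorun_commands(raw.decode(encoding, errors="replace"))
    return []


if __name__ == "__main__":
    for key, command in autorun_commands(SAMPLE):
        print(f"autorun entry would start: {command} (via {key}=)")
```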

Method 4 : File sharing networks

Another common way to propagate malware is using the different Internet-based file sharing networks like BitTorrent, eMule, LimeWire etc. An attacker tries to get hold of a new release of a popular piece of software and injects his malicious code into the genuine software package. After the initial infection the attacker offers the infected file to other users for download.
There are two advantages that come with this method:

  • If a victim downloads the infected file, he's "expecting" an executable file and doesn't become suspicious just because of its file extension. He "will" execute it after downloading.
  • Once the file has been downloaded by the first victim, the availability of the file has doubled. Two people now offer the infected file for download. All the attacker has to do is make sure he is using popular software, and the propagation will advance at a fast pace.

What’s coming up in the second article

The goal of the first part was to describe the methods by which attackers propagate their malware by distributing it in an active way, by sending "something" to the victims and expecting them to execute an action with this "something". These ways are well known to all of us because the media constantly inform us about the threats we are exposed to and the latest incidents that happened, and give us the relevant background information. In the next article I will give you an understanding of how to inject the malware into a victim's browsing session by taking over and controlling his data stream. More subliminal, more state-of-the-art, stay tuned.

the"anonymouse"geek says:

Ah yes! The classic E-Mail “virus”!
It's the one one hears of the most these days, isn't it?

igns says:

Great post! And I must agree that email attachments are still a huge problem, though everyone is told to check them before downloading.