The mechanics of malware

17th August 2007 [PC Pro]

The type of virus that downs millions of computers worldwide is almost unheard of these days, but that doesn't mean the threat has evaporated - it's merely evolved.

Drive-by downloads

The goal of a typical web-based attack is to install malware on the victim's PC. One of the most common methods used today is the injection of malicious code into otherwise innocuous web pages - the so-called drive-by download. This involves squirting code directly into a program or script from an external source to await execution. For example, it's possible to create a text file containing PHP code relating to server A, and have it executed on the exploited server B. One of the reasons code injection is so popular is the availability of kits that can be bought online, making it easy to create malicious code that installs spyware or viruses, or launches phishing attacks.

Once an appropriate web host is found, the code is injected and the victim is lured by being redirected from another site or via a link embedded in spam. "In a typical attack," Fraser Howard, principal virus researcher at Sophos, explains, "the hacker will have embedded additional iframes onto the web page, often indiscernible to your average web user. These iframes silently load content, which usually attempts to exploit browser vulnerabilities in order to infect the victim's PC."

While many of these drive-by downloads are hosted on custom domains registered and set up specifically for the job, a growing number of cybercriminals are injecting malicious code onto legitimate web pages. "During the week before the Miami Dolphins were due to host the Super Bowl earlier this year, malicious code was hosted on the team's website as hackers tried to take advantage of the influx of visitors to the site," said Howard. Another tactic is to compromise a web server, as this enables the hackers to inject their code into many sites in a single strike, again increasing the number of potential victims.
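The hidden iframes Howard describes are something a site owner can check for in their own pages. The following is an added example, not code from the article or from Sophos: a small Python scanner that parses a page's HTML and flags iframes that are zero-sized or CSS-hidden, or that load content from a host other than the site's own. The sample HTML and all hostnames in it are constructed for the example.

```python
"""Flag hidden or off-site iframes in a web page (added example, not PC Pro's code)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a legitimate page with one normal video embed and two
# injected iframes of the kind used in drive-by downloads (hostnames are made up).
SAMPLE_HTML = """<html><body>
<h1>Team news</h1>
<iframe src="https://video.example-team.test/highlights" width="640" height="360"></iframe>
<div>Schedule and ticket information...</div>
<iframe src="http://injected.example.net/in.php" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://injected.example.net/x.html" style="visibility:hidden;position:absolute"></iframe>
</body></html>"""


def _is_hidden(attrs):
    """True if the iframe is kept off-screen: zero width/height or hidden via inline CSS."""
    for dim in ("width", "height"):
        if attrs.get(dim, "").strip().rstrip("px") == "0":
            return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


class IframeCollector(HTMLParser):
    """Collects the attribute dicts of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # html.parser gives attrs as (name, value) pairs; value is None for bare attributes
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def find_suspicious_iframes(html, site_host):
    """Return (src, reason) pairs for iframes that are hidden or load from another host.

    Relative src values resolve to site_host; subdomains of site_host count as on-site.
    """
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or site_host
        off_site = host != site_host and not host.endswith("." + site_host)
        reasons = (["hidden"] if _is_hidden(attrs) else []) + (["off-site"] if off_site else [])
        if reasons:
            hits.append((src, ",".join(reasons)))
    return hits
```

Run over a saved copy of each page, this catches frames written directly into the HTML; an iframe that obfuscated JavaScript creates at runtime only shows up in the rendered DOM, so a browser-based crawl is needed to see it.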

Worms

Worms come in several species, but can be divided into four main categories. Email worms are the most prevalent and typically spread as a file attachment, hijacking the email system and sending themselves to the entire contacts list. "They often rely on social-engineering tricks to tempt the user into running the attached file," says David Emm, senior technology consultant at Kaspersky Lab. "Or the worm's code may be embedded as script in an HTML email message, or arrive as a link to malicious code."

Internet worms spread directly over the internet or LAN. "They get a foothold on the system by exploiting an OS or application vulnerability, and then look for other vulnerable systems to infect," explains Emm. IM worms use links within the messaging software to infect local contact lists, while P2P worms target file-sharing system users with the worm copying itself to a shared folder and letting the P2P network do the rest.

Regular security updates - such as the Microsoft Patch Tuesday run - are worm killers, since they reduce the vulnerabilities left to exploit. As a result, the good news is that "worms account for just a small percentage of today's threats, around 5%," according to Emm.

Trojans

The weapon of choice for the criminal malware underground is the trojan. According to Symantec, "increasingly, trojans are the first stage of an attack, and their primary purpose is to stay hidden while downloading and installing a stronger threat such as a bot. Trojans are crimeware, and the creation and distribution of these programs is on the rise. Along with spyware, they're now 37% of all the malware Symantec processes on a weekly basis."
