
Anatomy of a malware attack


17 July 2014

There are five major stages to a malware attack, says security company Sophos, with the majority of infections coming from apparently legitimate sites.

SophosLabs says that it sees an average of 30,000 new malicious URLs every day. Among these, some 82% are compromised, legitimate web sites. Eighty-five percent of all malware, including viruses, worms, spyware, adware and Trojans, comes from the web, the company reports.

The infection exploits vulnerabilities in browsers and often takes place with no noticeable effect on the user. The initial malware redirects the victim to an exploit server using fast-flux techniques, with the target chosen according to what the victim is running (Windows or Mac, IE or Safari, Java, etc.), said Chris McCormack, senior product marketing manager at Sophos.

Commercially available and supported exploit packs will attempt to exploit vulnerabilities in the operating system (OS), browser, Java, PDF reader, media player and other plug-ins, reports McCormack. SophosLabs found 5,540 new vulnerabilities reported in 2013 alone.

Once a machine is infected, McCormack said, the malware downloads a malicious payload that steals data or extorts money. Sophos estimates that the total cost per data breach could reach $5.4 million (€4 million).

The five distinct stages to the malware infection, said McCormack, are entry point, distribution, exploit, infection, and execution.

With regard to how trusted web sites get hijacked, McCormack said web servers such as Apache and IIS, as well as their content management systems, have vulnerabilities. Savvy hackers using web site exploit tools can attack these vulnerabilities to inject malicious code into web pages. Users accessing the sites are then vulnerable to infection as the malware in turn looks for vulnerabilities in access tools.

One popular exploit tool, called Darkleech, is a rogue Apache module that lets attackers dynamically inject malicious iframes into web sites hosted on the affected servers.

From October 2012 to July 2013, Sophos found that more than 40,000 web sites were infected by Darkleech. Other web sites can be taken over through stolen login credentials. Many WordPress sites can be compromised using login credentials that are easily guessed or obtained through brute-force attacks, warned McCormack.

Once hackers have the login credentials for your site, they can inject an endless stream of malware, he said.

For more details and advice on protection, see the Sophos whitepaper on the topic.


TechCentral Reporters
