This article gives an overview of the techniques most commonly used to spread malware. These are also termed infection vectors: the means by which malicious software reaches and infects a victim’s system. Brief examples illustrate how these infections work and how malware has used them in the past.

{This information is for educational purposes only.}

Malware spread

Image: malware spread (source: kaspersky.com)

Exploiting Vulnerable Services

One of the most common tactics used by malware is exploiting vulnerable services over the network. Network services running on a server provide shared resources and services to clients on a network. For example, a DNS service resolves host names to IP addresses, and a file server provides shared storage on the network. Many operating systems ship with a variety of network services already installed and running. Vulnerabilities in such services may allow an attacker to execute code on the machine that is providing the service. Large installed bases of services that share the same vulnerability, such as those shipped by Microsoft, pave the way for automated exploitation: under such conditions malicious software can infect every accessible system without any human involvement. This characteristic makes network service exploitation the preferred infection method for worms. Moreover, services that provide system access to remote users and authenticate those users with passwords (e.g., ssh, administrative web interfaces, etc.) are frequently exposed to so-called dictionary attacks, in which the attacker iteratively tries to log into the system using passwords stored in a dictionary (a word list).

Drive-by Downloads

Drive-by downloads usually target a victim’s web browser. By exploiting a vulnerability in the web browser application, a drive-by download is able to fetch malicious code from the web and subsequently execute it on the victim’s machine. This usually happens without any further interaction with the user. In contrast to the exploitation of network services, where push-based infection schemes are dominant, drive-by downloads follow a pull-based scheme: the connection is initiated by the client, which actively requests the malicious content. Therefore, firewalls that protect network services from unauthorized inbound access cannot mitigate the threat of drive-by attacks. Currently, two different techniques are observed in the wild that might lead to a drive-by infection: API misuse and exploiting web browser vulnerabilities.

Software API Misuse

If one API allows an arbitrary file to be downloaded from the Internet, and another API provides the functionality of executing an arbitrary file on the local machine, the combination of these two APIs can lead to a drive-by infection even though neither API is vulnerable on its own. The widespread use of browser plug-ins gives attackers a huge portfolio of APIs that they can combine for malicious purposes in unintended ways.

Exploiting Web Browser Vulnerabilities

This attack vector is analogous to the case of exploitable network services: a memory-safety or logic flaw in the browser or one of its plug-ins is exploited to run attacker-supplied code. Moreover, the availability of client-side scripting languages, such as JavaScript or VBScript, provides the attacker with additional means to successfully launch an attack.

Before a drive-by download can take place, the user first has to visit the malicious site. To convince users to visit the malicious site, attackers perform social engineering and send spam emails that contain links to these sites, or they infect existing web pages with the malicious code. For example, the infamous Storm worm used its own botnet resources to send spam emails containing links to such attack pages.

To maximize the number of sites that host such drive-by attacks, attackers exploit vulnerabilities in web applications that allow them to manipulate those web sites. This is an example of attackers using the infection vector of vulnerable network services to launch drive-by download attacks on the clients of that service (e.g., the visitors of a web site). Another technique attackers use to lure users to their web sites is to cheat the ranking algorithms that web search engines use to sort result pages. An attacker may create a page that is specifically instrumented to rank highly for common search query terms. If the page is listed in a top position for these query terms, it will receive a large number of visitors. Researchers discovered that more than 1.3% of results for Google search queries include at least one page that tries to install malicious software on a visitor’s machine. Researchers also analyzed the techniques malware authors apply to lure a user into opening a connection to a host that performs drive-by download attacks. The most prevalent forms of such actions are circumventing web-server security measures, providing user-generated content, advertising schemes, and malicious widgets.

Social Engineering

All techniques that lure a user into deliberately executing malicious code on his or her machine, possibly under false pretenses, are considered social engineering attacks. There are virtually no limits to the creativity of attackers when social engineering is involved. Asking the user to install a provided “codec” to view the movie hosted on the current web site, getting the user to click and open an image attached to a spam email, or counting on the user eventually plugging a “found” USB key into his or her computer are just a few examples of social engineering. If you ask me, the black belts among hackers are the ones who are best at conducting social engineering attacks.