How Malware Spreads - How did I get infected

Hackers, malware writers and attackers have a variety of motives for installing malevolent software and use various methods and sophisticated techniques to spread their malicious programs:

• Who creates malware and why?
• Origin of Malware
• How malware penetrates systems
• What malware needs to thrive

Keep in mind that the severity of infection will vary from system to system, some causing more damage than others especially when dealing with rootkits. The longer malware remains on a computer, the more opportunity it has to download additional malicious files and/or install malicious extensions for Internet browsers which can worsen the infection so each case should be treated on an individual basis. Severity of system infection will also determine how the disinfection process goes.

Rogue security programs are one of the most common sources of malware infection. They infect machines by using social engineering and scams to trick a user into spending money to buy a an application which claims to remove malware. They typically use bogus warning messages and alerts to indicate that your computer is infected with spyware or has critical errors as a scare tactic to goad you into downloading a malicious security application to fix it. The alerts can mimic system messages so they appear as if they are generated by the Windows Operating System. It is not unusual for malware writers to use the names of popular and legitimate security programs as part of the name for a fake anti-virus software in order to trick people into using them. There are at least two rogue security programs that use part of or all of the Malwarebytes name. There are also rogues for SmitfraudFixTool, VundoFixTool, Spybot Search and Destroy, Avira AntiVir and many more. Even Microsoft has been targeted by attackers using such names as Microsoft Security Essentials, MS Anti-virus for their programs and incorporating the names Defender, XP, and Vista into naming schemes for other rogue applications.

Rogue antispyware programs are responsible for launching unwanted pop ups, browser redirects and downloading other malicious files so the extent of the infection can vary to include backdoor Trojans, Botnets, IRCBots and rootkits which compromise the computer and make the infection more difficult to remove. For more specific information on how these types of rogue programs and infections install themselves, read:

• Anatomy of a malware scam
• How does rogue security software get on my computer?
• How to Tell If That Pop-Up Window Is Offering You a Rogue Anti-Malware Product
• Social engineering in action: how web ads can lead to malware

Infections spread by malware writers and attackers exploiting unpatched security holes or vulnerabilities in older versions of popular software such as Adobe, Java, Windows Media Player and the Windows operating system itself. Software applications are a favored target of malware writers who continue to exploit coding and design vulnerabilities with increasing aggressiveness.

• Time to Update Your Adobe Reader
• Malware exploits Windows Media Player vulnerabilities
• Microsoft: Unprecedented Wave of Java Exploitation
• Eight out of every 10 Web browsers are vulnerable to attack by exploits

Another PDF sample that exploits an unpatched vulnerability in Adobe Reader and Acrobat has been spotted in the wild...

Unpatched Adobe Vulnerability Is Still Being Exploited in the Wild

...your machine may still be vulnerable to attacks if you never bother to uninstall or remove older versions of the software...a malicious site could simply render Java content under older, vulnerable versions of Sun's software if the user has not removed them....

Hole in Patch Process
Ghosts of Java Haunt Users
BlackHole toolkit enables attackers to exploit security holes in order to install malicious software

If a website has been hacked or displays malicious ads, they can exploit the vulnerable software on your computer. To help prevent this, install and use Secunia Personal Software Inspector (PSI), a FREE security tool designed to detect vulnerable and out-dated programs/plug-ins which expose your computer to malware infection.



A large number of infections are contracted and spread by visiting gaming sites, porn sites, using pirated software (warez), cracking tools and keygens where visitors may encounter drive-by downloads through exploitation of a web browser or an operating system vulnerability. Security researchers looking at World of Warcraft and other online games have found vulnerabilities that exploit the system using online bots and rootkit-like techniques to evade detection in order to collect gamer's authentication information so they can steal their accounts.

Dangers of Gaming Sites:

The design of online game architecture creates an open door for hackers...hackers and malware hoodlums go where the pickings are easy -- where the crowds gather. Thus, Internet security experts warn game players that they face a greater risk of attack playing games online because few protections exist....traditional firewall and antimalware software applications can't see any intrusions. Game players have no defenses...Online gaming sites are a major distribution vehicle for malware....

MMO Security: Are Players Getting Played?
Malware Makers Target Online Games to Spread Worms
Microsoft warns game developers of cyber thieves
online game + online trade = Trojan Spy
Real Flaws in Virtual Worlds: Exploiting Online Games

Dangers of Cracking & Keygen Sites:

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

Dangers of Warez Sites:

...warez/piracy sites ranked the highest in downloading spyware...just opening the web page usually sets off an exploit, never mind actually downloading anything. And by the time the malware is finished downloading, often the machine is trashed and rendered useless.

University of Washington spyware study

Dangers of Porn Sites:

Websites related to pornography that appear to be compromised were found by Trend Micro engineers loading malicious JavaScript which redirects users onto malicious domains that ultimately lead to the download of an MBR rootkit onto the affected system.

Porn Sites Lead to MBR Rootkit


Infections spread by using torrent, peer-to-peer (P2P) and file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. File sharing networks are thoroughly infected and infested with malware according to Senior Virus Analyst, Norman ASA. Malicious worms, backdoor Trojans IRCBots, and rootkits spread across P2P file sharing networks, gaming, porn and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans, and spyware.

Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. Hackers are also known to exploit Flash vulnerabilities which can lead to malware infection. When visiting a website that hosts an HTML page which requires a Flash script, users may encounter a malicious Flash redirector or malicious script specifically written to exploit a vulnerability in the Flash Interpreter which causes it to execute automatically in order to infect a computer.

• Analyzing and Detecting Malicious Flash Advertisements
• Malvertising: The Use of Malicious Ads to Install Malware - Example: Malicious Flash Banner Ad
• Macromedia Flash Player Lets Malicious Flash Media Files Execute Scripts
• Attackers exploit latest Flash bug

Keep in mind that even legitimate websites can display malicious ads.

...Internet users are 21 times more likely to become infected by visiting a legitimate online shopping site than by visiting a site used for illegal file-sharing...The problem isn't in the sites themselves; it's in the ads...

Mainstream Websites More Likely to Harbor Malware

...According to Ciscos annual 2013 Security Report internet users are 182 times more likely to get malware from clicking on online ads than visiting a porn site...

Clicking Online Ads More Likely To Deliver Malware Than Surfing Porn Sites
Cisco Annual Security Report: Threats Step Out of the Shadows


Infection can also spread by visiting popular social sites and through emails containing links to websites that exploit security hole's in your web browser. When you click on an infected email link or spam, Internet Explorer launches a site that stealthy installs a Trojan so that it can run every time you startup Windows and download more malicious files. Email attachments ending with a .exe, .com, .bat, or .pif from unknown sources can be malicious and deliver dangerous Trojan downloaders, worms and viruses which can utilize your address book to perpetuate its spread to others.

At least one in 10 web pages are booby-trapped with malware...The tricks include hacking into a web server to plant malware, or planting it within third-party widgets or advertising...

About eight out of every 10 Web browsers are vulnerable to attack by exploits...Even worse, about 30% of browser plug-ins are perpetually unpatched...

One in 10 web pages laced with malware
Bulk of browsers found to be at risk of attack

Researchers at the CA Security Advisor Research Blog have reported finding MySpace user pages carrying the dangerous Virut url. The Koobface Worm has beem found to attack both Facebook and MySpace users. YouTube users have been exploited by the Storm Worm. MSN Messenger, AIM and other Instant Messaging programs are also prone to malware attacks.

• Conficker worm's copycat Neeris spreading over IM
• IM attacks get nastier
• MSN Most Dangerous IM Client in 2007
• IM attacks up nearly 80%

Infections can spread when using a flash drive. In fact, one in every eight malware attacks occurs via a USB device. This type of infection usually involve malware that modifies/loads an autorun.inf (text-based configuration) file into the root folder of all drives (internal, external, removable) along with a malicious executable. When removable media such as a CD/DVD is inserted (mounted), autorun looks for autorun.inf and automatically executes the malicious file to run silently on your computer. For flash drives and other USB storage, autorun.ini uses the Windows Explorer's right-click context menu so that the standard "Open" or "Explore" command starts the file. Malware modifies the context menu (adds a new default command) and redirects to executing the malicious file if the "Open" command is used or double-clicking on the drive icon. When a flash drive becomes infected, the Trojan will infect a system when the removable media is inserted if autorun has not been disabled. Keeping autorun enabled on USB and other removable drives has become a significant security risk as they are one of the most common infection vectors for malware which can transfer the infection to your computer. To learn more about this risk, please read:

• When is AUTORUN.INF really an AUTORUN.INF?
• Nick Brown's blog: Memory stick worms
• USB-Based Malware Attacks

Many security experts recommend you disable Autorun as a method of prevention and to Maximize the Protection of your Removable Drives. Microsoft recommends doing the same.

• Microsoft Security Advisory (967940): Update for Windows Autorun
• Microsoft Article ID: 971029: Update to the AutoPlay functionality in Windows

Note: If using Windows 7, be aware that in order to help prevent malware from spreading, the Windows 7 engineering team made important changes and improvements to AutoPlay so that it will no longer support the AutoRun functionality for non-optical removable media.


Other types of infections spread by downloading malicious applets, Clickjacking or by visiting legitimate web sites that have been compromised through various hacking techniques (i.e. Cross-Site Scripting, Cross-Site Request Forgery) used to host and deliver malware via malicious code, automated SQL Injection (injecting HTML code that will load a JavaScript redirector) and exploitation of the browser/operating system vulnerabilities.

• JavaScript SQL Injection
• Taxonomy of Online Security and Privacy Threats
• Malicious website evolution
• Malicious HTML Tags Embedded in Client Web Requests
• Rogue JavaScript code infecting Web sites
• IFrame Hack (PHP Exploit)
• Vulnerabilities Allow Attacker to Impersonate Any Website

...More than 90 percent of these webpages belong to legitimate sites that have been compromised through hacking techniques such as SQL Injection...Hackers are apparently planting viruses into websites instead of attaching them to email. Users without proper security in place get infected by simply clicking on these webpages.

One webpage gets infected by virus every 5 seconds

• SQL Injection Overview
• Threat and Vulnerability Mitigation: SQL Injection

Phishing is an Internet scam that uses spoofed email and fraudulent Web sites which appear to come from or masquerade as legitimate sources. The fake emails and web sites are designed to fool respondents into disclosing sensitive personal or financial data which can then be used by criminals for financial or identity theft. The email directs the user to visit a web site where they are asked to update personal information such as passwords, user names, and provide credit card, social security, and bank account numbers, that the legitimate organization already has. Spear Phishing is a highly targeted and coordinated phishing attack using spoofed email messages directed against employees or members within a certain company, government agency, organization, or group. These fraudulent emails and web sites, however, may also contain malicious code which can spread infection.

Pharming is a technique used to redirect as many users as possible from the legitimate commercial websites they intended to visit and lead them to fraudulent ones. The bogus sites, to which victims are redirected without their knowledge, will likely look the same as a genuine site. However, when users enter their login name and password, the information is captured by criminals. Pharming involves Trojans, worms, or other technology that attack the browser and can spread infection. When users type in a legitimate URL address, they are redirected to the criminal's web site. Another way to accomplish these scam is to attack or "poison the DNS" (domain name system) rather than individual machines. In this case, everyone who enters a valid URL will instead automatically be taken to the scammer's site.

Finally, backing up infected files, is a common source of reinfection if they are restored to your computer. Generally, you can back up all your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml ) files because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise itself by hiding a file extension or adding to the existing extension as shown here (click Figure 1 to enlarge) so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions.

Now that you know How malware spreads, you may want to read Best Practices for Safe Computing - Prevention which includes tips to protect yourself against malware infection.