BleepingComputer.com: How Malware Spreads - How did I get infected

Hackers, malware writers and attackers have a variety of motives for installing malevolent software and use various methods and sophisticated techniques to spread their malicious programs:

• Who creates malware and why?
  
• Origin of Malware

Rogue security programs are one of the most common sources of malware infection. They infect machines by using social engineering and scams to trick a user into spending money to buy a an application which claims to remove malware. They typically use bogus warning messages and alerts to indicate that your computer is infected with spyware or has critical errors as a scare tactic to goad you into downloading a malicious security application to fix it. The alerts can mimic system messages so they appear as if they are generated by the Windows Operating System. It is not unusual for malware writers to use the names of popular and legitimate security programs as part of the name for a fake anti-virus software in order to trick people into using them. There are at least two rogue security programs that use part of or all of the Malwarebytes name. There are also rogues for SmitfraudFixTool, VundoFixTool, Spybot Search and Destroy, Avira AntiVir and many more. Even Microsoft has been targeted by attackers using such names as Microsoft Security Essentials, MS Anti-virus for their programs and incorporating the names Defender, XP, and Vista into naming schemes for other rogue applications.

Rogue antispyware programs are responsible for launching unwanted pop ups, browser redirects and downloading other malicious files so the extent of the infection can vary to include backdoor Trojans, Botnets, IRCBots and rootkits which compromise the computer and make the infection more difficult to remove. For more specific information on how these types of rogue programs and infections install themselves, read:

• Anatomy of a malware scam
  
• How does rogue security software get on my computer?
  
• How to Tell If That Pop-Up Window Is Offering You a Rogue Anti-Malware Product
  
• Social engineering in action: how web ads can lead to malware

Infections spread by malware writers and attackers exploiting unpatched security holes or vulnerabilities in older versions of popular software such as Adobe, Java, Windows Media Player and the Windows operating system itself. Software applications are a favored target of malware writers who continue to exploit coding and design vulnerabilities with increasing aggressiveness.

• Time to Update Your Adobe Reader
  
• Analyzing and Detecting Malicious Flash Advertisements
  
• Microsoft: ‘Unprecedented Wave of Java Exploitation’
  
• Eight out of every 10 Web browsers are vulnerable to attack by exploits

Quote

Unpatched Adobe Vulnerability Is Still Being Exploited in the Wild

Quote

Hole in Patch Process
Ghosts of Java Haunt Users

Quote

If a website has been hacked or displays malicious ads, they can exploit the vulnerable software on your computer. To help prevent this, install and use Secunia Personal Software Inspector (PSI), a FREE security tool designed to detect vulnerable and out-dated programs/plug-ins which expose your computer to malware infection.


A large number of infections are contracted and spread by visiting gaming sites, porn sites, using pirated software (warez), cracking tools and keygens where visitors may encounter drive-by downloads through exploitation of a web browser or an operating system vulnerability. Security researchers looking at World of Warcraft and other online games have found vulnerabilities that exploit the system using online bots and rootkit-like techniques to evade detection in order to collect gamer's authentication information so they can steal their accounts.

Dangers of Gaming Sites:

Quote

MMO Security: Are Players Getting Played?
Malware Makers Target Online Games to Spread Worms
Microsoft warns game developers of cyber thieves
online game + online trade = Trojan Spy
Real Flaws in Virtual Worlds: Exploiting Online Games

Dangers of Cracking & Keygen Sites:

Quote

Keygen and Crack Sites Distribute VIRUX and FakeAV

Dangers of Warez Sites:

Quote

University of Washington spyware study

Dangers of Porn Sites:

Quote

Porn Sites Lead to MBR Rootkit


Infections spread by using torrent, peer-to-peer (P2P) and file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. File sharing networks are thoroughly infected and infested with malware according to Senior Virus Analyst, Norman ASA. Malicious worms, backdoor Trojans IRCBots, and rootkits spread across P2P file sharing networks, gaming, porn and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans, and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. Hackers are also known to exploit Flash vulnerabilities which can lead to malware infection. When visiting a website that hosts an HTML page which requires a Flash script, users may encounter a malicious Flash redirector or malicious script specifically written to exploit a vulnerability in the Flash Interpreter which causes it to execute automatically in order to infect a computer.

• Analyzing and Detecting Malicious Flash Advertisements
  
• Macromedia Flash Player Lets Malicious Flash Media Files Execute Scripts
  
• Attackers exploit latest Flash bug

Infection can also spread by visiting popular social sites and through emails containing links to websites that exploit security hole's in your web browser. When you click on an infected email link or spam, Internet Explorer launches a site that stealthy installs a Trojan so that it can run every time you startup Windows and download more malicious files. Email attachments ending with a .exe, .com, .bat, or .pif from unknown sources can be malicious and deliver dangerous Trojan downloaders, worms and viruses which can utilize your address book to perpetuate its spread to others.

Quote

One in 10 web pages laced with malware
Bulk of browsers found to be at risk of attack

Researchers at the CA Security Advisor Research Blog have reported finding MySpace user pages carrying the dangerous Virut url. The Koobface Worm has beem found to attack both Facebook and MySpace users. YouTube users have been exploited by the Storm Worm. MSN Messenger, AIM and other Instant Messaging programs are also prone to malware attacks.

• Conficker worm's copycat Neeris spreading over IM
  
• IM attacks get nastier
  
• MSN Most Dangerous IM Client in 2007
  
• IM attacks up nearly 80%

Infections can spread when using a flash drive. In fact, one in every eight malware attacks occurs via a USB device. This type of infection usually involve malware that modifies/loads an autorun.inf (text-based configuration) file into the root folder of all drives (internal, external, removable) along with a malicious executable. When removable media such as a CD/DVD is inserted (mounted), autorun looks for autorun.inf and automatically executes the malicious file to run silently on your computer. For flash drives and other USB storage, autorun.ini uses the Windows Explorer's right-click context menu so that the standard "Open" or "Explore" command starts the file. Malware modifies the context menu (adds a new default command) and redirects to executing the malicious file if the "Open" command is used or double-clicking on the drive icon. When a flash drive becomes infected, the Trojan will infect a system when the removable media is inserted if autorun has not been disabled. Keeping autorun enabled on USB and other removable drives has become a significant security risk as they are one of the most common infection vectors for malware which can transfer the infection to your computer. To learn more about this risk, please read:

• When is AUTORUN.INF really an AUTORUN.INF?
  
• Nick Brown's blog: Memory stick worms
  
• USB-Based Malware Attacks

Many security experts recommend you disable Autorun as a method of prevention and to Maximize the Protection of your Removable Drives. Microsoft recommends doing the same.

• Microsoft Security Advisory (967940): Update for Windows Autorun
  
• Microsoft Article ID: 971029: Update to the AutoPlay functionality in Windows

Note: If using Windows 7, be aware that in order to help prevent malware from spreading, the Windows 7 engineering team made important changes and improvements to AutoPlay so that it will no longer support the AutoRun functionality for non-optical removable media.


Other types of infections spread by downloading malicious applets, Clickjacking or by visiting legitimate web sites that have been compromised through various hacking techniques (i.e. Cross-Site Scripting, Cross-Site Request Forgery) used to host and deliver malware via malicious code, automated SQL Injection and exploitation of the browser/operating system vulnerabilities.

• Taxonomy of Online Security and Privacy Threats
  
• Malicious website evolution
  
• Malicious HTML Tags Embedded in Client Web Requests
  
• Rogue JavaScript code infecting Web sites
  
• IFrame Hack (PHP Exploit)
  
• Vulnerabilities Allow Attacker to Impersonate Any Website

Quote

One webpage gets infected by virus every 5 seconds

• SQL Injection Overview
  
• Threat and Vulnerability Mitigation: SQL Injection

Phishing is an Internet scam that uses spoofed email and fraudulent Web sites which appear to come from or masquerade as legitimate sources. The fake emails and web sites are designed to fool respondents into disclosing sensitive personal or financial data which can then be used by criminals for financial or identity theft. The email directs the user to visit a web site where they are asked to update personal information such as passwords, user names, and provide credit card, social security, and bank account numbers, that the legitimate organization already has. Spear Phishing is a highly targeted and coordinated phishing attack using spoofed email messages directed against employees or members within a certain company, government agency, organization, or group. These fraudulent emails and web sites, however, may also contain malicious code which can spread infection.

Pharming is a technique used to redirect as many users as possible from the legitimate commercial websites they intended to visit and lead them to fraudulent ones. The bogus sites, to which victims are redirected without their knowledge, will likely look the same as a genuine site. However, when users enter their login name and password, the information is captured by criminals. Pharming involves Trojans, worms, or other technology that attack the browser and can spread infection. When users type in a legitimate URL address, they are redirected to the criminal's web site. Another way to accomplish these scam is to attack or "poison the DNS" (domain name system) rather than individual machines. In this case, everyone who enters a valid URL will instead automatically be taken to the scammer's site.

Finally, backing up infected files, is a common source of reinfection if they are restored to your computer. Generally, you can back up all your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml ) files because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise itself by hiding a file extension or adding to the existing extension as shown here (click Figure 1 to enlarge) so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions.