
How Malware Spreads - How your system gets infected

This topic is locked
No replies to this topic

#1 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 52,047 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 17 January 2010 - 10:45 AM

Hackers, malware writers and attackers use a variety of methods, sophisticated techniques and malware vectors to spread their malicious programs. They rely heavily on social engineering and scams in order to infect computers. Spam emails are used by attackers in an attempt to trick the user into opening the email and clicking on links within it or opening a malicious email attachment. Attackers have been known to use exploits and exploit kits in order to craft Web pages to exploit vulnerabilities in system and application software and spread the threat via drive-by downloads and malvertising campaigns.

Hackers and malware writers come from different age groups, backgrounds, countries, education and skill levels...with varying motivations and intents. Most malware writers and cyber-criminals today treat it as a business venture for financial gain while "script kiddies" typically do it for the thrill and boosting a reputation as being a hacker among their peers. Below are a few articles which attempt to explain who these individuals are and why they do what they do.

Keep in mind that the severity of infection will vary from system to system, some causing more damage than others especially when dealing with rootkits. The longer malware remains on a computer, the more opportunity it has to download additional malicious files and/or install malicious extensions for Internet browsers which can worsen the infection so each case should be treated on an individual basis. Severity of system infection will also determine how the disinfection process goes.
1. Rogue security programs are one of the most common sources of malware infection. They infect machines by using social engineering and scams to trick a user into spending money to buy an application which claims to remove malware. They typically use bogus warning messages and alerts to indicate that your computer is infected with spyware or has critical errors as a scare tactic to goad you into downloading a malicious security application to fix it. The alerts can mimic system messages so they appear as if they are generated by the Windows Operating System. It is not uncommon for malware writers to use the names of well known security tools and legitimate anti-virus programs as part of the name for bogus and fake software in order to trick people into using them. There were at least two rogues that used part of or all of the Malwarebytes name including this Fake and Bundled Malwarebytes Anti-Malware 2.0. There also were rogues for SmitfraudFixTool, VundoFixTool, Spybot Search and Destroy, Avira AntiVir and many more. Even Microsoft has been targeted by attackers using such names as MS Anti-virus and Windows Defender in naming schemes for rogue applications.

Rogue antispyware programs are responsible for launching unwanted pop ups, browser redirects and downloading other malicious files so the extent of the infection can vary to include backdoor Trojans, Botnets, IRCBots and rootkits which compromise the computer and make the infection more difficult to remove. For more specific information on how these types of rogue programs and infections install themselves, read:


2. Ransomware is a sophisticated form of extortion in which the attacker either locks the computer to prevent access and demands money (ransom) to unlock it or encrypts personal information (data files) and then demands money in exchange for a decryption key that can be used to retrieve the encrypted files. In most cases the greatest challenge to recovering the encrypted data has been the process of breaking the code of how the data is scrambled so it can be deciphered. Some forms of Ransomware act like rogue security software, generating bogus infection alerts and warnings to scare their victims. Older versions of ransomware typically claim the victim has done something illegal with their computer and that they are being fined by a police or government agency for the violation.


There are basically two types of ransomware. 1) File encrypting ransomware which incorporates advanced encryption algorithms that are designed to encrypt data files and demand a ransom payment from the victim in order to decrypt their data. 2) Locker ransomware which locks the victim out of the operating system so they cannot access their computer or its contents to include all files, personal data, photos, etc. Although the files are not actually encrypted, the cyber-criminals still demand a ransom to unlock the computer. Master Boot Record ransomware is a variation of Locker ransomware which denies access to the full system by attacking low-level structures on the disk essentially stopping the computer's boot process and displaying a ransom demand. Some variants will actually encrypt portions of the hard drive itself.


As noted above, Crypto malware (file encryptor ransomware) uses some form of encryption algorithm that prevents users from recovering files unless they pay a ransom or have backups of their data. Once the encryption of the data is complete, decryption is usually not feasible without contacting and paying the developer for a solution. Crypto malware typically encrypts any data file that the victim has access to since it generally runs in the context of the user that invokes the executable and does not need administrative rights. It typically will scan and encrypt whatever data files it finds on computers connected in the same network with a drive letter including removable drives, network shares, and even Dropbox mappings...if there is a drive letter on your computer it will be scanned for data files and they will be encrypted. US-CERT Alert (TA13-309A) advises that many ransomware infections have the ability to find and encrypt files located within network drives, shared (mapped network paths), USB drives, external hard drives, and even some cloud storage drives if they have a drive letter. Some crypto malware will scan all of the drive letters for files that match certain file extensions and when it finds a match, it encrypts them. Other crypto malware will use a white list of excluded folders and extensions that it will not encrypt. By using a white list, such ransomware will encrypt almost all non-system and non-executable related files that it finds.

The first known ransomware attack was the AIDS Trojan spread via floppy disks in 1989. Although Crypto malware has been around for many years, the original CryptoLocker which appeared in the beginning of September 2013 gave it widespread media attention because it demonstrated how these infections could generate a large amount of revenue for their creators. Crypto malware ransomware typically propagates itself as a Trojan, although Zcrypt was a self-replicating virus hybrid distributed via malicious email attachments, then spread through removable USB drives, and WannaCry was a worm distributed via an email malspam campaign that spread by exploiting vulnerabilities in the Windows operating system. Numerous variants of encrypting ransomware have been reported between 2013 and 2016.

Crypto malware and other forms of ransomware are typically spread and delivered through social engineering (trickery) and user interaction...opening malicious email attachments (usually from spam, an unknown or unsolicited source), clicking on a malicious link within an email or on a social networking site, and scams. Crypto malware can be disguised as fake PDF files in email attachments which appear to be legitimate correspondence from reputable companies such as banks and other financial institutions, or phony FedEx and UPS notices with tracking numbers. Attackers will use email addresses and subjects (purchase orders, bills, complaints, other business communications) that will entice a user to read the email and open the attachment. Another method involves tricking unwitting users into opening Order Confirmation emails by asking them to confirm an online e-commerce order, purchase or package shipment. Social engineering has become one of the most prolific tactics for distribution of malware, identity theft and fraud.

Attackers will use shortened malicious URLs to mask a malicious link, obfuscating a malicious destination and malicious code (script) injection (i.e. JScript or JavaScript (.js) files). Another technique uses spam emails and social engineering to infect a system by enticing users to open an infected Word document with embedded macro viruses and convince them to manually enable macros that allow the malicious code to run. Some victims have encountered crypto malware from ransomware malware executables, a packaged NW.js application using JavaScript, spam containing attachments with zipped .js files or following a previous infection from one of several botnets such as Zbot (frequently used in the cyber-criminal underground) which downloads and executes the ransomware as a secondary payload from infected websites. Nemucod is a well-known JavaScript malware family that arrives via spam email and downloads additional malware to include ransomware variants.

Crypto malware can also be delivered via malvertising campaigns, non-malware (fileless) attacks, exploits, exploit kits and drive-by downloads when visiting compromised web sites...see US-CERT Alert (TA14-295A). An Exploit Kit is a malicious tool with pre-written code used by cyber criminals to exploit vulnerabilities (security holes) in outdated or insecure software applications and then execute malicious code. Currently the Angler, RIG, Magnitude, Neutrino, and Nuclear exploit kits are the most popular.

RaaS (Ransomware as a Service) is ransomware hosted on the TOR network that allows "affiliates" to generate a ransomware and distribute it any way they want. The RaaS developer will collect and validate payments, issue decrypters, and send ransom payments to the affiliate, keeping 20% of the collected ransoms. Another scenario has involved attackers installing and spreading ransomware by targeting Remote Desktop or Terminal Services, especially on servers. The attacker brute forces weak passwords on computers running Remote Desktop (RDP) or Terminal Services. Once the attacker gains access to a target computer, they download and install a package that generates the encryption keys, encrypts the data files, and then uploads various files back to the hacker via the terminal services client.


Kaspersky has reported brute force attacks against RDP servers are on the rise.

There also have been reported cases where crypto malware has spread via YouTube ads and on social media, a popular venue where cyber-criminals can facilitate the spread of all sorts of malicious infections.

Most security experts will advise against paying the ransom demands of the malware writers because doing so only helps to finance their criminal enterprise and keep them in business. One of the reasons that folks get infected is because someone before them paid the bad guys to decrypt their data. The more people that pay the ransom, the more cyber-criminals are encouraged to keep creating ransomware for financial gain. Further, there is no guarantee that paying the ransom will actually result in the restoration (decryption) of your files. Since many victims know there is no guarantee with paying the ransom, some cyber-criminals offer customer support and live Support Chat to help with decryption. Then the question becomes...should I trust that support?


3. Infections are spread by malware writers and attackers exploiting unpatched security holes or vulnerabilities in older versions of popular software such as Adobe, Java, Windows Media Player and the Windows operating system itself. Software applications are a favored target of malware writers who continue to exploit coding and design vulnerabilities with increasing aggressiveness.

Another PDF sample that exploits an unpatched vulnerability in Adobe Reader and Acrobat has been spotted in the wild...

Unpatched Adobe Vulnerability Is Still Being Exploited in the Wild

...your machine may still be vulnerable to attacks if you never bother to uninstall or remove older versions of the software...a malicious site could simply render Java content under older, vulnerable versions of Sun's software if the user has not removed them....

Hole in Patch Process
Ghosts of Java Haunt Users
BlackHole toolkit enables attackers to exploit security holes in order to install malicious software

If a website has been hacked or displays malicious ads, they can exploit the vulnerable software on your computer.

The majority of computers get infected from visiting a specially crafted webpage that exploits one or multiple software vulnerabilities. It could be by clicking a link within an email or simply browsing the net, and it happens silently without any user interaction whatsoever.

Web Exploits

Exploit kits are a type of malicious toolkit used to exploit security holes found in software applications...for the purpose of spreading malware. These kits come with pre-written exploit code and target users running insecure or outdated software applications on their computers.

Tools of the Trade: Exploit Kits

To help prevent this, install and use Secunia Personal Software Inspector (PSI), a FREE security tool designed to detect vulnerable and outdated programs/plug-ins which expose your computer to malware infection.

4. A large number of infections are contracted and spread by visiting gaming sites, porn sites, using pirated software (warez), cracking tools, hacking tools and keygens where visitors may encounter drive-by downloads through exploitation of a web browser or an operating system vulnerability. Security researchers looking at World of Warcraft and other online games have found vulnerabilities that exploit the system using online bots and rootkit-like techniques to evade detection in order to collect gamers' authentication information so they can steal their accounts.

Dangers of Gaming Sites:

The design of online game architecture creates an open door for hackers...hackers and malware hoodlums go where the pickings are easy -- where the crowds gather. Thus, Internet security experts warn game players that they face a greater risk of attack playing games online because few protections exist....traditional firewall and antimalware software applications can't see any intrusions. Game players have no defenses...Online gaming sites are a major distribution vehicle for malware....

MMO Security: Are Players Getting Played?
Malware Makers Target Online Games to Spread Worms
Microsoft warns game developers of cyber thieves
online game + online trade = Trojan Spy
Real Flaws in Virtual Worlds: Exploiting Online Games

Dangers of Cracking & Keygen Sites:

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

Dangers of Warez Sites:

...warez/piracy sites ranked the highest in downloading spyware...just opening the web page usually sets off an exploit, never mind actually downloading anything. And by the time the malware is finished downloading, often the machine is trashed and rendered useless.

University of Washington spyware study
5. Infections are spread by using torrent, peer-to-peer (P2P) and file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. In some cases the computer could be turned into a botnet or zombie. File sharing networks are thoroughly infected and infested with malware according to Senior Virus Analyst, Norman ASA. Malicious worms, backdoor Trojans, IRCBots, and rootkits spread across P2P file sharing networks, gaming, porn and underground sites.

Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans, and spyware.

Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. Hackers are also known to exploit Flash vulnerabilities which can lead to malware infection. When visiting a website that hosts an HTML page which requires a Flash script, users may encounter a malicious Flash redirector or malicious script specifically written to exploit a vulnerability in the Flash Interpreter which causes it to execute automatically in order to infect a computer.

Keep in mind that even legitimate websites can display malicious ads and be a source of malware infection.

...Internet users are 21 times more likely to become infected by visiting a legitimate online shopping site than by visiting a site used for illegal file-sharing...The problem isn't in the sites themselves; it's in the ads...

Mainstream Websites More Likely to Harbor Malware

...According to Cisco's annual 2013 Security Report internet users are 182 times more likely to get malware from clicking on online ads than visiting a porn site...

Clicking Online Ads More Likely To Deliver Malware Than Surfing Porn Sites
Cisco Annual Security Report: Threats Step Out of the Shadows

6. Infection can also spread by visiting popular social sites and through emails containing links to websites that exploit security holes in your web browser. When you click on an infected email link or spam, Internet Explorer launches a site that stealthily installs a Trojan so that it can run every time you start up Windows and download more malicious files. Email attachments ending with a .exe, .com, .bat, or .pif from unknown sources can be malicious and deliver dangerous Trojan downloaders, worms and viruses which can utilize your address book to perpetuate their spread to others.

At least one in 10 web pages are booby-trapped with malware...The tricks include hacking into a web server to plant malware, or planting it within third-party widgets or advertising...About eight out of every 10 Web browsers are vulnerable to attack by exploits...Even worse, about 30% of browser plug-ins are perpetually unpatched...

One in 10 web pages laced with malware
Bulk of browsers found to be at risk of attack

Researchers at the Global Security Advisor Research Blog have reported finding pornographic virus variants on Facebook. The Koobface Worm has been found to attack both Facebook and MySpace users. Virus Bulletin has reported MySpace attacked by worm, adware and phishing. Some MySpace user pages have been found carrying the dangerous Virut. Malware has been discovered on YouTube and it continues to have a problem with malware ads. MSN Messenger, AIM and other Instant Messaging programs are also prone to malware attacks.


7. Infections can spread when using a flash drive. In fact, one in every eight malware attacks occurs via a USB device. This type of infection usually involves malware that modifies/loads an autorun.inf (text-based configuration) file into the root folder of all drives (internal, external, removable) along with a malicious executable. Autorun.inf can be exploited to allow a malicious program to run automatically without the user knowing since it is a loading point for legitimate programs. When removable media such as a CD/DVD is inserted (mounted), autorun looks for autorun.inf and automatically executes the malicious file to run silently on your computer. For flash drives and other USB storage, autorun.inf uses the Windows Explorer's right-click context menu so that the standard "Open" or "Explore" command starts the file. Malware modifies the context menu (adds a new default command) and redirects to executing the malicious file if the "Open" command is used or double-clicking on the drive icon. When a flash drive becomes infected, the Trojan will infect a system when the removable media is inserted if autorun has not been disabled. Keeping autorun enabled on USB and other removable drives has become a significant security risk as they are one of the most common infection vectors for malware which can transfer the infection to your computer.

To learn more about this risk, please read:

Many security experts recommend you disable Autorun as a method of prevention and to Maximize the Protection of your Removable Drives. Microsoft recommends doing the same.

Note: If using Windows 7, be aware that in order to help prevent malware from spreading, the Windows 7 engineering team made important changes and improvements to AutoPlay so that it will no longer support the AutoRun functionality for non-optical removable media.

8. Other types of infections spread by downloading malicious applets, Clickjacking or by visiting legitimate web sites that have been compromised through various hacking techniques (i.e. Cross-Site Scripting, Cross-Site Request Forgery) used to host and deliver malware via malicious code, automated SQL Injection (injecting HTML code that will load a JavaScript redirector) and exploitation of the browser/operating system vulnerabilities.

...More than 90 percent of these webpages belong to legitimate sites that have been compromised through hacking techniques such as SQL Injection...Hackers are apparently planting viruses into websites instead of attaching them to email. Users without proper security in place get infected by simply clicking on these webpages.

One webpage gets infected by virus every 5 seconds

9. Phishing is an Internet scam that uses spoofed email and fraudulent Web sites which appear to come from or masquerade as legitimate sources. The fake emails and web sites are designed to fool respondents into disclosing sensitive personal or financial data which can then be used by criminals for financial or identity theft. The email directs the user to visit a web site where they are asked to update personal information such as passwords, user names, and provide credit card, social security, and bank account numbers, that the legitimate organization already has. Spear Phishing is a highly targeted and coordinated phishing attack using spoofed email messages directed against employees or members within a certain company, government agency, organization, or group. These fraudulent emails and web sites, however, may also contain malicious code which can spread infection.

Pharming is a technique used to redirect as many users as possible from the legitimate commercial websites they intended to visit and lead them to fraudulent ones. The bogus sites, to which victims are redirected without their knowledge, will likely look the same as a genuine site. However, when users enter their login name and password, the information is captured by criminals. Pharming involves Trojans, worms, or other technology that attack the browser and can spread infection. When users type in a legitimate URL address, they are redirected to the criminal's web site. Another way to accomplish this scam is to attack or "poison the DNS" (domain name system) rather than individual machines. In this case, everyone who enters a valid URL will instead automatically be taken to the scammer's site.


10. Tech Support Scamming through unsolicited phone calls, browser pop-ups and emails from "so-called Support Techs" advising "your computer is infected with malware", "All Your Files Are Encrypted" and other fake "alert messages" has become an increasingly common scam tactic over the past several years. The scams may involve web pages with screenshots of fake Microsoft (Windows) Support messages, fake reports of suspicious activity, fake warnings of malware found on your computer, fake ransomware and fake BSODs, most of which include a tech support phone number to call in order to fix the problem. If you call the phone number (or they called you), scammers will talk their victims into allowing them remote control access of the computer so they can install a Remote Access Trojan in order to steal passwords and other sensitive personal information which could then be used to access bank accounts or steal a person's identity.

For more information about how these scams work and resources to protect yourself, please read Beware of Phony Emails & Tech Support Scams.

Finally, backing up infected files is a common source of reinfection if they are restored to your computer. Generally, you can back up all your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to back up any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml) because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise themselves by hiding a file extension or by adding double file extensions and/or space(s) in the file's name to hide the real extension as noted here, so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions.

Now that you know How malware spreads, you may want to read Best Practices for Safe Computing - Prevention which includes tips to protect yourself against malware infection.

Edited by quietman7, 22 November 2018 - 12:41 PM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

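The following is an added example, not code from quietman7's post or from BleepingComputer. It turns two pieces of advice from the post into a small audit script: step 7's warning about autorun.inf on removable drives, and the closing paragraph's list of file types that should not be backed up (executables, screensavers, scripts, archives, and names with double extensions or padding spaces that hide the real extension). It parses an autorun.inf for the keys that actually launch a program (open, shellexecute and shell\<verb>\command; icon, label and action only change appearance), then walks a folder and labels suspicious file names. The drive layout, the autorun.inf text and every file name below are constructed sample data; the extension lists are my own reading of the post, extended with .js and .vbs.

```python
import tempfile
from pathlib import Path

# Extension groups drawn from the post's backup advice (assumed lists, .js/.vbs added by me).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".pif", ".scr"}
SCRIPT_EXTS = {".php", ".asp", ".htm", ".html", ".xml", ".js", ".vbs"}
ARCHIVE_EXTS = {".zip", ".cab", ".rar"}

# Constructed autorun.inf shaped like the technique in step 7: the [autorun] section
# points the default "Open" action at an executable hidden in a folder on the drive.
SAMPLE_AUTORUN = r"""
[autorun]
; constructed sample for the audit below, not a real malware artifact
open=RECYCLER\setup.exe
shell\open\command=RECYCLER\setup.exe
action=Open folder to view files
icon=%SystemRoot%\system32\shell32.dll,4
"""


def parse_autorun(text):
    """Return (key, command) pairs from the [autorun] section that would launch a program.

    Keys that cause execution: open, shellexecute and shell\<verb>\command.
    Cosmetic keys (icon, label, action) are ignored; 'action' only relabels the menu entry.
    """
    section = None
    launches = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        launches_program = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if launches_program:
            launches.append((key, value))
    return launches


def classify(name):
    """Label a file name following the post's 'what not to back up' advice.

    Returns one of: executable, script, archive, double-extension,
    padded-extension (spaces hide the real extension), or ok.
    """
    base, dot, ext = name.rpartition(".")
    if not dot:
        return "ok"
    ext = "." + ext.lower()
    if ext in EXECUTABLE_EXTS or ext in SCRIPT_EXTS:
        if base != base.rstrip():          # "invoice.pdf      .exe"
            return "padded-extension"
        if "." in base:                    # "vacation.jpg.scr"
            return "double-extension"
        return "executable" if ext in EXECUTABLE_EXTS else "script"
    if ext in ARCHIVE_EXTS:
        return "archive"
    return "ok"


def audit_tree(root):
    """Walk a drive or backup folder and list everything the post says to treat with suspicion."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.lower() == "autorun.inf":
            for key, value in parse_autorun(path.read_text(errors="replace")):
                findings.append((rel, f"autorun-launch {key}={value}"))
            continue
        label = classify(path.name)
        if label != "ok":
            findings.append((rel, label))
    return findings


def build_demo(root):
    """Create a constructed fake removable-drive layout (placeholder bytes, nothing executable)."""
    root = Path(root)
    (root / "autorun.inf").write_text(SAMPLE_AUTORUN)
    for name in ("RECYCLER/setup.exe", "vacation.jpg.scr", "invoice.pdf      .exe",
                 "photos/beach.jpg", "docs/report.docx", "tools.zip", "index.html"):
        target = root / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"constructed sample content")
    return root


def run_demo():
    """Build the sample drive in a temporary folder and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_tree(build_demo(tmp))


if __name__ == "__main__":
    for rel, label in run_demo():
        print(f"{label:<40} {rel}")
```

Point `audit_tree()` at the root of a mounted flash drive or at the folder you are about to burn to CD/DVD; anything it reports deserves a look before it goes into the backup, and an autorun.inf with a launch command on a USB stick is a strong sign the stick has been touched by the kind of malware step 7 describes.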
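A second added example (mine, not from the post or from Kaspersky) for the RDP scenario in step 2, where ransomware operators brute force weak Remote Desktop passwords: a detector that reads constructed Windows Security log records in a simplified key=value form (not real event-log output), counts failed RemoteInteractive logons (event 4625, logon type 10) per source address inside a sliding window, and raises a second, stronger alert when a successful logon (event 4624) from the same source follows the burst. The 5-failure threshold, the 5-minute window, the record format and the addresses are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real Windows event-log output).
# EventID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = """\
2018-11-22T03:14:01Z EventID=4625 LogonType=10 Account=administrator Source=203.0.113.45
2018-11-22T03:14:09Z EventID=4625 LogonType=10 Account=administrator Source=203.0.113.45
2018-11-22T03:14:18Z EventID=4625 LogonType=10 Account=admin Source=203.0.113.45
2018-11-22T03:14:30Z EventID=4625 LogonType=2 Account=jsmith Source=127.0.0.1
2018-11-22T03:14:41Z EventID=4625 LogonType=10 Account=backup Source=198.51.100.7
2018-11-22T03:14:55Z EventID=4625 LogonType=10 Account=administrator Source=203.0.113.45
2018-11-22T03:15:02Z EventID=4625 LogonType=10 Account=administrator Source=203.0.113.45
2018-11-22T03:15:40Z EventID=4625 LogonType=10 Account=backup Source=198.51.100.7
2018-11-22T03:16:12Z EventID=4625 LogonType=10 Account=administrator Source=203.0.113.45
2018-11-22T03:17:03Z EventID=4624 LogonType=10 Account=administrator Source=203.0.113.45
"""

WINDOW = timedelta(minutes=5)   # assumed: failures are counted inside a 5 minute sliding window
THRESHOLD = 5                   # assumed: this many failures from one source raises an alert


def parse_event(line):
    """Turn one record into a dict; the first token is the UTC timestamp."""
    ts, *fields = line.split()
    event = {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect_rdp_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return alerts as tuples: ('rdp-bruteforce', source, failures) or
    ('success-after-bruteforce', source, account)."""
    recent_failures = defaultdict(deque)   # source -> timestamps of 4625s still inside the window
    already_alerted = set()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        if event.get("LogonType") != "10":   # only remote desktop logons matter here
            continue
        source = event["Source"]
        queue = recent_failures[source]
        while queue and event["time"] - queue[0] > window:
            queue.popleft()                  # drop failures that fell out of the window
        if event["EventID"] == "4625":
            queue.append(event["time"])
            if len(queue) >= threshold and source not in already_alerted:
                already_alerted.add(source)
                alerts.append(("rdp-bruteforce", source, len(queue)))
        elif event["EventID"] == "4624" and len(queue) >= threshold:
            # a success riding on a burst of failures is the strongest sign of a guessed password
            alerts.append(("success-after-bruteforce", source, event["Account"]))
    return alerts


def run_demo():
    """Run the detector over the constructed sample records."""
    return detect_rdp_bruteforce(SAMPLE_EVENTS.splitlines())


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The local failure (logon type 2) and the two slow failures from 198.51.100.7 produce nothing; the burst from 203.0.113.45 trips the threshold on its fifth failure, and the later success from the same address is reported separately because that is the moment the post's scenario turns into an installed ransomware package. The fix the post points at is the same either way: no RDP exposed to the Internet with a password that can be guessed, and lockout or rate limiting in front of it.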
