Friday, October 24, 2008

A new vector of malware attack?

In recent times malware attacks have focused on installing malware on target computers, providing the attackers with access to and control of the PCs without necessarily disrupting their operation. The objective is to acquire large numbers of such computers to build so-called "bot nets" that can in turn be used for DDoS (Distributed Denial of Service) attacks on specific sites or as distributed relays for email spam. Organized crime as well as intelligence agencies are known to possess such bot nets and to use them. There have even been cases of one bot net's malware attacking the PCs of another bot net in order to gain control of that competitor's or enemy's assets.

The two most popular methods of acquiring large numbers of enslaved PCs are both based on email. The first involves getting the recipient of the email to open an attachment, which then installs the malware on the recipient's PC. The second is to include URL links in the email message that lead to web sites with malicious code on their pages; when the recipient lands on such a page the malware is installed. These web sites can be purpose-built malicious sites, or legitimate sites that have been compromised by attackers and are unaware of their role in the acquisition of bot nets.

Now there seems to be a third, novel approach: you receive a phone call aimed at directing you to a web site with malicious code. One I've seen recently has the caller posing as a courier informing you that a package has been sent to you from XYZ Inc. The phone call provides an 888 number and a package reference number. Not recognizing the sender, you search for them on the web, just to verify whether it is something your colleagues or family members could have ordered. When you land on that web site's page the malware is installed on your PC. If you use Google for web searches, that vendor's web site is displayed with the Google warning "This site may harm your computer". Interestingly enough, not all of the company's sites found were marked by Google as such. I tried the same search with Cuil, Yahoo, and Viewzi. Cuil did not find the company. Yahoo found sites, but none was marked with any warning, and Viewzi displayed screenshots of "20 Yahoo results", also without any warnings.

If you have seen similar calls recently, let me know.

