File storage

The article "Modern Internet attacks" is provided by Sophos Plc and SophosLabs.

August 2007

Spreading malicious content through email is a common weakness of email attacks because it allows organizations to deal with the threat by implementing strict filtering policies on incoming mail. This allows you to either block content or check it much more carefully. Malware creators often use mass-scale spam mailing lists, which include not only the main component (a backdoor program for stealing passwords or a keylogger — a keyboard spy) but also a Trojan downloader. Its only purpose is loading (usually through HTTP) and executing other content. Using a downloader gives several advantages to malware creators:

  • Separation of email messages and major malicious components.

    The load function can be implemented in a very compact binary file in many different ways. This makes it easy to create malicious files that can pass through the mail protection system. Moreover, the download does't necessarily start right after the disseminated downloader is launched. The delay makes it more difficult to detect malicious activity on the infected computer. This also lets creators escape from various behavior analysis technologies used on the computer.

  • Modification of remote content (of the main component).

    The order of attack can be easily changed by changing the content placed by the final URL. Usually it is done by the means of server atomatization. It lets you create multiple threat variations. Usually they are implemented by repacking, reencryption or automated recompilation, as a result hundreds of unique variations are created. Monitoring malicious software located at static URLs allows you to track the frequency of its updates. The use of automation is obvious. Many script families are updated several times a day, and some notorious families are rebuilt with 1-4 days intervals.

  • Phased download.

    The loader doesn't need to load the main component at once. The download mechanism can use other downloader components that load content from various domains. Often the downloader gets only the configuration file which contains further instructions regarding the download.

Table 1. Average update rate of malware families during a 30-day period.

This mechanism describes one of the most common ways of using the Internet for spreading malware. In fact, here the Internet is used as a file storage from which the needed content can be loaded. The use of automation for frequent software updates, combined with multilayer download that involves several domains, often leads to creation of highly complex infecting mechanisms, where numerous malware components and URLs are used. For malware creators, such techniques create a highly flexible environment.

Over the past two years, companies working in the field of security have recorded a sharp increase in the number of Trojan downloaders [17]. There are many such Trojan families. One of the most famous among them is Clagger [18]. This family has been modified many times to avoid being detected by antivirus software. Since February 2007, almost 80 unique variations have been detected (for example, Mal/Clagger). This downloader is usually distributed through email spam, which is seen from the time distribution of received samples (fig. 2), where bursts of activity coincide with waves of attacks. A large proportion of Clagger downloaders has been distributed to download and install malware from another infamous family, Cimuz, used for collecting Internet banking credentials [19].

Fig. 2. Distribution of Clagger samples detected since February 2007.

In 2007, there was a growth of spam emails containing just a link instead of attachments. To make the recipient click on the link, social engineering tools were used. Usually such page contains malicious script that loads and runs malware when the user visits the page.

The recent growth in eCard [20, 21, 22] spam emails is a perfect example of this type of attacks. If the user clicks a link in an email message, they go to the page similar to the one shown in Figure 3.

Fig. 3. The page displayed when the user clicks the link in the spam Mal/Dorf message.

The page contains malicious script (detected as Troj/JSXor-Gen [23]) which tries to use a number of browser vulnerabilities (see Figure 4) for downloading and running malicious Dorf [24] components. A compromised computer can be used for further spamming and hosting malicious pages (the messages sent from such computer will contain a link to it). In other Internet attacks, similar JSXor-Gen scripts are used. They are loaded when the user visits a compromised site (see section 3.1). All this serves as another proof that the Internet is a very flexible tool of attack.

Fig. 4. Snapshot of JSXor-Gen script used in a Dorf attack (top: decoded script, below: the original script).