The role of the internet in the modern malware

The article "Modern Internet attacks" is provided by Sophos Plc and SophosLabs.

August 2007

Over the past two years, malware has been using the Internet increasingly. The scale of this phenomenon goes far beyond malicious scripts embedded in web pages. Here are a few examples:

  • Numerous Trojan downloaders use the Internet as a file storage downloading other malicious files over HTTP.

  • Malicious scripts hosted on attacking sites are waiting for users of vulnerable browsers and use their vulnerabilities to infect the user's computer.

  • Compromised sites are a convenient tool for spreading malicious code.

  • Spam messages and bait sites are used to make the user run malicious code.

  • Malware can lead useful traffic redirection. Modern Internet advertising is a multibillion business [13,14]. Increasing the Internet traffic volume of the site by redirecting the users allows organizations and individuals to earn money with partner marketing [15].

Applications that are embedded in the browser and display targeted advertisements are usually called adware [16]. Currently, such software is widespread and is often included in other applications ("software funded by advertising"). Usually, installing adware allows you to earn money through so-called partner schemes or schemes with payment for installation. Registered partners include the installation package in their application that connects to the adware site to download remaining components of the adware application. When connecting the server can receive the partner's details, which allows the partner to receive payment. This mechanism can be easily used by creators of malicious programs that install adware on compromised computers without notifying the user. A detailed description of adware concept can be found in various sources, so it isn't described in this document.

For creators of malware, Internet is an ideal environment that allows various combinations of the techniques described above. Modern threats use spam and web baits with scripts that use vulnerabilities to ensure efficient infection of the users' computers. Fig. 1 shows an overview of some key roles the Internet plays in modern malware attacks.

Fig. 1. An overview of the various ways the internet is used in modern malware. The internet can serve both as a plain file store (used by Trojan downloaders), as well as a base for attacking sites that use browser vulnerabilities to infect the user's computers when they visit a compromised site (drive-by download).

These roles are described in this document with examples of various malware attacks.