McAfee: Malware Hides Behind Legitimate Companies

Trends in malware delivery include exploitation of affiliate advertising programs of legitimate Web sites, the anti-virus vendor says.

Individuals responsible for spreading nefarious adware and spyware programs are increasingly using legitimate Web sites to deliver their work to unsuspecting users, according to new research published by McAfee.

According to a report published by the anti-virus software maker on Sept. 11, adware and spyware brokers are more actively using the affiliate advertising programs offered by many Web sites to hide their code, leaving users exposed to unseen threats ultimately distributed by innocent companies.

McAfee, in Santa Clara, Calif., said the use of so-called online front companies, or Web sites made to appear as if they represent legitimate enterprises that have actually been built specifically to dispense malicious programs, is also on the rise among malware code writers.

Perhaps even more disturbing, given the existence of such fraudulent Web sites, was McAfee's finding that 97 percent of the people it recently surveyed could not consistently differentiate between legitimate URLs and sites created to spread adware and spyware.


The statistic is particularly worrisome in light of the growing use of faked sites and phishing schemes that emulate the Web pages of established online businesses such as eBay and PayPal, McAfee researchers observed.

In addition to the attacks on large online businesses, McAfee said malware writers are finding vulnerabilities on the Web sites of smaller, regional firms and using those loopholes to steal money directly from the accounts of people who unknowingly hand over personal information such as screen names and passwords. More targeted attacks such as these are harder to detect, as they seek to steal from smaller groups of people, according to Dave Marcus, security researcher and communications manager for McAfee's Avert Labs division.

"These targeted threats are far more sophisticated than what we have typically seen in the past, as they involve a lot more legwork to find the vulnerability at a certain company and then write an attack that specifically targets their customers and features all the same graphics of the business' own site," Marcus said. "This is evidence of a far more strategic approach to malware, as we see the criminals thinking two or three moves down the line, and it involves a far more businesslike mentality."

Marcus said smaller Web sites that use affiliate advertising programs to draw in revenue have become a breeding ground for many different types of malware, as many have readily available vulnerabilities and often appear completely innocuous to users. Such sites may be used to deliver adware and spyware for months or even years before researchers discover the issue and warn the Webmasters, unlike copies of larger firms' sites, which tend to get shut down or cleaned up quickly.

Since 2003, McAfee said, it has watched the number of individual adware strains rise by over 1,000 percent, with a sharp increase during the last six months. Many of the attacks involve free software programs that install malware onto users' computers alongside the applications they advertise. Hidden and vague end user license agreements bundled with the programs leave people exposed to long-term problems, as the software becomes hard to opt out of once installed, Marcus said.


The large number of software vulnerabilities being reported regularly by companies such as Microsoft has also made it easier for attackers to find sites that remain unpatched and can be used to piggyback their malware, McAfee reported.

One of the emerging threats highlighted in the report is the growing use of attacks that combine malware rootkits with bot networks, allowing code writers to hide their programs on users' computers for longer periods of time before they are discovered.

"The cutting edge of malware writers are combining things to more effectively cloak their work, and that means that they're able to keep the business going for much longer if they're careful," Marcus said. "We're also hearing about fewer major malware outbreaks, which leads us to believe that there are actually just more targeted attacks going on, far more zero-day attacks as well, and that some companies aren't reporting these things when they are eventually discovered unless required to do so by some sort of law."

Another finding of the report was that attacks using the names and likenesses of celebrities to draw in users have become a more prevalent and effective approach than those using pornography or other sex-related advertising, and that the most prolific distributors of adware are currently using celebrity-oriented Web sites.

Adware also continues to become a more profitable pursuit for code writers, according to the report, as evidenced by court testimony that recently convicted bot network operator Jeanson James Ancheta was being paid $150 for every 1,000 computers he could infect with his programs. Ancheta, 21, received a three-year prison sentence from a California District Court judge in late August.
