NEWS FROM THE LAB - Friday, March 7, 2008

From SMTP to HTTP to FTP Posted by Mikko @ 10:03 GMT

A year or two ago, the malware author's preferred way of spreading their wares was via e-mail attachments. We all remember mass outbreaks like Bagle, Mydoom and Warezov.

Well, sending EXE attachments in e-mail doesn't work anymore. Almost every organization is now dropping such risky attachments from their e-mail traffic.

So virus writers have made a clear shift away from e-mail attachments to the Web: drive-by-downloads. This attack often still starts with an e-mail spam run; there's just no attachments in the e-mail anymore as it has been replaced by a web link.

Some of these malicious web sites use exploits to infect you just by visiting a web page, others use compelling stories to fool you into downloading and running a program from the page.

Many have missed this shift of attacks from e-mail to the web. There's a lot of companies measuring their risk of getting infected by looking at the amount of stopped attachments at their e-mail gateway. Those numbers are definitely going down, but the actual risk of getting infected probably isn't.

Those organizations that are not scanning their web traffic for malware should seriously consider starting to do it, right now.

However, virus writers are moving again. We're now seeing more and more malicious e-mails that link to malware — not via HTTP but via FTP links.

Case in point, a fake Hallmark greeting card spam we saw today:


As you can see, the link takes you to an owned computer which has an FTP site setup on it.


And when the executable is downloaded, it turns out to be a Zapchast mIRC-bot variant.


Better make sure your gateway scanner is configured to scan FTP traffic as well. Our F-Secure Internet Gatekeeper does this by default.