July 8, 2010

Social media attacks dominate first half of 2010 malware trends

8 July, 2010
By Mark Cox




Security software vendor Norman has issued a report detailing the top Internet security threat trends for 2010, and the company focuses on social media attacks as a key trend so far.

"Cyber criminals are putting increasing emphasis on using social media platforms like Facebook and Twitter as effective 'spread mechanisms' for malicious software," said Arvid Gomez, Norman vice president, OEM and Technology. "In the past, they put nearly all of their efforts into compromising PC operating systems. As social media use becomes part of the fabric of our daily life, Internet users need to make certain they are taking the necessary steps to protect their privacy and security."

One example of social media malicious software gaining momentum in the first half of 2010 is W32/Koobface. Malware in the W32/Koobface family first appeared in 2008, became widespread during 2009, and continues to be a major threat to Facebook users in 2010.

A computer infected by Koobface automatically sends messages with malicious links to the computer owner's contacts on various social networking sites. The worm will search through cookies on the computer looking for login credentials for various social networking sites. Using the information gathered from the cookies, the worm connects to these sites and starts sending messages to friends and contacts.

Norman security experts also note that fake antivirus programs continued to plague many home PC and business users. Rogue antimalware programs have been around for a long time. In recent years, however, they have become increasingly widespread and now represent a major problem. These programs can be difficult to eradicate, as they often consist of many different malicious elements.

The most-used spreading mechanism for rogue antimalware programs is "drive-by infections" delivered when users visit web sites. A popular technique is to manipulate search engines to display results from web sites that are infected by fake antimalware. The rogue programs often focus on "hot" search words, which might include major events, like the World Cup, and other topics such as celebrities and entertainment that people usually search for heavily. New, unplanned events are also ideal for search engine manipulation.

In the "good old days" of malicious programs, security organizations and users faced a less complex malware threat. The most-used technique for a malware author was to create one malicious program, using different techniques for propagation. Now, Norman experts see malware cocktails as the general trend. These cocktails are composed of a whole range of different types of malicious programs, as well as the same types with various malicious functionalities.

Such malware cocktails are often delivered with a rootkit, which makes detection significantly more challenging. A rootkit is typically malicious software which is designed to gain administrator-level control over a computer system without being detected.

One malware cocktail that was a big problem in the first half of 2010 was the TDSS program. TDSS is malicious software designed to hide the existence of any process on the infected machine in order to perform harmful and dangerous actions. TDSS may also replace essential system executable files, which may then be used to hide processes and files installed by the attackers.

Thus, the challenge for "the good guys" is fundamentally changed as it no longer suffices to detect and remove one specific malicious program. Other parts of the malware cocktail may still be active on the infected computer/network and re-infect and/or download new components. This severely complicates the task of cleaning infected systems.

Of course, tried-and-true malware like Conficker is still kicking around and should not be taken lightly. The Conficker worm first appeared near the end of 2008, and the Conficker family of worms reached its peak in 2009. However, it was still a major problem for many users during the first half of 2010.

W32/Conficker exists in several variants and is a network propagating worm that has the ability to update itself by downloads from the Internet. These downloads are from a subset of servers chosen by the worm from a large set of potential download servers.













