Quite regularly, I get feedback from our customers that they've found malware on their computer, and don't know how it got there.
While you may think this is due to malware exploiting unpatched bugs in the Windows operating system, it isn't: these customers are predominantly using OS X, and they usually have all the latest patches applied. However, the malware they're finding is indeed often for MS Windows operating systems.
So are they infected? How did it happen? How COULD it happen?
The real story is both simple and a bit disturbing: our scanners are detecting these files in a few key locations: the email cache folder, email attachments folder, web cache folder, web downloads folder, and the Java web cache folder. See a pattern here?
These people are victims of drive-by downloads and malicious spam campaigns. Without visiting any shady parts of the internet, they have managed to pick up a collection of malware that, if successfully run, would likely result in their computer becoming part of a botnet.
Now, seeing that most of the software won't run under their current configuration, this isn't as much of an issue... but that assumption only lasts as long as their configuration isn't being targeted.
Here is a sampling of what Mac users are currently seeing scattered across their cache and download folders:
Troj/Gida-A: drive-by Adobe Flash download that downloads and installs botnet software
- Exp/MS04-028: drive-by JPEG download (can also show up as a false positive in partial jpeg images as it's an exploit detection) that can execute privileged code on un-patched Windows computers
- Mal/JavaDldr-B: drive-by Java download that downloads and installs more malware
- Mal/Iframe-AD: drive-by malicious HTML IFrame used in SEO-poisoned search results (often image searches)
Mal/BredoZp-B: BredoLab botnet-generated, arrives via email
- Mal/ChepVil-A: BredoLab botnet-generated, arrives via email
- Troj/Invo-Zip: Zeus botnet-generated, arrives via email. Can also show up as a false positive in incomplete temporary zip files, as it's an exploit detection.
The disturbing part of this story is two-fold: first, just being connected to the internet and using email or doing some web browsing (especially if you do image searches) is likely to expose you to this darker side of computing. Second, a number of these pieces of malware point to people becoming exposed to (not infected by) malware by visiting trusted web sites.
While this is old news, most of us, if we are completely honest, will admit to not behaving as if we know these two things -- we implicitly trust content that could be harmful to our computers.
Since the attackers can update the malicious payloads at any time, we never know when our computers may be successfully compromised by a zero day malware attack.
There are a few things you can do to mitigate these risks on any computer:
Most of these suggestions can be done once, or set up and automated (like updating software). The rest are fairly easy work flow habits that will not only keep you away from many malware headaches, but will also often clean up clutter and recover disk space you didn't know you were missing on your computer.
If nothing else, make a pledge to try for a week. For most, the benefits will significantly outweigh the inconveniences.Follow @SophosLabs