You practice safe computing, so why do you still see malware?

Filed Under: Adobe Flash, Apple, Featured, Java, Malware, SophosLabs, Vulnerability

Virus warningQuite regularly, I get feedback from our customers that they've found malware on their computer, and don't know how it got there.

While you may think this is due to malware exploiting unpatched bugs in the Windows operating system, it isn't: these customers are predominantly using OS X, and they usually have all the latest patches applied. However, the malware they're finding is indeed often for MS Windows operating systems.

So are they infected? How did it happen? How COULD it happen?

The real story is both simple and a bit disturbing: our scanners are detecting these files in a few key locations: the email cache folder, email attachments folder, web cache folder, web downloads folder, and the Java web cache folder. See a pattern here?

These people are victims of drive-by downloads and malicious spam campaigns. Without visiting any shady parts of the internet, they have managed to pick up a collection of malware that, if successfully run, would likely result in their computer becoming part of a botnet.

Now, seeing that most of the software won't run under their current configuration, this isn't as much of an issue... but that assumption only lasts as long as their configuration isn't being targeted.

Here is a sampling of what Mac users are currently seeing scattered across their cache and download folders:

Via web:

    Troj/Gida-A: drive-by Adobe Flash download that downloads and installs botnet software

    Exp/MS04-028: drive-by JPEG download (can also show up as a false positive in partial jpeg images as it's an exploit detection) that can execute privileged code on un-patched Windows computers

    Mal/JavaDldr-B: drive-by Java download that downloads and installs more malware

    Mal/Iframe-AA: drive-by JavaScript in hidden IFrame that redirects the user to a page that detects what their system is vulnerable to, and attempts to exploit those specific vulnerabilities with the aim that the target joins a botnet

    Mal/Iframe-AD: drive-by malicious HTML IFrame used in SEO-poisoned search results (often image searches)

Via email:

    Troj/Invo-Zip: Zeus botnet-generated, arrives via email. Can also show up as a false positive in incomplete temporary zip files, as it's an exploit detection.

Google Image searchThe disturbing part of this story is two-fold: first, just being connected to the internet and using email or doing some web browsing (especially if you do image searches) is likely to expose you to this darker side of computing. Second, a number of these pieces of malware point to people becoming exposed to (not infected by) malware by visiting trusted web sites.

While this is old news, most of us, if we are completely honest, will admit to not behaving as if we know these two things -- we implicitly trust content that could be harmful to our computers.

Since the attackers can update the malicious payloads at any time, we never know when our computers may be successfully compromised by a zero day malware attack.

There are a few things you can do to mitigate these risks on any computer:

  • Keep your computer up to date with the latest security patches.
  • Delete email with dodgy-looking content or attachments immediately.
  • View email as plain text whenever possible. Keep Javascript, Flash, and preview features disabled.
  • Maintain your downloads folder. Go through it at the end of each session and throw out what you don't need to keep. Move the rest of the contents to somewhere that makes sense on your computer.
  • Keep Flash, Java and JavaScript disabled in your web browser, except for sites that really need it.
  • Keep Flash, Java and JavaScript disabled in your PDF viewer as well, except for documents that really need it.
  • Use an up-to-date computer security package. If you don't keep active scanning enabled for your computer (speed reasons, conflicts, etc), at least configure the software to scan any new content that arrives via email or shows up in your Downlaods folder.
  • Purge your caches from time to time -- the simplest way to do this is often to reboot your computer. Email programs often give you the option to "rebuild archive" or "update database", or sometimes to purge caches. Web browsers usually allow you to purge the caches manually as well, and often let you automatically purge them when you exit your browser.

    Windows automatic updatesMost of these suggestions can be done once, or set up and automated (like updating software). The rest are fairly easy work flow habits that will not only keep you away from many malware headaches, but will also often clean up clutter and recover disk space you didn't know you were missing on your computer.

    If nothing else, make a pledge to try for a week. For most, the benefits will significantly outweigh the inconveniences.

  • , , , , , , , , , ,

    You might like

    12 Responses to You practice safe computing, so why do you still see malware?

    1. Amethystkorn · 1384 days ago

      This is why I use Ccleaner...I still manually go thru and check certain places for things ccleaner might have missed but it definitely helps get rid of everything I don't need

    2. Seek Media Group · 1384 days ago

      Is it true that one can get virus/malware from ads on trusted sites? I'm very cautious but recently got a virus. When I took the computer to the shop, they ended up removing 20 viruses from my computer. 20!! They installed Malware Bytes and Windows Security Essentials and told me that the viruses can come from ads on reputable sites, notably from local news sites.

      There is a particular site that I (used to) visit almost daily & believe to be reputable, but since installing MWB, every time I go to that site MWB box pops up saying it stopped a malicious site. At the bottom of the warning, it says: Type: outgoing...which I didn't really understand since I'd think it was incoming. I'm a little freaked out because I'm also Facebook friends with the site owner and sent him a private message telling him about this, thinking he'd want to be aware. He never responded to the message and now I'm wondering if he's coding things into the site himself? Or maybe he was just embarrassed? Any ideas?

      • Most websites these days contain contect hosted from 3rd party websites. Ads are a perfect example where they are controlled by someone else and if you look at the page source file you will see a different address to the one you are browsing. If that 3rd party becomes compromised then several other sites can also appear to be affected.

        Assuming your computer is up to date and protected the chance of getting a drive by download in this way is quite slim. Most require you to click the ad. My strategy for this is to just never click ads.

        Another good example is Facebook who until recently didnt check the links that the ads were linked to so malicious content could quite easily appear on the page but the attack vector is actually from another site and not Facebook itself.

      • Sizzle69 · 1382 days ago

        It's quite normal that admins never reply back to reports of malware on their sites. When I eventually get a response, it usually ends up in arguments but in the end they usually do something about it (especially after a scan report from virustotal and back up from Sophos support).

        Turn on an adblocker.

    3. Tom Mekeel · 1384 days ago

      This is why I recommend A/V and software firewalls on OS X. Mostly for Windows viruses, but a good software firewall (such as Little Snitch) will alert you to outgoing connections, the key component of a botnet. Just because your OS isn't the target doesn't preclude you in stopping the spread of malware web wide.

    4. TLoN · 1383 days ago

      AdBlockPlus is good too

    5. Manjula MB · 1383 days ago

      Good post. thanks a lot :)

    6. bobshelp · 1382 days ago

      Thanks for this article. Having read it carefully, I checked in my PDF XChange Viewer preferences and found that Javascript was enabled. Hm! Now I have disabled that option, and I'll be prompted for any Javascript actions. Good!

    7. david sands · 1381 days ago

      "Keep Flash, Java and JavaScript disabled in your web browser, except for sites that really need it." - how, please? (I use firefox)

    8. nobody · 1380 days ago

      @david sands

      For firefox, search Add-On (Tools menu on older Firefox versions, pre 4.0) and get Flashblock, Adblock, and NoScript. Those three work excellent.

    9. bello rotimi williams · 1380 days ago

      I am very satisfied with this tutorial on malware: its effections and preventions. Kudos.

    10. joe · 1164 days ago

      how to keep flash,java and java script disabled? someone help me

    Leave a Reply

    Fill in your details below or click an icon to log in: Logo

    You are commenting using your account. Log Out / Change )

    Twitter picture

    You are commenting using your Twitter account. Log Out / Change )

    Facebook photo

    You are commenting using your Facebook account. Log Out / Change )

    Google+ photo

    You are commenting using your Google+ account. Log Out / Change )

    Connecting to %s

    About the author

    Andrew Ludgate is a Threat Researcher for SophosLabs Canada. His research areas include Mac, Spam and Data Leakage related threats.