Malware in rich media and content
Cybercriminals most commonly used PDF and Shockwave Flash rich-media formats during the first half of 2009.
In their State of the Internet 2009 report, CA discusses how exploited PDFs were first used for targeted attacks and then adopted by organized cybercriminals for mass distribution of malware. These attackers implemented server-side automation to evade security scanner detection: a malicious server generates a new file for each request, so no two downloads share a signature.
Attackers also misused Shockwave Flash files to take advantage of the ActionScript feature to perform malicious activity on a user’s system. Both the PDF and Flash threats belong to the ActnS/Swif family.
Trojanized media files such as Windows Media Video and MP3 (which CA products detect as ASF/Wimad) were another prevalent infection in the first six months of 2009. A threat detected as Win32/GetCodec, discovered last year, has a very notable capability: it searches for media files in the user’s local and shared directories and modifies them so that opening the file invokes the user’s default browser against a malicious Web site. CA ISBU also discovered trojanized media files being shared through media-sharing sites and communities, reaching more target users.
Malicious image files such as GIF and JPEG are becoming notable malware distribution vectors, attempting to establish user trust via known file formats. The Windows shortcut LNK file was also spotted misusing legitimate features to connect and download malware.
Microsoft Office files were also on attackers’ lists. Office files were crafted to take advantage of zero-day and known vulnerabilities and used for targeted attacks. CA ISBU detects this family of threats as PPT97/PPDropper, X97M/EXEDropper, W97M/ExeDrop for PowerPoint, Excel and Word files, respectively. Attackers’ focus on targets of choice is particularly lucrative when the target is high value – say a high-ranking government official or business executive.
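The common thread in the formats above (PDF, Flash, ASF/MP3, GIF/JPEG, LNK, Office) is a trusted file type used as a carrier, and in the Office dropper families an executable hidden inside the document. The following triage check is an added example, not code from the CA report: it classifies a file by its leading bytes rather than its extension and scans for an embedded PE header. The signature table, extension map and sample blobs are constructed for illustration.

```python
import struct
# Magic-byte table for the carrier formats the report names (constructed, not exhaustive).
SIGNATURES = {
    b"%PDF": "pdf", b"FWS": "swf", b"CWS": "swf", b"GIF8": "gif",
    b"\xff\xd8\xff": "jpeg", b"ID3": "mp3",
    b"\x4c\x00\x00\x00\x01\x14\x02\x00": "lnk",   # Windows shortcut
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",  # legacy .doc/.xls/.ppt container
    b"\x30\x26\xb2\x75\x8e\x66\xcf\x11": "asf",   # .wmv/.wma/.asf header
}
EXT_FAMILY = {"pdf": "pdf", "swf": "swf", "gif": "gif", "jpg": "jpeg", "jpeg": "jpeg",
              "mp3": "mp3", "lnk": "lnk", "doc": "ole2", "xls": "ole2", "ppt": "ole2",
              "wmv": "asf", "wma": "asf", "asf": "asf"}

def identify(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring whatever extension it carries."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"

def find_embedded_pe(data: bytes) -> list:
    """Offsets of embedded PE images: an 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    hits, pos = [], data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits

def triage(filename: str, data: bytes) -> dict:
    """Flag an extension that contradicts the content, and any executable hidden inside."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    detected, claimed = identify(data), EXT_FAMILY.get(ext, "unknown")
    pe_offsets = find_embedded_pe(data)
    return {"detected": detected, "claimed": claimed, "mismatch": detected != claimed,
            "embedded_pe": pe_offsets, "suspicious": detected != claimed or bool(pe_offsets)}

# Constructed samples: a .doc carrying a minimal MZ/PE header pair at offset 512 (standing in
# for a dropped executable), a Flash file renamed to .jpg, and a clean PDF.
FAKE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x80) + b"\x00" * 0x40 + b"PE\x00\x00"
DROPPER_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504 + FAKE_PE
SWF_AS_JPG = b"CWS\x0a" + b"\x00" * 16
CLEAN_PDF = b"%PDF-1.4\n% constructed clean sample\n"
if __name__ == "__main__":
    for name, blob in [("report.doc", DROPPER_DOC), ("photo.jpg", SWF_AS_JPG), ("invoice.pdf", CLEAN_PDF)]:
        print(name, triage(name, blob))
```

A match on magic bytes only says what the parser will treat the file as; the embedded-PE scan is a cheap heuristic and will not see executables that a dropper stores compressed or encoded.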