Symantec sees surge in morphing malware and JavaScript abuse

A new social engineering technique fools users into thinking they've received a legitimate file from an office printer

Proving that most malicious hackers are more than happy to employ time-tested tactics instead of developing sophisticated new techniques and tools, Symantec has reported a huge spike in generic polymorphic malware (malware that changes shape to bypass detection) spread via good old fashioned socially engineered email messages.

That's not to say that the bad guys aren't innovating at all: "Symantec's Intelligence Report: September 2011" (PDF) noted a new social engineering twist to get users to download dangerous attachments: convincingly masking malicious emails as legitimate messages sent from office printers. The security company also has witnessed more spammers and malware authors using JavaScript to hide their activities.

Generic polymorphic malware variants accounted for 72 percent of all email-borne malware in September, compared with 18.5 percent in August and 23.7 percent in July. "This unprecedented high-water mark underlines the nature by which cyber criminals have escalated their assault on businesses in 2011, fully exploiting the weaknesses of more traditional security countermeasures," wrote Paul Wood, senior intelligence analyst at Symantec.

The challenge for cyber criminals is to dupe victims into downloading and opening dangerous attachments. One new approach entails fooling users into thinking they've received an attachment sent from an office printer that has a scan-to-email capability; this feature enables users to send scanned files directly from a printer to a specified email addresses.

To pull off this dupe, hackers send users malicious emails with Subject lines stating "Scan from" followed by the convincing-looking office-printer information. The message itself contains additional fake details about the so-called scanned file, including a sender's name, the number of pages, the type of file, a device number, and possibly the printer's location in an office.

Symantec sees surge in morphing malware and JavaScript abuse

This is all intended to lull targets into a sense of security such that they'll download the attached file, which turns out to be a zip file with a malicious executable.

"To be clear, office printers and scanners will not send malware-laden files, and many are unlikely to be able to send scanned documents as zip file attachments. No printer or scanner hardware was involved in the distribution process," wrote Bhaskar Krishnappa, malware analyst at Symantec.

Additionally, Symantec reported that spammers and malware authors are increasingly using JavaScript to do their dirty deeds. And they're not just using the language to covertly redirect users to malicious sites; they're using JavaScript to obfuscate entire Web pages. Doing so enables spammers and malware authors to set up their obfuscated pages on free hosting sites without site operators realizing it.

Symantec's September Intelligence Report also covers a vulnerability in the WordPress platform, which spammers are exploiting to compromise Web servers and hide files deep with the WordPress directory structure. The files are basic HTML pages, according to Symantec, that redirects users to the Canadian Health & Care Mall spam website. WordPress-hosted blogs aren't affected by these vulnerabilities, according to the report; only older versions of software downloaded from WordPress.org.

Other findings in Symantec's report include:

  • Spam rates dipped to 74.8 percent in September, a 1.1 percent drop since August
  • One in 447.9 emails were actually phishing attempts, marking a 0.26 percent drop month over month
  • One in 188.7 emails in September contained malware, an increase of 0.04 percent
  • The number of malicious websites blocked daily rose 1 percent since last month, up to 3,474
  • 44.6 percent of all malicious domains blocked in September were new, up 10 percent since August
  • 14.5 percent of all Web-based malware blocked in September was new, down 2.9 percent since last month

This story, "Symantec sees surge in morphing malware and JavaScript abuse," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.

Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Join the discussion
Be the first to comment on this article. Our Commenting Policies