The Host that Overlooked the Parasite

The malware economy is always evolving and always looking out for better ways to make maximum utilization of minimal resources. Storing malicious files for retrieval at a later period, for example, was done on already infected web servers. But that meant that the malware authors were at the mercy of the system administrator monitoring that server. The moment the infected files were identified, the server hosting the malicious files would go down and the malware life cycle would thus come to an end.

The successful businessmen that they are during these harsh economic times, the malware authors then decided to include file hosting services in their arsenal. A file hosting service, as you might know, provides online storage of files. Radpishare, Megaupload, Filesonic etc. are all examples of such a service. This shift enabled the malware authors to pass on the bandwidth and disk storage cost to these sites. In addition, the reputation associated with these sites not only meant that the chances of the malicious files now being identified & reported became low, but also that the naive users were more likely to execute these malicious files, thereby increasing the malware’s time to live.

The file hosting services then brought in some checks, whereby, premium users of these sites could download files instantly at unrestricted download speeds, but regular users experienced delayed starts of downloads and restricted downloads speeds. Although unintentional, this served as a security feature in that the users were forced to look at the website before he/she could download the file. Given below is a screenshot of the countdown timer that is displayed to a regular user while downloading a file for free:

However, the opportunistic malware authors have managed to circumvent this check. This allows them to fetch the malicious files onto their victim’s machine without any user interaction whatsoever. Given below is an example of such malicious URLs which when clicked will download the file without displaying the initial countdown screen:

http://dl.dropbox.com/u/12138956/java%5BRemoved%5D.exe
https://rs533l33.rapidshare.com/files/3874050200/facebook_%5BRemoved%5Djpeg.exe
http://uppit.com/p19geeksdu4c/Premium%5BRemoved%5D.exe
http://filesonic.com/file/65464647/Profesor%5BRemoved%5D.exe

While most of these hosting services have a system in place where unlawful contents can be reported, design flaws such as these might go unnoticed. At K7TCL, we strongly urge these file hosting services to identify and fix such design flaws in their site as soon as possible. We also suggest that they run an anti-virus solution to detect such malicious files, since their apparent laxness in this regard is helping the bad guys deliver their malware.

K7computing Security Blog

About k7press

Antivirus Vendor - distributor for United Kingdom and Republic of Ireland

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s