19 Dec, 2008
Cybercriminals finding new ways to spread malware on corporate networks
For most malware authors, deriving profit from cybercrime is a simple numbers game. The more machines infected with malware that join a botnet, steal data via keyloggers or send spam, the more profitable the operation.
As a result, malware authors are always looking for new vectors for infecting victims. Although today’s vector of choice remains web browser exploits via compromised sites, this is self-limiting in the sense that the pool of people willing or able to visit a compromised site is somewhat small. When you consider that many malware infected machines are located in a network with other machines close by, compromising the local network is another way to quickly spread the infection. This behavior isn’t new – it goes back to the Morris Worm in 1988 and continued with Code Red and others in more recent times. New malware we’ve seen in 2008 such as Conficker, Gimmiv and Agent.BTZ looks for local hosts or network shares that can be compromised.
One of the original drivers behind network access control was the driving need to stop the spread of this type of network aware worm. The recent malware Trojan.Flush.M is an example that expands upon the network based attacks seen with a trojan like Conficker or Gimmiv to potentially compromise an entire network. Trojan.Flush.M does this by using a rogue DHCP server as a mechanism to change local domain name settings in a new spin on what is traditionally known as a pharming attack.
