E-mail Attachments: Losing Luster Among Black Hats?

E-mail attachments are no longer used as frequently as before to infect PCs with malicious software, according to a report released Tuesday by malware fighter Sophos, of Burlington, Mass.

The monthly report reveals that in August, on average, one in every 1,000 e-mails had an infected attachment. That compares with one in 322 for the first six months of this year and one in 47 e-mails 18 months ago.

“[The use of] E-mail attachments, as a form of distributing malware, has become less effective and therefore is used less often,” Sophos Senior Security Analyst Ron O’Brien told the E-Commerce Times.

“It seems that the general public has become aware that clicking on an attachment from an unknown source is not a safe thing to do,” he added. “As a result, the malware writers and distributors have had to make changes in the way they distribute malware.”

Better Blockers

Another factor blunting the effectiveness of attachments has been improvements in e-mail programs, contended Zulfikar Ramzan, a senior principal researcher at PC security software maker Symantec in Cupertino, Calif.

“Many e-mail programs have basic protections built-in to block attachments that are executable files,” he told the E-Commerce Times.

Earlier this year, there was a renewed interest in attachments as malware delivery vehicles when black hat hackers discovered that attachments in the Adobe PDF format — a widespread format for distributing documents — were being ignored by some spam filtering systems, observed Joe Stewart, a senior security researcher at Atlanta-based SecureWorks, a provider of managed security services.

“The antispammers caught up to that and are treating PDFs just like any other image spam,” he told the E-Commerce Times.

Recycling a Bad Idea

However, he said, the concept behind the PDF ruse — that certain trusted file formats will be given a green light by some antispam systems — continues to be used by malware-men.

“They were experimenting briefly with Excel formats and with FDF (Forms Data Format), a form format which is also readable by Adobe Acrobat,” he noted.

“It’s really a testament to how effective filters have become in blocking a lot of this stuff that [the hackers] have to work so hard to get around them,” he added.

Infected Web Sites

Thwarted on the attachment front, spammers have turned to other techniques, such as embedding links in e-mails that point to Web sites designed to infect users who view them.

“A series of large-scale attacks have been made via spam e-mail, directing users to infected Web pages with the promise of e-cards, pictures of nude celebrities, YouTube movies and pop music videos,” the Sophos report says.

“People visiting these sites are running the risk of having their PCs infected by malicious code, which can then steal personal information, spam out more malware and junk e-mail, or launch distributed denial of service attacks against innocent parties,” it continues.

It adds that the number of infected pages on the Web continued to grow in August, but at a slower rate than in July. Sophos detected an average of 5,000 new infected Web pages a day in August, compared to 6,000 a day in July.

Drive-By Infections

“In some cases, these Web sites will try to take advantage of a vulnerability in your browser to have malicious code installed on your machine without you realizing it,” explained Ramzan, of Symantec.

However, SecureWorks’ Stewart maintained that infected Web sites are losing their effectiveness, too.

“There’s a black hole list that as soon as the spammers publish one of these URLs inside a spam message, it quickly gets blacklisted,” he explained.

“Those blacklists,” he continued, “are used by the major antispam products, so just having that URL in your message is enough to get you blocked in a lot of places.”

US Loses Lead

The top three countries hosting malware-infected pages remained unchanged in August from the previous month, although China unseated the United States in the No. 1 spot, according to the Sophos report. Russia remained in third place.

The Ukraine’s share of infected pages jumped substantially over the period, from 1.2 percent in July to 7.7 percent in August.

The Netherlands and Italy were newcomers to the top 10 ranks in infected pages during the period.

“Some 80 percent of the sites hosting malicious content are legitimate sites,” said O’Brien, of Sophos. “They’re sites whose security has become compromised, so they can be safe one time you visit them and not another.”
