If you are a frequent reader of this blog, it is not news to you that malware authors are moving away from a quest for fame toward profit driven operations. Malware authors and controllers are moving to a free market organization where each group has a very precise area of expertise and "outsource" other tasks to other groups.
An example of this business structure are the malware affiliation programs that seem to gainin popularity. Some malware gangs have removed infections from their malicious operations and now rely on other groups to install their creations on victim computers. A typical scenario goes as follow:
We came across such a site with tens of different malicious samples this week. In this case, the malicious code tries to exploit five different vulnerabilities present in Internet Explorer or its ActiveX components. The first stage downloader sits on the infected computer for a couple of seconds before downloading and installing nine different malware including adware, worms, and viruses. This attack is far from being subtle; an infected computer becomes almost unusable within minutes after infection since the malicious programs eats up all the system’s resources. The malicious server is presently hosted in Russia and is still serving malware. The following malware have been detected on the server:
As usual, our recommendations to users are to update any installed software, including ActiveX components. For webmasters, we strongly recommend monitoring web pages to quickly identify malicious content for removal and thus protect your visitors.