Threats from a Trusted Site
The number of reports of “Downloader” threats has been increasing in recent years. A Downloader is a small program whose only job is to fetch other malware or security risks from the Internet. To protect your computer from these programs, we recommend using an updated antivirus product, controlling Internet access for each desktop program, and filtering untrusted domains (by URL or IP address) with a firewall. The hard part, for users and network administrators alike, is deciding which Internet resources can actually be trusted.
In many cases, a Downloader will try to fetch its payload from a cheaply run (or even free) Web hosting service. Since registering a domain is simple and inexpensive, attackers will build an attractive-looking Web site under their own domain name to gain the trust of visitors. For example, the Trojan.Emcodec families and Downloader.Browsilla are distributed from their own Web sites that masquerade as respectable sites. If one of these sites becomes notorious for some reason, the attacker simply registers a new domain name and creates another site at very small cost.
Unfortunately, there is no easy way to determine what a trusted Internet resource is, but there are a couple of things you can do to protect your system. First, a user or administrator should allow only trusted programs to access trusted Internet resources. Second, Web site administrators should verify that the Web server's security settings are up to date, and confirm the list of Web server contents periodically. Any unknown file should be removed as soon as possible. Even if a file has a non-executable file extension (such as .jpg, .gif, or .swf), it should not be trusted on that basis. A common Downloader technique is to host the payload under a harmless-looking extension and rename it to .exe only after downloading it to the compromised computer. Another common technique is encryption: the W32.Detnat families try to download an encrypted version of Infostealer.Lineage, decrypt it, and execute it. An encrypted file can deceive administrators because it does not look like an executable file at all.
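The server-side checks recommended above (confirm what is in the document root, and do not trust a file because its extension looks harmless) can be automated. The script below is an added example written for this post, not Symantec's code or any product feature: it keeps a SHA-256 manifest of a known-clean site, reports files that are new or modified, and independently flags files whose bytes do not match their extension, whether that is a PE header hiding under .jpg (the rename-to-.exe trick) or near-random bytes with no valid image or Flash header (the encrypted-payload trick). The sample site, the magic-number table entries and the 7.5 bits/byte entropy threshold are assumptions chosen for the example.

```python
"""Audit a web root for planted payloads: files that are new or changed since a
known-clean baseline, and files whose contents betray their extension.
Added example for this post (not Symantec's code); the sample site is constructed."""
import hashlib
import math
from pathlib import Path

# Magic numbers for the "harmless-looking" extensions the post mentions.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".swf": (b"FWS", b"CWS", b"ZWS"),
}
PE_MAGIC = b"MZ"          # DOS/PE header: a Windows executable whatever it is called
ENTROPY_THRESHOLD = 7.5   # bits/byte (assumed cut-off); encrypted data sits near 8.0
MIN_ENTROPY_SAMPLE = 256  # entropy of a very small file is not meaningful


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 .. 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(name: str, data: bytes) -> str:
    """Return 'ok', 'executable', 'encrypted', 'mismatch' or 'unknown'."""
    ext = Path(name).suffix.lower()
    if data.startswith(PE_MAGIC):
        return "executable"          # an .exe waiting to be renamed on the victim
    if ext not in MAGIC:
        return "unknown"             # not an extension this table can vouch for
    if any(data.startswith(m) for m in MAGIC[ext]):
        return "ok"
    if len(data) >= MIN_ENTROPY_SAMPLE and shannon_entropy(data) > ENTROPY_THRESHOLD:
        return "encrypted"           # no valid header and near-random bytes
    return "mismatch"                # no valid header, e.g. a script or text file


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """name -> sha256 hex digest, taken while the site is known to be clean."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def audit(files: dict[str, bytes], manifest: dict[str, str]) -> list[tuple[str, str]]:
    """Flag every file that is new, modified, or whose contents betray its extension."""
    findings = []
    for name, data in sorted(files.items()):
        digest = hashlib.sha256(data).hexdigest()
        if name not in manifest:
            findings.append((name, "new-file"))
        elif manifest[name] != digest:
            findings.append((name, "modified"))
        verdict = classify(name, data)
        if verdict not in ("ok", "unknown"):
            findings.append((name, verdict))
    return findings


def load_webroot(root: str) -> dict[str, bytes]:
    """Read a real document root into the same name -> bytes form used above."""
    base = Path(root)
    return {str(p.relative_to(base)): p.read_bytes()
            for p in base.rglob("*") if p.is_file()}


def pseudo_random_bytes(n: int) -> bytes:
    """Deterministic high-entropy filler standing in for an encrypted payload."""
    out, block = b"", b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample: a clean baseline, then the same site after a break-in.
CLEAN_SITE = {
    "index.html": b"<html><body>Welcome</body></html>",
    "img/logo.gif": b"GIF89a" + b"\x00" * 64,
    "img/photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,
}
COMPROMISED_SITE = dict(CLEAN_SITE)
COMPROMISED_SITE["img/photo.jpg"] = b"MZ\x90\x00" + b"\x00" * 64   # PE file stored as .jpg
COMPROMISED_SITE["img/banner.swf"] = pseudo_random_bytes(4096)     # "encrypted" payload
COMPROMISED_SITE["img/spacer.gif"] = b"not really an image"        # text stored as .gif

if __name__ == "__main__":
    baseline = build_manifest(CLEAN_SITE)   # in practice, save this to disk
    for name, why in audit(COMPROMISED_SITE, baseline):
        print(f"{why:11s} {name}")
```

Run it as-is to see the three planted files reported; against a real server, build the manifest from `load_webroot("/var/www/html")` when the site is known to be clean and re-run `audit` on a schedule. The entropy test is only applied when the magic number is already wrong, because a legitimate JPEG or zlib-compressed SWF is itself high-entropy and would otherwise be a false positive; the manifest comparison catches replaced files that happen to keep a valid header.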
The Symantec Security Response team has also received some reports of a version of Downloader that downloads malware from hijacked corporate or government Web sites. In actual fact, several foreign government Web sites hosted a variant of Infostealer.Bancos that was downloaded by Downloader.Bancos. Since corporate and government Web sites are generally considered trustworthy, an attacker may search for vulnerable Web sites and plant malware on them, so that a Downloader running on victims' computers fetches its payload from a site nobody would think to block. How many people would suspect that a government site is hosting malware? I don’t think many of us would suspect it, which highlights the need to raise our awareness of malicious code. Please be careful when it comes to enabling your computer to access the Internet; you should try to implement all of the steps I’ve listed in the opening paragraph of this blog. Following these guidelines will go a long way towards ensuring you have secure and safe access to the Internet.