Digital Transactions Authoritative, insightful and timely information for payments professionals
The rising popularity of so-called rich-content files is providing cybercriminals a fertile opportunity to spread malicious software that lets them steal passwords, PINs, and other sensitive information on the Internet, according to a report released on Tuesday. Whereas before viruses, Trojans, and other such malware tended to be found on Web sites set up by fraudsters to infect users' machines, now multimedia files such as PDFs and Flash documents are starting to carry it to unsuspecting victims, says the report from security-software vendor Finjan Inc. The increasing use of PDFs (portable document files) and other rich-content files by consumers and businesses?including the rising instances in which users send and receive such files via e-mail?offers a tempting market to fraudsters looking for a new way to distribute malware. “We're starting to see an increase in the number of infected PDFs,” says Yuval Ben-Itzhak, chief technology officer at San Jose, Calif.-based Finjan. “In cybercrime, it's all about volume.” What's more, nearly all malicious code Finjan detects is now masked by a relatively new technique called “code obfuscation,” making it harder to detect. This technique, which uses various forms of encryption to hide malicious code and confound antivirus programs, now shows up in about 95% of cases of malware, Ben-Itzhak says, compared to around 80% less than two years ago. Making things worse, the obfuscation techniques are acquiring higher and higher levels of sophistication. When first detected in 2005, the masking methods were relatively static, but now they can be dynamically updated so that the version infecting one machine might differ in subtle ways from that infecting another, again making it more difficult for anti-virus or intrusion-prevention programs to detect them. In some cases, Finjan has found code that requires a private key to be deciphered, so that even if a program detects the malware, security officers can't open it. “[Hackers] are trying to use new techniques all the time to evade detection,” Ben-Itzhak says. But it is the ability to spread malware more readily through PDFs, Flash applications, and other rich-content files that may prove the most alarming development yet. Fraudsters are taking advantage of the JavaScipt embedded in PDFs to stage their attacks, Finjan says in its report. JavaScript allows PDFs to be customized and manipulated, but it also provides what the report calls a “platform” for cybercriminals to plant malware. “Obviously, crimeware authors became aware of this new capability for distributing malicious code and took the necessary steps to protect their 'bread-and-butter' from being detected by security vendors,” says the report. The report says obfuscated malware embedded in a PDF that Finjan submitted to Virus Total, an online service that scans documents for malicious code, was detected by only 10% of security vendors. When re-submitted with the malware unmasked, the detection rate doubled to 20%.
