Finding the Weak Points
To gain a foothold on your computer and in your corporate network, malware exploits weak points, or vulnerabilities, in widely used technologies. The myriad rapidly developing applications that make up the Web provide a wealth of vulnerabilities for online criminals to exploit.
The Web is made up of billions of pages created by different people with different levels of technical skills, offering rich content in many different formats. Accessing some of this content requires helper applications, such as media players. Many different types of back-end software serve up these webpages and content. And many of those formats, applications, and tools have weaknesses hackers can exploit.
Hackers also can exploit the Web's core infrastructure and basic standards. Many of the standards and much of the infrastructure the Web runs on were designed long before anyone thought of today's amazingly wide-ranging uses of the Web. For example, e-commerce, online banking, online social networking, and enterprise-level cloud-based computing are all common on the Web today. Ideally, you want to feel secure while engaging in those activities. But in the early days, decisions about the Internet and Web's standards and infrastructure heavily emphasized improving connectivity and access to content rather than walling off content in easily securable chunks. So, underlying infrastructure vulnerabilities, along with vulnerabilities in higher-level applications, remain a concern.
Hackers use these vulnerabilities to create exploits that let them penetrate your computer or network. Often, when you visit an infected webpage or open an infected email, the attack code starts snooping around for any known weaknesses in your system.
The malware found on a malicious website—such as one involved in an iFrame attack—begins a series of probes, looking for unpatched weaknesses in your browser, the myriad browser plug-ins you might have installed, your operating system, or any applications you might have running.
The level of sophistication is remarkable in that the malware sites can actually identify the particulars of your computer and operating system and infect or attack the system appropriately. For instance, if you run Safari as your browser, the malware sites won't bother trying any known Internet Explorer vulnerabilities. Instead, they focus on Safari or Safari plug-in weaknesses.
When a useful vulnerability is found, the goal of the malware attack is to create a buffer overflow condition in your computer. This then gives the malware the capability to initiate the download of harmful code—the keyloggers, botnet software, spyware ad generators, or other malware previously discussed.
Malware doesn't only exploit vulnerabilities in technologies. Malware creators and distributors also take advantage of "weaknesses" in human nature, such as curiosity, trust, desire for connection, and carelessness, to dupe users into handing over the keys to their system security.