Introduction

The article "Modern Internet attacks" is provided by Sophos Plc and SophosLabs.

August 2007

The success of a particular piece of malware depends on a number of factors. These include the propagation method and the targets, the order of execution, the speed of propagation, and how well a given sample avoids detection. The first two factors relate to how the threat is delivered and implemented, and they are probably the most significant determinants of an attack's success. The success of the most well-known threats is often decided by their delivery mechanism. Numerous viruses and worms distributed in mass mailings caused considerable damage because they spread exceptionally fast and wide over SMTP [1,2]. Email-borne threats remain relevant to Internet users today: SMTP is still regularly used to deliver Trojans in large spam mailings [3]. CodeRed [4], which caused enormous damage, was the first notable "fileless" worm on Windows; it spread by exploiting a vulnerability in the Microsoft IIS service. The SQLSlam worm [5] took the concept of "rapid spread" to a new level: by some estimates, 100,000 to 200,000 computers were infected during the first few minutes of its distribution [6]. The impact of SQLSlam on network traffic was felt almost everywhere, and several Internet root name servers were reported to be unavailable for some time [7].

Email threats often use social engineering to trick the recipient into launching a malicious attachment. As it became common for mail servers to block all executable content, harmful or not, the authors of such threats switched to sending files inside archives, often protected by passwords [8].

Regardless of the delivery method, attackers seek to create malware that runs without any action from the user. The most common way to achieve this is to exploit a vulnerability in an application [9] or the operating system [10] to gain code execution. This tactic was used by numerous families of network worms that infected networked computers through a variety of vulnerabilities [11]. As this document discusses, this method (the use of so-called exploits) is especially characteristic of Internet attacks. Exploiting vulnerabilities in client browsers allows malicious programs to execute code as soon as the user merely opens a malicious page. Such attacks are often called "drive-by downloads" [12].
