Malware sample enjoys very low detection rate

May 13, 2015 15:55 GMT  ·  By

Microsoft help files (CHM) are currently used by cybercriminals to deliver malware to users in a manner that could go completely undetected by antivirus products, security researchers warn.

Files of this type run on Windows operating systems from Vista to 8.1 and are used to package documentation and user manuals for software products. They consist of HTML pages compiled into a single binary for easy deployment.

Malware masquerades as PuTTY

Security researchers from Bitdefender first noticed the new infection method in March, when cybercriminals used it to deliver the CryptoWall ransomware, which encrypts data on the victim's computer.

On Tuesday, researchers from Check Point announced that crooks were still using CHM files to infect computers and that the method could be used to fool current antivirus engines.

“Microsoft has not yet developed a patch to block this exploit method. As a result, it is still being used by attackers who can remain FUD (Fully Undetected) by current Anti-Virus engines,” they say in a blog post.

When the user launches an infected help file, it initiates a request to download and execute the malware. In the samples caught by Bitdefender and Check Point, the payload carries the name of the popular Telnet and SSH client PuTTY, probably in an attempt to keep the alarm bells silent.

Malware is distributed via email and social networks

Upon analyzing the sample, Check Point determined that the payload was detected by a small number of antivirus engines (three out of 35).

However, they say that a sample completely invisible to the security products can be crafted, making the attack method highly dangerous.

One of the most prevalent methods for spreading malware is email, and this campaign is no exception, but it also relies on social media communication channels.

Attackers can craft believable messages promoting versions of popular programs whose documentation files have been compromised.

In most cases, portable software that needs no installation is delivered in an archive, with easy access to the help file.
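Because the article notes that compiled help files are a binary container (the "ITSF" magic at offset 0, a fact about the CHM format not spelled out above) and that they typically arrive inside an archive of portable software, a defender can triage such archives before the help file is ever opened. The following script is an added example, not code from Bitdefender, Check Point or the article: it walks a ZIP archive and flags members that are CHM files by magic, by extension, or where the two disagree. The archive it builds is constructed test data with a header-shaped filler, not a real help file.

```python
import io
import struct
import zipfile

# Every compiled HTML Help (.chm) file starts with this four-byte signature
# ("InfoTech Storage Format"), regardless of what the file is named.
CHM_MAGIC = b"ITSF"


def is_chm(data: bytes) -> bool:
    """True if the first four bytes carry the compiled-help magic."""
    return data[:4] == CHM_MAGIC


def find_help_files(archive_bytes: bytes) -> list:
    """Return (member name, reason) pairs for archive members that are, or claim to be, CHM files.

    Three cases are reported so an analyst can prioritise:
      "chm"                              - extension and magic agree (worth a look, per the article)
      "chm-magic-under-other-extension"  - CHM content hiding behind a harmless-looking name
      "chm-extension-without-magic"      - named .chm but not actually a help file
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(4)  # only the magic is needed for triage
            by_magic = is_chm(head)
            by_name = info.filename.lower().endswith(".chm")
            if by_magic and by_name:
                findings.append((info.filename, "chm"))
            elif by_magic:
                findings.append((info.filename, "chm-magic-under-other-extension"))
            elif by_name:
                findings.append((info.filename, "chm-extension-without-magic"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed test data: a fake 'portable tool' ZIP with a help file and two disguised variants."""
    # Header-shaped filler: magic, version 3, header length 0x60, unknown=1, then zero padding.
    # This is NOT a valid CHM; it only exercises the magic check.
    fake_chm = CHM_MAGIC + struct.pack("<III", 3, 0x60, 1) + b"\x00" * 84
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tool/tool.exe", b"MZ" + b"\x00" * 62)   # placeholder executable
        zf.writestr("tool/readme.chm", fake_chm)             # ordinary help file
        zf.writestr("tool/manual.txt", fake_chm)             # CHM bytes under a .txt name
        zf.writestr("tool/notes.chm", b"plain text")         # .chm name, no CHM content
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in find_help_files(build_sample_archive()):
        print(f"{reason:36s} {name}")
```

Flagged members are candidates for deeper inspection (sandbox detonation, or extraction of the embedded HTML with a CHM decompiler), not verdicts; a help file in a portable-software archive is normal, which is exactly why the article's campaign blends in.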