Rapidshare & Co in the sights of the malware-mafia

Cyber criminals are increasingly using legal file hosters as infection channels.

06/06/2009 | Bochum 

Within the last week, G Data has recorded a sudden jump in infected files originating from so-called one-click hosts. With this approach, the criminals are building on the growing popularity of legal services, such as the well-known provider Rapidshare. The perpetrators post links to infected files in Internet forums and on social networking platforms.


The files on offer are primarily free tools. By using this method, the perpetrators successfully avoid reputation-based URL filters, which place websites on white or black lists depending on their "good reputation". The abused file-hosting services are not on these so-called black lists and consequently are not blocked. The range of malware discovered is surprisingly extensive: backdoors, sniffers and downloaders are all represented, as are diverse Trojan horses and the worm Koobface.

Ralf Benzmüller, manager of G Data Security Labs, summarises:
"It is not only Rapidshare that is affected. Also other file hosting services, such as mediafire.com, uploaded.to and uploading.com, have been taken advantage of to spread malware. Often these files are promoted as the latest versions of software, the latest tools or cracked software. Would-be bargain hunters are particularly at risk here. In general Internet users should not be lured into a false sense of security - even when the source is a well-known one-click hosting service."

Evading reputation-based URL filters
The motivation for spreading malware via file-hosting providers must be considered from both a technical and an economic point of view:

1. As the upload of harmful content is mostly anonymous, and the hosters have more than adequately dimensioned servers and line capacities, such platforms offer an uncomplicated, yet still highly effective way of distributing malware.

2. As "tailgaters", the perpetrators using this method slip past so-called reputation-based URL filters. These are based on "black lists", which rely on the "reputation" of certain websites. In many of these filters, large popular websites are not included in block lists precisely because of their enormous popularity.

Background information about one-click hosters
So-called one-click hosters have been very popular for some considerable time, as they permit the simple exchange of large data quantities. Numerous providers of file or one-click hosting services permit the anonymous and free provision of large data volumes. Using such services, it is quick and easy to place files on the provider's servers, often without even having to register. These files then remain available for download for a specified time via an individual link. Cyber criminals have now caught on to this trend and are using Rapidshare and Co. to distribute their harmful software.


Thorsten Urbanski