Malware: here are the most used software as Trojans

One of the hackers’ favorite techniques for letting the user’s guard down and breaking into their machine is to disguise malware to give it the appearance of a referenced and reliable program. In a report released yesterday, the cybersecurity firm VirusTotal unveiled its ranking of the software whose identity is most often impersonated in this way. And as you might expect, the list is full of very well-known and yet perfectly reliable names when uploaded to the right place.

The first step of the podium is quite surprising; she is occupied by Skype. It is a program that was once essential, but which is only a shadow of itself today; this is all the more true since the pandemic has completely reshuffled the cards in the world of online communication.

However, it is still and always the most used software as a Trojan horse by hackers. It overtakes two other much more common software by a short head in 2022. The second place goes to Adobe Acrobat, one of the reference tools for editing files in .pdf format. This is the famous site cone of the French media player VLCalso very popular, which completes this top 3.

The authors of the report also cite other well-known names. There are utilities such as 7-Zip Where CCleaner. Communication applications are not left out; without surprise, Zoom, Team Viewer and WhatsApp are also often hijacked by hackers. Same observation for web browsers (Chromium, Brave, firefox…) and even antimalware solutions like MalwareByte.

The list also includes some more surprising names, such as… Internet Explorer. Are there really users who are actively looking to download this browser once integrated by default into Windows and now rendered obsolete by Edge and the competition? It would seem so, but there is something to be perplexed about.

Identity theft still just as effective

According to VirusTotal, if this technique works so well, it is largely thanks to the icon of the executable file. If it is a known pictogram, then the user will necessarily be less vigilant as to the origin of the file.

Moreover, the latter does not necessarily constitute a guarantee. The authors explain that “0.1% of legitimate hosts of popular applications have distributed malware” in the past. This figure might seem insignificant, but it ultimately represents anything but negligible traffic.

Because in these cases, the attack can be particularly vicious; it can, for example, take the form of a malicious code snippet inserted into a completely legitimate update by a hacker who has entered the servers in question.

The report also explicitly targets Discord, a popular communication software for the gaming community. It apparently has several vulnerabilities in its Content Delivery Network (CDN), a group of servers that allows data to be transferred and synchronized quickly and at scale. The specialized site HackerNews defines this platform as a “ fertile ground for harboring malware “.

The user remains the first antivirus

Moral of the story: the first line of defense will always be the user behind the keyboard. It is therefore essential to be very vigilant when installing software, even when it enjoys an excellent reputation.

This involves strict verification of the origin of the file; whenever possible, always download the software directly from the publisher’s website, and never a version rehosted by a third party.

Some publishers also offer checksums or hashfiles. Without going into detail, these are sorts of digital signatures that the user can compare to that of a downloaded file; it’s not an absolute guarantee, but if they match, there’s a good chance the file hasn’t been tampered with.

If in doubt, you can also choose to open the program in question in a virtualized environment, for example with a VirtualBox machine or using Sandboxie, a small utility that we recently told you about in our selection of Windows tools (see our case).

The full report is available at this address.