New attack binds malware in parallel to software downloads

http://threatpost.com/new-attack-binds-malware-in-parallel-to-software-downloads

 

I didn't understand the article, can someone explain?

 

In short: you try to download installer for an app. Attacker controlling one of the nodes inject some code into HTTP download so you get slightly modified installer. When you run "infected" installer malware installs first (without you knowing it) and then legit app (for which you downloaded installer) gets installed also. You never know that there was malware embeded in installer and that malware was installed before legit installation took place.

 

OK interesting, so perhaps an idea to never put your HIPS in "trust mode", and keep monitoring ALL apps for suspicious behavior.

 

Yes. You can also use https for all downloads (if possible) and compare binary checksum with one provided by vendor or developer.