Student surprise: Malware masked as textbooks and essays

September 2, 2019

It is far too easy to pick up nasty stuff when you try to download popular TV shows or game cheats. However, cybercriminals do not limit themselves to tainting entertainment; you can also stumble upon a virus when looking for work- or study-related materials. This is particularly important to keep in mind as the academic year starts, because the cost of textbooks and other materials for K–12 and college students often leads to many looking for more affordable and free alternatives online.

Download an essay, get some malware thrown in

Wanting to find out how frequently malicious content is encountered among materials that are posted for free access, we checked how many infections Kaspersky solutions identified in files with school- and student-related filenames. This exercise yielded quite a few results!

As it turns out, over the past academic year, cybercriminals targeting the field of education tried to attack our users more than 356,000 times. Of these, 233,000 cases involved malicious essays downloaded to computers owned by more than 74,000 people. Our solutions blocked them, of course.

About another third of the files were textbooks. We detected 122,000 attacks by malware disguised as textbooks. More than 30,000 users tried to open those files.

English textbooks were the most common malware hiding place K–12 students encountered, with 2,080 attempted downloads. Math textbooks were the next most common, nearly infecting the computers of 1,213 students. Literature closes out the top three most dangerous subjects, with 870 potential victims in our study group.

Criminals also targeted less-popular subjects. We have come across malware masquerading as textbooks in the natural sciences (18 users tried to download these) and in less commonly taught foreign languages at both the K–12 and college levels.

Which types of malware are disguised as textbooks and essays?

If in your search for study materials you find yourself on an unscrupulous website and try to download something, you risk encountering just about any type of malware. However, certain types of threats are distributed in this way more than others. Here are the four malware types most frequently distributed as study materials.

4th place: MediaGet torrent application downloader

Sites peppered with enticing Free Download buttons often foist the MediaGet downloader on users instead of the files they were looking for. The downloader is the most innocuous of the nasty surprises that await students who are searching for educational resources. This downloader will retrieve a torrent client that the user does not need.

3rd place: WinLNK.Agent.gen downloader

Hiding malware inside ZIP or RAR archives is a popular technique that makes the threats harder to detect. Such is the case with the WinLNK.Agent.gen downloader. The archive contains a shortcut to a text file, which not only opens the document itself, but also launches the attached malware components.

They, in turn, can download more malware to the device. Typically, the additional downloads are malicious cryptomining programs that mine cryptocurrency for their owners. As a result, the computer and Internet connection speed will suffer, and the victim’s electricity bill may go up. Adware could also flood the computer with ads. In addition, this malware can download more dangerous programs.

2nd place: Win32.Agent.ifdx malware downloader

Another downloader often disguised as a textbook or an essay is called Win32.Agent.ifdx. Although it appears to be a DOC, DOCX, or PDF document, with the corresponding icon, it is in fact a program. Moreover, when it is launched it also opens a text file so that the victim does not realize anything suspicious is going on. However, its main task is to download all sorts of bad things onto the victim’s computer.

Recently, this type of malware has shown a tendency to download various cryptominers. It is worth remembering that the priorities of malware distributors can change. Nothing prevents them from modifying the malware to download spyware, banking Trojans that steal data from cards and accounts at online banks and stores, or even ransomware instead of cryptocurrency miners.

1st place: School spamming using the Stalk worm

Spammers also distribute malicious textbooks and essays. Spam is the preferred means by which Worm.Win32 Stalk.a is spread, for example. This worm has been around for quite a while, and we thought that it had fallen out of use. To our surprise, not only is it still being used, but it is also the “educational” malware with the greatest number of victims.

Once on a computer, Stalk penetrates all devices that are connected to it. For example, it can infect other computers on the local network or a USB flash drive containing the educational materials. This is a very insidious step, because then, if the recipient prints the essay using school or university resources from a flash drive, the worm will make its way onto the institution’s network.

There’s more. To infect as many systems as possible, Stalk tries to e-mail itself to the victim’s contacts. With the messages coming from the victim’s account, fellow students and classmates are likely to open the attached malicious application.

Stalk is dangerous not only because of its ability to spread itself over a local network and by e-mail, but also because it can download other malicious applications to the infected device, and copy and send files from victims’ computers to the malware owners.

The Stalk worm is still able to thrive largely because educational institutions in general, and their printer systems in particular, often use hopelessly outdated versions of operating systems and other software. This allows the worm to continue to spread.

How to protect yourself from malicious fake textbooks and essays

You can avoid the problem entirely by getting textbooks from physical or online libraries. If you do download study materials, the general safe-downloading advice applies:

  • Pay careful attention to what type of site is hosting the textbook you want to download. Do not visit dubious resources that are full of flashing Download buttons or that require you to install a downloader first.
  • Do not use outdated versions of operating systems and other software. Make sure that you install any software updates in a timely fashion.
  • Be critical of e-mail attachments, including ones that are sent from acquaintances. If a friend suddenly sends you an essay that you did not ask for, that is reason for suspicion.
  • Pay attention to the extensions of the files that you are downloading. If you downloaded an EXE file instead of a document, do not open it.
  • Use a reliable computer security solution. For example, Kaspersky Internet Security recognizes and blocks not only the threats described in this post, but also many others.
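The two downloaders above rely on the same trick: the filename (or a .lnk shortcut inside an archive) promises a document while the bytes are a program. As an added example that is not part of the original post, this Python script inspects a downloaded ZIP without extracting it and flags entries whose leading bytes do not match what the name suggests; the signature table, verdict names and the sample archive are constructed for illustration.

```python
import io
import zipfile

DOC_EXTS = {"doc", "docx", "pdf", "txt", "rtf"}
# Constructed signature table of well-known file headers (not from the article).
SIGNATURES = {
    bytes.fromhex("4c00000001140200"): "lnk",  # Shell Link header size + start of LinkCLSID
    b"MZ": "pe",                                # Windows executable
    b"%PDF": "pdf",
}

def sniff(head: bytes) -> str:
    """Identify a file by its leading bytes rather than by its name or icon."""
    for magic, kind in SIGNATURES.items():
        if head.startswith(magic):
            return kind
    return "other"

def classify(name: str, head: bytes) -> str:
    """Compare what the filename promises with what the bytes actually are."""
    exts = name.lower().rsplit("/", 1)[-1].split(".")[1:]  # every extension in the name
    kind = sniff(head)
    if kind == "lnk":
        return "shortcut"  # WinLNK.Agent.gen style: a .lnk posing as a text file
    if kind == "pe":
        # Win32.Agent.ifdx style: a program named essay.pdf, or a double extension like homework.docx.exe
        return "executable-disguised-as-document" if any(e in DOC_EXTS for e in exts) else "executable"
    return "document-or-data"

def suspicious_entries(zip_bytes: bytes) -> dict:
    """Walk an archive in memory (no extraction) and keep only entries that are not plain documents."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                verdicts[info.filename] = classify(info.filename, fh.read(16))
    return {n: v for n, v in verdicts.items() if v != "document-or-data"}

def constructed_sample() -> bytes:
    """Build an in-memory ZIP mimicking the disguises the article describes (constructed data)."""
    fake_pe = b"MZ" + b"\x00" * 62 + b"PE\x00\x00"
    fake_lnk = bytes.fromhex("4c00000001140200") + b"\x00" * 24
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("essay.pdf", fake_pe)            # program carrying a document name
        zf.writestr("textbook.txt.lnk", fake_lnk)    # shortcut dressed up as a text file
        zf.writestr("homework.docx.exe", fake_pe)    # double extension, .exe hidden by Explorer
        zf.writestr("notes.txt", b"Chapter 1: Fractions\n")
        zf.writestr("syllabus.pdf", b"%PDF-1.4\n%...")
    return buf.getvalue()
```

Running `suspicious_entries(constructed_sample())` reports the three disguised entries and stays silent on the genuine text and PDF files.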