Student surprise: malware masked as textbooks and essays

We have written on numerous occasions about how easy it is to inadvertently pick up some nasty stuff when you try to download popular TV shows or game cheats. However, cybercriminals do not just limit themselves to entertainment products. You can also stumble upon a virus when looking for work- or study-related materials. This is particularly important to keep in mind as the academic year starts. That is because the cost of textbooks and other materials for K-12 and college students often leads to many looking for more affordable and free alternatives online.

Download an essay, and get some malware thrown in

We decided to find out how frequently malicious content is encountered among materials that are posted for free access. To do this, we checked how many infections Kaspersky solutions identified in files with school- and student-related filenames. This exercise yielded quite a few results!

As it turns out, over the past academic year, cybercriminals who have been targeting the field of education have tried to attack our users more than 356,000 times in total. Of these, 233,000 cases were malicious essays that were downloaded to computers owned by more than 74,000 people and that our solutions managed to block.

About a third of those files were textbooks: we detected 122,000 attacks by malware that was disguised as textbooks. More than 30,000 users tried to open these files.

English textbooks hiding malware were most popular among K-12 students with 2,080 attempted downloads. Math textbooks were the next most common, nearly infecting the computers of 1,213 students. Literature closes out the top three most dangerous subjects with 870 potential victims.

Criminals also targeted less popular subjects. We have come across malware masquerading as textbooks in the natural sciences (18 users tried to download these) and in less commonly taught foreign languages at both the K-12 and college levels.

Which types of malware are spread under the guise of textbooks and essays?

If in your search for study materials you find yourself on an unscrupulous website and try to download something from there, you risk encountering just about any type of malware. However, certain types of threats are distributed in this way more than others. Here are the four most popular malware types that are the most frequently distributed under the guise of study materials.

4th place: MediaGet torrent application downloader

Sites with textbooks that are littered with enticing ‘Free Download’ buttons often give users the MediaGet downloader instead of the document that they were looking for. This is the most innocuous of surprises that awaits K-12 and college students who are searching for educational resources. This downloader will retrieve a torrent client that the user does not need.

3rd place: WinLNK.Agent.gen downloader

Malware likes to hide in archives, since it is more difficult to detect a threat when it is inside a zip or rar file. This is the technique that is used, for example, by the WinLNK.Agent.gen downloader, which is also easy to pick up when you are looking for textbooks and essays. The archive contains a shortcut to a text file, which not only opens the document itself, but also launches the attached malware components.

They, in turn, can download another infection to the device. As a rule, these are malicious cryptomining programs that mine cryptocurrency for their owners using your device’s resources. As a result, your computer and internet connection speed will suffer, and your electricity bill may go up. Adware could also flood you with ad offers that you can’t refuse. In addition, this malware can download more dangerous programs.

2nd place: Win32.Agent.ifdx malware downloader

There’s another downloader that’s often hidden under the guise of a textbook or an essay seemingly in DOC, DOCX or PDF format. Despite the fact that it pretends to be a document with the corresponding icon, it is in fact a program. Moreover, when it is launched it also opens a text file so that the victim does not realize that anything suspicious is going on. However, its main task is to download all sorts of bad things onto the victim’s computer.

Recently, this type of malware has shown a tendency to download various cryptominers. It is worth remembering that the priorities of malware distributors can change. Nothing prevents them from modifying the malware to download spyware, banking trojans that steal data from cards and accounts at online banks and stores, or even ransomware instead of cryptocurrency miners.

1st place: school spamming using the Stalk worm

You can also get infected without visiting dubious sites. Spammers also distribute malicious textbooks and essays. This is the preferred method by which the Worm.Win32 Stalk.a worm is spread, for example. This worm has been around for quite a while, and we had previously thought that it had fallen out of use. To our surprise, it is not only still being actively used, but it is also the ‘educational’ malware with the greatest number of victims.

Once it makes its way onto a computer, Stalk penetrates all devices that are connected to it. For example, it can infect other computers on the local network or a USB flash drive containing the educational materials. This is a very insidious step, because if you print out the essay using school or university resources via a flash drive, the worm will make its way onto the educational institution network.

However, this malware is not content with just doing this. To infect as many systems as possible, it will try to email itself to your contacts in your name. Fellow students and classmates are very likely to decide that your message is safe and open the attached malicious application.

Naturally, Stalk is dangerous not only because of its ability to spread itself over a local network and by email. The malware can download other malicious applications to the infected device, and also surreptitiously copy and send files from your computer to the malware owners.

One of the main probable reasons why the Stalk worm is still able to thrive is because educational institutions in general, and their printer systems in particular, often use hopelessly outdated versions of operating systems and other software. This allows the worm to continue to spread.

How to protect yourself from malicious ‘textbooks’ and ‘essays’

As you can see, searching for educational materials on the internet can lead to some fairly unpleasant consequences. To avoid infection:

  • If possible, search for the books you need in physical or online libraries
  • Always pay attention to what type of site is hosting the textbook that you want to download. Do not visit dubious resources that are full of flashing ‘download’ buttons or that require you to install a downloader first
  • Do not use outdated versions of operating systems and other software. Make sure that you install any software updates in a timely fashion
  • Be critical of email attachments, including ones that are sent from acquaintances. If a friend suddenly sends you an essay that you did not ask for, then this is a reason for suspicion
  • Pay attention to the extensions of the files that you are downloading. If you download an EXE file instead of a document, then you should not open it
  • Use a reliable computer security solution. For example, Kaspersky Internet Security recognizes not only the threats that were described in this article, but also many others. And it will prevent them from harming your computer