AOH :: ISN-3141.HTM

Targeted Trojan attacks on the rise

Targeted Trojan attacks on the rise
Targeted Trojan attacks on the rise 

By Robert Lemos
15th October 2006

Analysis -- On December 1, 2005, two email messages were sent from a 
computer in Western Australia to members of two different human rights 
organizations. Each email message carried a Microsoft Word document with 
a previously unknown exploit that would take control of the targeted 
person's computer and open up a beachhead into the group's network.

The attack failed, as did a second attempt to infiltrate the same 
human-rights groups a week later, due in no small part to an 
overabundance of caution on the part of email security provider 
MessageLabs, which initially blocked the emails based on the strangeness 
of the Word attachments. The attacks only targeted a single person at 
each organization and, after the two attempts, never repeated.

Such targeted Trojan horse attacks are quickly becoming a large concern 
for corporations, the military and political organizations, said 
MessageLabs security researcher Alex Shipp. The email security provider 
intercepted 298 such attacks between May 2005 and May 2006, and the 
threat of targeted Trojans is only increasing.

"If you haven't noticed these attacks and you are a big company, you 
have likely already been attacked," Shipp told attendees at the Virus 
Bulletin 2006 conference. "Your problem is no longer how do I avoid 
being attacked, but how do I find where I've been compromised."

Targeted Trojan horse attacks are quickly becoming a major issue for the 
antivirus and computer-security industries. Last year, computer 
emergency response groups in the UK, Canada and Australia warned of such 
attacks. While the United States Computer Emergency Readiness Team 
(US-CERT) did not issue a warning, security firms confirmed at the time 
that US government agencies and companies had already been targeted by 
such malicious software.

A major problem for large companies, government agencies and other 
potential targets is that antivirus software is not good at stopping 
low-volume attacks aimed at single companies. Traditional antivirus 
programs detect widespread attacks based on matching to a known pattern 
and do not fare well against low-volume Trojans. And even when they do 
detect such attacks, the larger volume threats are inevitably moved to 
the top of the firms' to-do lists, because they affect a larger number 
of customers, said antivirus industry insiders.

"There is no value whatsoever in having signature-based antivirus when 
facing a targeted attack," said Joshua Corman, host protection architect 
for Internet Security Systems (ISS). "We, the AV industry, haven't 
turned the corner in being able to detect these attacks consistently."

If a company misses the initial attack, the results can be costly, 
Corman said. He pointed to an example of one company, a pharmaceutical 
firm, that got infiltrated by a targeted Trojan attack. The company only 
realized it had been compromised when some valuable data was encrypted 
and the key held for ransom. The company had to pay and, after the 
incident, spent a month cleaning the compromised systems from its 
offices in three countries. Corman would not name the company, which 
became ISS client after the incident.

While MessageLabs might detect tens of thousands of copies of a typical 
mass-mailing computer viruses in a single day, the company is finding, 
at most, ten targeted Trojans a week, Shipp said. According to the data 
collected by MessageLabs, more than half of the 298 attacks detected 
over 12 months consist of a single email sent to a single person at a 
company. In total, 1,344 emails were sent during the period studied by 
Shipp. Military agencies, human rights organizations and pharmaceutical 
companies are some of the types of groups that are being targeted by 
specifically aimed attacks.

The attacks are also very well researched, Shipp said. One targeted 
Trojan was sent to five employees at one company - every single person 
was a member of the firm's research and development team.

"The bad guys have done their homework," Shipp said.

During the 12 months studied by Shipp, the majority of the Trojan horse 
programs, almost 70 per cent, used a malicious Word document as the 
vehicle for the attack. That's already changing, with PowerPoint and 
Excel documents now becoming popular, he said. The one type of document 
that oddly is not being used by attackers is the PDF format of Adobe 

Shipp added that most companies cannot just block the problematic 
attachments, even if they realize the threat.

"In many cases, even if the company is vulnerable, .doc files are their 
lifeblood, so they can't block Word documents," Shipp said.

Most of the attacks come from the Pacific Rim, emanating from Internet 
addresses in mainland China, Hong Kong, Australia and Malaysia. However, 
one IP address that consistently attacks military installations comes 
from a computer in California. Shipp believes that the computer could 
have been compromised as part of a botnet.

In fact, Shipp believes that three major groups are involved. The first 
and largest group is the most active and uses a variety of different 
tactics, but most commonly uses a zero-day exploit in the attack. The 
researcher believes it is also possible that this group could be several 
independent actors. He feels more confident about the other two groups: 
One targets only Hong Kong companies with an attack once every three 
weeks or so, and the other attacks military sites from a computer in 
California about every two weeks.

The attack data underscores an overall trend in threats. While some 
hobbyist virus writers undoubtedly still exist, most malware is now 
written for profit.

"No one other than the kids want to infect a million people anymore," 
said Graham Cluley, senior technology consultant for antivirus firm 
Sophos. "You would rather deal with 50 or 100 systems at a time."

Sophos and other security companies are adopting better versions of 
behavioral blocking software to combat the threat. Traditional 
behavioral blocking stops a program that attempts a specific action, a 
technique that frequently flags legitimate programs as potential 
threats. Sophos instead characterizes programs by a collection of 
actions attempted by the program in a virtual sandbox and blocks the 
executable if the actions seems malicious. Called "behavioral genotype 
protection" by Sophos, the technique has already caught a number of 
targeted and low-volume attacks, Cluley said.

However, the antivirus industry is still moving too slowly, ISS's Corman 
said. The Trojan horse sold to private investigators by an Israeli 
couple took 18 months to detect.

"People in the industry keep talking about the Israeli Trojan horse, 
because that is one of the few public examples," Corman said. "But 
that's just one of hundreds, if not thousands, of successful attacks."

This article originally appeared in Security Focus.

Copyright 2006, SecurityFocus

Visit the InfoSec News store! 

Site design & layout copyright © 1986-2014 CodeGods