Feeds

Targeted Trojan attacks on the rise

Coming at ya!

Top 5 reasons to deploy VMware with Tegile

Analysis On December 1, 2005, two email messages were sent from a computer in Western Australia to members of two different human rights organizations. Each email message carried a Microsoft Word document with a previously unknown exploit that would take control of the targeted person's computer and open up a beachhead into the group's network.

The attack failed, as did a second attempt to infiltrate the same human-rights groups a week later, due in no small part to an overabundance of caution on the part of email security provider MessageLabs, which initially blocked the emails based on the strangeness of the Word attachments. The attacks only targeted a single person at each organization and, after the two attempts, never repeated.

Such targeted Trojan horse attacks are quickly becoming a large concern for corporations, the military and political organizations, said MessageLabs security researcher Alex Shipp. The email security provider intercepted 298 such attacks between May 2005 and May 2006, and the threat of targeted Trojans is only increasing.

"If you haven't noticed these attacks and you are a big company, you have likely already been attacked," Shipp told attendees at the Virus Bulletin 2006 conference. "Your problem is no longer how do I avoid being attacked, but how do I find where I've been compromised."

Targeted Trojan horse attacks are quickly becoming a major issue for the antivirus and computer-security industries. Last year, computer emergency response groups in the UK, Canada and Australia warned of such attacks. While the United States Computer Emergency Readiness Team (US-CERT) did not issue a warning, security firms confirmed at the time that US government agencies and companies had already been targeted by such malicious software.

A major problem for large companies, government agencies and other potential targets is that antivirus software is not good at stopping low-volume attacks aimed at single companies. Traditional antivirus programs detect widespread attacks based on matching to a known pattern and do not fare well against low-volume Trojans. And even when they do detect such attacks, the larger volume threats are inevitably moved to the top of the firms' to-do lists, because they affect a larger number of customers, said antivirus industry insiders.

"There is no value whatsoever in having signature-based antivirus when facing a targeted attack," said Joshua Corman, host protection architect for Internet Security Systems (ISS). "We, the AV industry, haven't turned the corner in being able to detect these attacks consistently."

If a company misses the initial attack, the results can be costly, Corman said. He pointed to an example of one company, a pharmaceutical firm, that got infiltrated by a targeted Trojan attack. The company only realized it had been compromised when some valuable data was encrypted and the key held for ransom. The company had to pay and, after the incident, spent a month cleaning the compromised systems from its offices in three countries. Corman would not name the company, which became ISS client after the incident.

While MessageLabs might detect tens of thousands of copies of a typical mass-mailing computer viruses in a single day, the company is finding, at most, ten targeted Trojans a week, Shipp said. According to the data collected by MessageLabs, more than half of the 298 attacks detected over 12 months consist of a single email sent to a single person at a company. In total, 1,344 emails were sent during the period studied by Shipp. Military agencies, human rights organizations and pharmaceutical companies are some of the types of groups that are being targeted by specifically aimed attacks.

The attacks are also very well researched, Shipp said. One targeted Trojan was sent to five employees at one company - every single person was a member of the firm's research and development team.

"The bad guys have done their homework," Shipp said.

Internet Security Threat Report 2014

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
BitTorrent's peer-to-peer chat app Bleep goes live as public alpha
A good day for privacy as invisble.im also reveals its approach to untraceable chats
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.