Feeds

Targeted Trojan attacks on the rise

Coming at ya!

Internet Security Threat Report 2014

During the 12 months studied by Shipp, the majority of the Trojan horse programs, almost 70 per cent, used a malicious Word document as the vehicle for the attack. That's already changing, with PowerPoint and Excel documents now becoming popular, he said. The one type of document that oddly is not being used by attackers is the PDF format of Adobe Acrobat.

Shipp added that most companies cannot just block the problematic attachments, even if they realize the threat.

"In many cases, even if the company is vulnerable, .doc files are their lifeblood, so they can't block Word documents," Shipp said.

Most of the attacks come from the Pacific Rim, emanating from Internet addresses in mainland China, Hong Kong, Australia and Malaysia. However, one IP address that consistently attacks military installations comes from a computer in California. Shipp believes that the computer could have been compromised as part of a botnet.

In fact, Shipp believes that three major groups are involved. The first and largest group is the most active and uses a variety of different tactics, but most commonly uses a zero-day exploit in the attack. The researcher believes it is also possible that this group could be several independent actors. He feels more confident about the other two groups: One targets only Hong Kong companies with an attack once every three weeks or so, and the other attacks military sites from a computer in California about every two weeks.

The attack data underscores an overall trend in threats. While some hobbyist virus writers undoubtedly still exist, most malware is now written for profit.

"No one other than the kids want to infect a million people anymore," said Graham Cluley, senior technology consultant for antivirus firm Sophos. "You would rather deal with 50 or 100 systems at a time."

Sophos and other security companies are adopting better versions of behavioral blocking software to combat the threat. Traditional behavioral blocking stops a program that attempts a specific action, a technique that frequently flags legitimate programs as potential threats. Sophos instead characterizes programs by a collection of actions attempted by the program in a virtual sandbox and blocks the executable if the actions seems malicious. Called "behavioral genotype protection" by Sophos, the technique has already caught a number of targeted and low-volume attacks, Cluley said.

However, the antivirus industry is still moving too slowly, ISS's Corman said. The Trojan horse sold to private investigators by an Israeli couple took 18 months to detect.

"People in the industry keep talking about the Israeli Trojan horse, because that is one of the few public examples," Corman said. "But that's just one of hundreds, if not thousands, of successful attacks."

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus

Beginner's guide to SSL certificates

More from The Register

next story
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Internet Security Threat Report 2014
An overview and analysis of the year in global threat activity: identify, analyze, and provide commentary on emerging trends in the dynamic threat landscape.