Feeds

Targeted Trojan attacks on the rise

Coming at ya!

Protecting against web application threats using SSL

During the 12 months studied by Shipp, the majority of the Trojan horse programs, almost 70 per cent, used a malicious Word document as the vehicle for the attack. That's already changing, with PowerPoint and Excel documents now becoming popular, he said. The one type of document that oddly is not being used by attackers is the PDF format of Adobe Acrobat.

Shipp added that most companies cannot just block the problematic attachments, even if they realize the threat.

"In many cases, even if the company is vulnerable, .doc files are their lifeblood, so they can't block Word documents," Shipp said.

Most of the attacks come from the Pacific Rim, emanating from Internet addresses in mainland China, Hong Kong, Australia and Malaysia. However, one IP address that consistently attacks military installations comes from a computer in California. Shipp believes that the computer could have been compromised as part of a botnet.

In fact, Shipp believes that three major groups are involved. The first and largest group is the most active and uses a variety of different tactics, but most commonly uses a zero-day exploit in the attack. The researcher believes it is also possible that this group could be several independent actors. He feels more confident about the other two groups: One targets only Hong Kong companies with an attack once every three weeks or so, and the other attacks military sites from a computer in California about every two weeks.

The attack data underscores an overall trend in threats. While some hobbyist virus writers undoubtedly still exist, most malware is now written for profit.

"No one other than the kids want to infect a million people anymore," said Graham Cluley, senior technology consultant for antivirus firm Sophos. "You would rather deal with 50 or 100 systems at a time."

Sophos and other security companies are adopting better versions of behavioral blocking software to combat the threat. Traditional behavioral blocking stops a program that attempts a specific action, a technique that frequently flags legitimate programs as potential threats. Sophos instead characterizes programs by a collection of actions attempted by the program in a virtual sandbox and blocks the executable if the actions seems malicious. Called "behavioral genotype protection" by Sophos, the technique has already caught a number of targeted and low-volume attacks, Cluley said.

However, the antivirus industry is still moving too slowly, ISS's Corman said. The Trojan horse sold to private investigators by an Israeli couple took 18 months to detect.

"People in the industry keep talking about the Israeli Trojan horse, because that is one of the few public examples," Corman said. "But that's just one of hundreds, if not thousands, of successful attacks."

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.