Feeds

Targeted Trojan attacks on the rise

Coming at ya!

SANS - Survey on application security programs

During the 12 months studied by Shipp, the majority of the Trojan horse programs, almost 70 per cent, used a malicious Word document as the vehicle for the attack. That's already changing, with PowerPoint and Excel documents now becoming popular, he said. The one type of document that oddly is not being used by attackers is the PDF format of Adobe Acrobat.

Shipp added that most companies cannot just block the problematic attachments, even if they realize the threat.

"In many cases, even if the company is vulnerable, .doc files are their lifeblood, so they can't block Word documents," Shipp said.

Most of the attacks come from the Pacific Rim, emanating from Internet addresses in mainland China, Hong Kong, Australia and Malaysia. However, one IP address that consistently attacks military installations comes from a computer in California. Shipp believes that the computer could have been compromised as part of a botnet.

In fact, Shipp believes that three major groups are involved. The first and largest group is the most active and uses a variety of different tactics, but most commonly uses a zero-day exploit in the attack. The researcher believes it is also possible that this group could be several independent actors. He feels more confident about the other two groups: One targets only Hong Kong companies with an attack once every three weeks or so, and the other attacks military sites from a computer in California about every two weeks.

The attack data underscores an overall trend in threats. While some hobbyist virus writers undoubtedly still exist, most malware is now written for profit.

"No one other than the kids want to infect a million people anymore," said Graham Cluley, senior technology consultant for antivirus firm Sophos. "You would rather deal with 50 or 100 systems at a time."

Sophos and other security companies are adopting better versions of behavioral blocking software to combat the threat. Traditional behavioral blocking stops a program that attempts a specific action, a technique that frequently flags legitimate programs as potential threats. Sophos instead characterizes programs by a collection of actions attempted by the program in a virtual sandbox and blocks the executable if the actions seems malicious. Called "behavioral genotype protection" by Sophos, the technique has already caught a number of targeted and low-volume attacks, Cluley said.

However, the antivirus industry is still moving too slowly, ISS's Corman said. The Trojan horse sold to private investigators by an Israeli couple took 18 months to detect.

"People in the industry keep talking about the Israeli Trojan horse, because that is one of the few public examples," Corman said. "But that's just one of hundreds, if not thousands, of successful attacks."

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.