Targeted Trojan attacks on the rise

During the 12 months studied by Shipp, the majority of the Trojan horse programs, almost 70 per cent, used a malicious Word document as the vehicle for the attack. That's already changing, with PowerPoint and Excel documents now becoming popular, he said. The one type of document that oddly is not being used by attackers is the PDF format of Adobe Acrobat.

Shipp added that most companies cannot just block the problematic attachments, even if they realize the threat.

"In many cases, even if the company is vulnerable, .doc files are their lifeblood, so they can't block Word documents," Shipp said.

Most of the attacks come from the Pacific Rim, emanating from Internet addresses in mainland China, Hong Kong, Australia and Malaysia. However, one IP address that consistently attacks military installations comes from a computer in California. Shipp believes that the computer could have been compromised as part of a botnet.

In fact, Shipp believes that three major groups are involved. The first and largest group is the most active and uses a variety of different tactics, but most commonly uses a zero-day exploit in the attack. The researcher believes it is also possible that this group could be several independent actors. He feels more confident about the other two groups: One targets only Hong Kong companies with an attack once every three weeks or so, and the other attacks military sites from a computer in California about every two weeks.

The attack data underscores an overall trend in threats. While some hobbyist virus writers undoubtedly still exist, most malware is now written for profit.

"No one other than the kids want to infect a million people anymore," said Graham Cluley, senior technology consultant for antivirus firm Sophos. "You would rather deal with 50 or 100 systems at a time."

Sophos and other security companies are adopting better versions of behavioral blocking software to combat the threat. Traditional behavioral blocking stops a program that attempts a specific action, a technique that frequently flags legitimate programs as potential threats. Sophos instead characterizes programs by a collection of actions attempted by the program in a virtual sandbox and blocks the executable if the actions seems malicious. Called "behavioral genotype protection" by Sophos, the technique has already caught a number of targeted and low-volume attacks, Cluley said.

However, the antivirus industry is still moving too slowly, ISS's Corman said. The Trojan horse sold to private investigators by an Israeli couple took 18 months to detect.

"People in the industry keep talking about the Israeli Trojan horse, because that is one of the few public examples," Corman said. "But that's just one of hundreds, if not thousands, of successful attacks."

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus