Targeted Trojans - new security focus at firms

Mal-ware security experts at the annual Virus Bulletin Conference in Montreal say the worms and phishing and spam attacks are the least of their worries. Evidently, there is a new wave of security attacks specifically aimed at a single multinational corporation or law firms, among a few others. The e-mails tend to exploit un-published security flaws in Microsoft products, and tend to be sent the day after the monthly patch. These attacks are called targeted trojans or Zero Day attacks (Zero Day apparently meaning the day right after patch days). C/Net reports:

The use of zero-day flaws circumvents traditional signature-based security products. These products rely on attack signatures (the "fingerprint" of the threat) to block the attack, which requires the attack to have been identified at least once before.

"This is the future of malware attacks," said Andreas Marx, an antivirus software specialist at the University of Magdeburg in Germany. "People affected by this won't be protected by antivirus software because there is no signature."

A signature is created when antivirus companies get a report from an infected company, when they see samples in their own honeypots, or get samples from other antivirus companies. "This doesn't happen with targeted attacks, as only an extremely small number of people get infected," Marx said.

As an example, Shipp said that only four antivirus products today detect one specific targeted attack that was first spotted months ago. Other products still let it through. MessageLabs is able to identity some of the threats by looking at the specific details of Office documents attached to e-mail and pinpointing unusual code in them, he said.

The identity of the attackers is mostly unknown. Security experts have theories of multiple gangs in different parts of the world, but haven't been able to pinpoint them.

The motivation of the attackers is also topic of dispute. From his analysis, Shipp believes the intent is to steal information. "In other words, corporate espionage," he said.

But Symantec's Weafer isn't so sure. "Whether they are for hire, or whether they are simply trying stuff out is not clear," he said.

Security companies are working on behavioral blocking and other techniques that go beyond signature-based detection to protect systems. Heuristics, which are programs that use pattern recognition, instead of being based on algorithms, are one example.

"Antivirus companies have moved in leaps and bounds in terms of heuristic attacks," Cluley said. "It is not completely disastrous, even if it doesn't appear on the radar. Good proactive protection can still defend against a lot of this stuff," he said.

The real good news is that there is a only a very low probability that any specific company was attacked last year, Shipp said. "The bad news is, if you were attacked and it was successful, it is of very high value," he said.

The links for articles on this topic, along with their own links to related articles:

Future of Malware: Trojan Horses

Zero-day Wednesdays

SANS Internet Storm Center

Arizona U. "How to Remove Malware

Michael Horwitz How to Remove Spyware and Malware - This is much more in-depth than the Arizona page above, and discusses the pros and cons of each method, noting that you may be creating new problems, and how some problems mask themselves and look clean when they are not. Written first in 2004, this page was updated July, 2006. Thank you, Michael Horwitz!


The decoration is a detail of Tiepolo's "Procession of the Trojan Horse," from the Wikipedia Commons, http://commons.wikimedia.org/wiki/Image:Tiepolo_-_The_procession_of_the_trojan_horse.jpg