Targeted Trojan Attacks Causing Concern
Bill Andad writes to point out a surprise trend emerging from the Virus Bulletin Conference 2006 in Montreal this week. From the article on Daniweb: "It is the smallest of Trojan attacks that are causing the biggest headache in the world of corporate security right now. By targeting individuals within individual companies with individually constructed infected messages, the new-age industrial spy is slipping under the security radar." News.com has more in-depth coverage.
We've seen a change of purpose in virus/trojan creation over the last years, from being a cracker or script kiddy ego thing to being the base of obviously lucrative spam distribution via cracked machines. The malware market has become more sophisticated, e.g. today malware usually will not crash a machine or cause any noticeable problems for the user, because the prime target is to use the machine as long as possible. So malware behavior is driven by business needs.
Now any option to make money will attract someone, in the case of illegal business often organized crime, which operates very much like any other business, just without regulation and taxes. And one thing a business usually does is look for options to grow and extend into other markets.
The spam distribution business seems just fine right now, and with more people getting online there is still some growth potential, but filters and trained users will limit that market. So if you switch from targeting the masses to individuals and specific companies you gain two things:
So once again, this is not mainly a technical problem: As long as someone finds a way to make money with it, it will not go away, but only get worse. Your best option might be to make sure that your business model allows your data to simply be open, so stealing will not work. If you develop open source software, your source cannot be stolen or destroyed. But make sure you have backups of your consulting customers list on separate media.
memomo: free web based language trainer DE-EN-ES-FR-IT
My work PC has been hit by trojans twice within a couple of weeks. I'm new there, so it looks bad anyway. Also, I'm as competent as most /. users, so I was shocked I got virused twice because I'm careful, especially at work. I'm an accountant so I don't have a say in the IT nor do I care to. My boss had to bring in external guys to fix the first virus, then the second one happened and he decided to reinstall everything anyway. Cost time and money.
How THEY know I want a bigger schlong and that I want to shoot like a porn star. And that I can't keep it up.
This is the obvious evolution in organized crime via hacking. If you could infect the marketing dept of several companies directly by doing a little old-fashioned PI work (or looking at the company directory), you will have access to both typically non-technical people and people that have access to what is about to be spun from a company. So do some "insider" trading on that.
Ask a legitimate question and get a response. You're now whitelisted. Send them a document related to your question that happens to carry your trojan. You can now, at least, impersonate them on the network/read their mail/send mail on their behalf.
It's a crappy way to develop a bot net but it's a good way to get very specific espionage capabilities.
Why hasn't this been exposed in the past? I'm sure it's been going on for quite some time.
Ubuntu, the ancient african for "couldn't install debian, but didn't want those damn trojans"
When will you start mentioning WINDOWS where appropriate? This problem is created and perpetuated by junk from MS.
you had me at #!
This is a disturbing trend; in the anonymous information age, trust is the only way to guarantee security. Prediction: anticipate a lot more 'orwellian' security implementations, retina, fingerprint etc. to ensure traceable DNA identification of infiltrators from within organizations who spread virii or covert trojan operations. This is why Open Source is the future, in a closed source project/organization, only those who have the knowledge can perceive compromisation, but with Open Source software the world community of geeks can verify that code is secure. Similarly, a more open trust based corporate model might better deter trojan aggressors.
Learn to know, the dark side of the force, and you will achieve a power greater than any Jedi...the power to save your w
Is it surprising at all that Social Engineering is the best way to get a virus in? I'm actually surprised this is even an article, of course the main problem companies are going to have is their employees clicking things they shouldn't...
There are two kinds of fool. One says 'This is old therefore good'. Another says 'This is new therefore better'. - Dean Ing
Too many of my Window-Monkies call in sick. (rooted by competitors - damn users clicking "ok").
Once I have a Linux Mail-Bot, I can lock it down and know it is mine!
Don't worry, we run our all processes "nice"!
This issue is a bit more complicated than you think.
Tell me about it. I just got through spending two hours getting rid of spyware/malware/dialware using Prevx. I religiously use spybot S&D, AVG, Ad-aware, CCleaner AND I still got hit. Makes you want to hurt the ones creating this stuff.
As a business proposition, the cost of researching a victim seems high in lots of ways -- it's not work for a dummy, it takes time, and the hits have to pay for all of the misses. At the very least, it has to use "mass customization" to succeed -- software that customizes a con to a victim in non-trivial ways. But yet if they go that route, it becomes easier to fight it with conventional spam and phishing tools, because software can spot the "mass" part.
Signatures in no way guarantee security. They may help indicate that the package on a server is the one that was originally uploaded, but even then they're of minimal use.
It's easy enough for a mirror to replace a legitimate package with a trojaned package. And if they offer a valid signature for that trojaned package, you likely won't even know it has been compromised. You'd have to compare the signature from the mirror with that of the main distribution point.
Likewise, it's more than possible for a malicious contributor to include such an exploit within a patch also containing legitimate fixes or feature additions. Unless there is careful screening of all patches, which isn't the case all of the time, it may become part of a release. Of course, a contributor with write access to a project's code repository could also have his system hijacked, and have it used to submit such code. Again, the package signature will be valid, but the malicious code will still be there.
Signatures are pretty much useless in the first place. So while it would be nice for Ubuntu to have all of their packages signed, it really wouldn't offer much benefit even if they did.
I'm waiting for Vista to be released, with the uber-secure WGA. Some nice, innocuous little virus will be written that doesn't steal files, doesn't open a backdoor, and doesn't delete anything. This virus will screw up your WGA hash, and one fine spring day a few million PCs will report that they are pirated copies and start locking people out of their own software.
That sound you will hear is a thousand Microsoft tech-support reps all crying out at once.
Learning HOW to think is more important than learning WHAT to think.
The "junk" would have to be the garbage they call an operating system with a craptacular wannabe security model. The OS is so crippled at the 'normal user' level that most applications fail to install correctly. When's the last time someone really cared that a local administrator exploit was released in Windows? We all know that Windows is the swiss cheese of operating systems, and it doesn't help that most infected people have no clue how exactly they got infected this time. Are application developers largely concerned their application could weaken an end user's system? I think it's less so than a unix/unix like application developer... We've seen improvement, but it's really just a band-aid when you think of the underlying issues.
1. All executables are always executable in Windows. Unix requires a permission to be applied to it before it's allowed to execute.
2. Each new release of Windows need only be a "little" more secure to live up to the billboard sham you see on every install since 98 (maybe earlier) - "Most secure Windows ever". I'll believe it when Linux, BSD or MacOS have me lose sleep over the same issues...
Let's take a look at sendmail. It used to be swiss cheese, but nowadays the frequency of remote or local exploits is rare. (at least the kind that give you access you don't deserve)
I could ramble on and on, but I'll just shut up! I don't have all day to chew the same old fat on the same dogly stupid issue of our time!!!
"Your best option might be to make sure that your business model allows your data to simply be open, so stealing will not work."
Keep that in mind when your personal information is scattered all over the net.
Because it is. And I'm posting this from my home machine running Edgy.
I think you missed the definition.
The code is not "in full view". It is hidden. That way, the user will run the code s/he THINKS is contained in that package, but the real code is something else.
Maybe you don't understand "trivial", either.
Under a single user Windows box, it was trivial. Just clicking on porn.gif(.exe) in Outlook used to be sufficient to run that
Under Ubuntu, there are more steps. And the user has to specifically type in "sudo blah". The more steps required, the more chance that the user will notice that there is a problem.
So, if 99% of Windows users get themselves infected
And that's just from the trojan threat.
Because Ubuntu's default installation has no open ports, it is 100% safe from worms.
And the virus threat is also limited by the restricted rights and the need to type "sudo virus-file" to "install" the virus.
I work in the IT Security group for a Top 10 financial institution here in the US. Most of the social engineering attacks we see are quite clumsy, make me roll my eyes when I see them, and groan when I hear of people actually falling for them. However, a new wave bit not only us, but at least 5 other Top 10 institutions in our field.
The social engineering portion was an emailed message, aimed at several high-level executives and other senior technical staff by name. Messages were sent to us in perfectly grammatical non-stilted English. The plain text message was "personalized" (no skill there, but it did add to the overall credibility.) The messages came in with a reasonable subject line: "Request for Interview re: Recent Security Incidents".
The actual email stated something to the effect that the sender was a journalist looking for comment on a newly published article in a trade magazine alleging a security breach at our institution. The "sender" invited the recipient to contact him (by telephone) to comment on the story for a follow-up. He ended the message by including the URL (but not a clickable link) to the original article making the allegations.
Well, that did it. A number of users, wishing to read the allegations, cut and pasted the URL. As you might guess, the site itself had been hi-jacked, so the browser was quickly re-directed to another site, exploited the most recent unpatched IE vulnerability and infected the user's PC with a key logger. The only reason this got caught quickly was that in some cases the user's IE session crashed, giving a hint that something might have happened. The other giveaway was that in addition to the key logger, something else got loaded with more obvious side-effects.
Of course, in retrospect it was pretty obvious, and in telling the story, it seems like S.E., but I had to admit it would have fooled me if I had been the first to receive the message. (Probably would not have been infected due to my use of low privileges, but I would have followed the URL). It passed the sniff test: Standard American English, a reference (and URL) to a trade magazine specific to my industry and field (Banking & IT), it included a phone number (of course a fake), and was in the exact tone you would expect from a legit journalist --- nothing loud or sensational, just a message that an allegation has been raised, would you care to respond.
My lesson: a little more empathy for the non-professionals who get bitten by other social engineering attacks. Yes, they SHOULD know better, but if I (in all modesty) could be fooled, what chance does my unsophisticated, trusting Granny have?
LULZ
oh, indeed. The main reason your anti-virus software is pointless.
If a piece of malicious software is well known enough for your anti-virus company to know about it, then a patch for the issue will be out very soon. Anti-virus software will only protect you from script kiddies and not someone that actually would have a good reason to steal your data, i.e. your competition.
...and that is all I have to say about that.
http://jessta.id.au
What the fuck?
No, with "su", you're running as root until you type "exit". There is no time limit or command limit on "su".
What? How? Go ahead. Infect my computer. It's running Edgy so I'm sure there are lots of holes still in it.
Go ahead. Do it.
Oh, you can't? Well I guess that your claims aren't factual.
Great. Then infect my machine. Go ahead.
Writing a program such as that is not difficult. The difficult part is getting it running on my machine. Or anyone else's machine.
Then do it.
I'm saying that it is hard. And with Ubuntu, it's practically impossible.
Don't try to sidetrack this. Your claim was that you can get root, easily. No, you cannot. Here, I'll make it as easy as you're ever going to get. My email address is linked to my 'nym. I'm running a fairly vanilla Edgy on Intel. No anti-virus at all.
Yes, it does.
I am in that category. You have my email address. You know the OS, mail program and hardware platform.
If you cannot get a trojan on my machine, you cannot do what you've claimed.
Therefore, it is you who does not understand security.
Again, you cannot crack my computer. You do not know what you're talking about.
Well, you've claimed that it is easy.
Your inability to prove that claim on my machine shows that it is not as easy as you would like others to believe.
Here's a free security clue. Cracking your own machine is nothing. If the crack is not spreading faster than it is being removed, it will "die" in "the wild".
Linux doesn't by itself save you from cross-platform vectors. Flash on Linux has had exploitable problems. PDF viewers for Linux have had buffer overflows and (2003) "If a victim clicks on a malicious hyperlink, an attacker could execute arbitrary shell commands with the victim's privileges." Linux makes it harder to run executable machine code by mistake but that covers only part of the perimeter.
I don't like to see people hurt by using Windows, and also don't like to see people hurt by overconfidence.
It was a targeted Trojan that got into Valve and stole the source-code to Half-Life 2, right off the project lead's workstation. IIRC, it arrived via a bug in Outlook's message-preview facility.
FATMOUSE + YOU = FATMOUSE
The same "logic" can apply to an email telling the "ignorant end user" to buy a hammer and smash the hard drive.
The problem is getting them to do that.
That is the problem. The problem you have not addressed. The problem you have not addressed is how to get the "ignorant end user" to do that.
Simply saying that it can be done is as stupid as saying that an email could persuade an "ignorant end user" to smash his/her computer with a hammer.
Not when you're talking about spreading a trojan. The more steps needed, the more likely that the "ignorant end user" will do something wrong or remember something about not running untrusted crap on his/her computer.
"Trivial" in this context means:
#1. Not doing something such as patching so a worm can infect you.
#2. Doing one stupid thing such as clicking on an attachment you received via email.
The more steps that have to be followed, in a particular order, the less "trivial" it becomes to convince the "ignorant end user" to perform all those steps, in that particular order.
You can keep arguing that this is not so, but the statistics seem to contradict you. And I'm going to go with the statistics on this.
There were anti-viruses in the past which weren't relying on the virus signature only, but were trying to detect new, unknown viruses too. Dr. Web was the one, but it seems they dropped this feature later (or at least are not advertising it any more). Probably it was not cost-effective then. Seems the time has come to revive this approach again. Of course it's not easy, requires very sophisticated statistical learning, bayesian networks or neural networks, maybe even genetic algorithms and very good understanding of the underlying OS, but it may have become cost-effective again.
Virus companies talk up scare, again. Why don't business users use a computer that doesn't get 'viruses'?
davecb5620@gmail.com
"A number of users .. cut and paste the URL .. the broswer was quickly re-directed .. and infected the user's PC with a key logger"
Why don't you advise the high-level executives to use a browser that doesn't install malware just by typing in a URL? The same goes for your Granny.
Recent Trojans - Very good social Engineering
davecb5620@gmail.com
I believe the article is talking about targeted industrial espionage, not spam slaves. Unless a target had control over a multi-gigabit backbone link, I can't see a spammer going to the effort of targeting specific machines, clusters, or users. In those cases there are admins monitoring traffic load and the spam would cause a surge in outgoing SMTP/POP3 traffic and rapidly get traced. Companies with big pipes tend to have the infrastructure in place to monitor and maintain the hardware behind those pipes.
In short, I seriously doubt spam distribution would be the reason behind a targeted attack.
Targeted attacks would select an individual machine, cluster, or user because they contain or have access to resources the attacker wants. It could be source code, it could be credit card numbers, it could be internal business plans, or it could be some goof trying to stalk the cutie on the second floor.
The point is the expense of a targeted attack starts with the expense of identifying a target.
What reason does the attacker have for identifying the target?
i.e. What's the motive?
I do not fail; I succeed at finding out what does not work.
If you do, these email or IM bombs will not be able to root the system, or open firewall ports. At most the user's folder is busted, and once deleted and restored the machine is clean.
Lots of corps do this even with Win2k/XP.
Although Windows indeed has a crappy security track record, there is absolutely no reason to believe Linux and a lot of the software that people run on it is any better. The reason: you can't compare the security of one system with that of another, because you cannot rule out bias in the test. At best, you can make an educated guess.
And, last I checked, GNU/Linux distros didn't very much protect against social engineering and trojans.
Please correct me if I got my facts wrong.
In recent weeks I've seen a growing amount of spam with subjects that appear to be constructed with my interests in mind. At first I dismissed them, but there are now so many I am beginning to wonder if the spammers haven't been monitoring my e-mail or browsing history to help them construct subjects they know I'm more likely to notice / read.
Only boring people are ever bored.
I'm really puzzled why anyone continues to accept mail with executable attachments of any kind.
When I first started fighting viruses and spam for my clients, the very first thing we did was block executable files at the mail server. This was in 1997 and required nothing more than a simple /etc/procmailrc file that scanned the message body for executable attachments.
Nowadays, of course, we have much more full-featured software like MailScanner to handle this. This isn't really rocket science, folks. 99+% of people in most organizations have no reason to receive an executable file; if they don't get them, they can't run them.
The new vector seems to be email with clickable links that redirect to an executable. One solution is obviously to install a browser like Firefox that won't run a downloaded file by default, but that still enables lusers to download the file to the desktop then run it. Our current solution for this problem is blocking executables with Squid. Push all web requests through the proxy transparently and block access to URLs ending in .exe, etc.
I really don't understand why policies like these aren't SOP at all organizations, especially organizations large and wealthy enough to have executives worth targeting with malware.
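The two gateway checks this post describes (drop mail carrying executable attachments; refuse links that point straight at an executable download) can be prototyped in a few dozen lines with Python's standard `email` package. The block below is an added example, not the poster's own procmailrc or Squid configuration, and the extension and MIME-type lists, the `example.invalid` addresses and the sample messages are all constructed for it. It also handles the `porn.gif(.exe)` double-extension case raised earlier in the thread by judging only the final suffix.

```python
"""Prototype mail-gateway policy: quarantine messages that carry executable
attachments or that link directly to an executable download.
Added example in the spirit of the procmail/Squid policy described above;
the lists below are assumptions, not a vendor's or the poster's real config."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed policy lists (constructed for this example; keep your own in production).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".msi", ".hta",
}
EXECUTABLE_MIME_TYPES = {
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/x-executable",
}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def has_executable_extension(name):
    """Only the final suffix counts, so 'porn.gif.exe' is caught and
    'report.exe.txt' is not. A trailing '.' (sentence punctuation) is ignored."""
    lowered = name.lower().rstrip(".")
    dot = lowered.rfind(".")
    return dot != -1 and lowered[dot:] in EXECUTABLE_EXTENSIONS


def executable_attachments(msg):
    """Return the names of parts that look executable by filename or MIME type."""
    found = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        ctype = part.get_content_type()
        if ctype in EXECUTABLE_MIME_TYPES or (filename and has_executable_extension(filename)):
            found.append(filename or ctype)
    return found


def executable_links(msg):
    """Return URLs in text bodies whose last path segment has an executable suffix."""
    links = []
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        for url in URL_RE.findall(part.get_content()):
            path = url.split("?", 1)[0].split("#", 1)[0].rstrip("/")
            if has_executable_extension(path.rsplit("/", 1)[-1]):
                links.append(url)
    return links


def classify(raw_bytes):
    """Parse a raw RFC 822 message and return (verdict, attachments, links)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    atts = executable_attachments(msg)
    links = executable_links(msg)
    return ("quarantine" if (atts or links) else "deliver"), atts, links


def build_sample(subject, body, attachment_name=None, attachment_type="application/octet-stream"):
    """Construct a sample message as raw bytes (test data only, no real sender)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "exec@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        maintype, subtype = attachment_type.split("/", 1)
        m.add_attachment(b"MZ\x90\x00", maintype=maintype, subtype=subtype,
                         filename=attachment_name)
    return m.as_bytes()


# Constructed sample traffic mirroring the cases discussed in the thread.
SAMPLES = {
    "double_extension": build_sample("Q3 numbers", "Attached as discussed.", "report.gif.exe"),
    "mime_only": build_sample("Tool", "Run the updater.", "updater.dat",
                              "application/x-msdownload"),
    "link": build_sample("Request for interview",
                         "Article: http://example.invalid/story/incidents.exe"),
    "clean": build_sample("Minutes", "Notes: http://example.invalid/wiki/minutes",
                          "minutes.pdf", "application/pdf"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
```

The attachment check looks at both the declared filename and the MIME type, because a sender controls both and a gateway should not trust either alone; the link check deliberately leaves the `.pdf` sample alone, since the post's policy is about executables, not every document type a viewer might mishandle.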