Slashdot Mirror


Targeted Trojan Attacks Causing Concern

Bill Andad writes to point out a surprise trend emerging from the Virus Bulletin Conference 2006 in Montreal this week. From the article on Daniweb: "It is the smallest of Trojan attacks that are causing the biggest headache in the world of corporate security right now. By targeting individuals within individual companies with individually constructed infected messages, the new-age industrial spy is slipping under the security radar." News.com has more in-depth coverage.

8 of 77 comments

  1. Re:Get Ubuntu by QuantumG · Score: 5, Insightful

    Also the African word for "many packages in our repository lack signatures but people install them anyway". Trojans are just as easy on Linux as anywhere else.

    --
    How we know is more important than what we know.
  2. The new face of corporate crime by skrew · Score: 2, Insightful

    This is a disturbing trend; in the anonymous information age, trust is the only way to guarantee security. Prediction: anticipate a lot more 'Orwellian' security implementations, retina, fingerprint etc. to ensure traceable DNA identification of infiltrators from within the organization who spread virii or covert trojan operations. This is why Open Source is the future: in a closed source project/organization, only those who have the knowledge can perceive compromisation, but with Open Source software the world community of geeks can verify that code is secure. Similarly, a more open, trust-based corporate model might better deter trojan aggressors.

    --
    Learn to know, the dark side of the force, and you will achieve a power greater than any Jedi...the power to save your w
  3. Not all that surprising by Jarjarthejedi · Score: 4, Insightful

    Is it surprising at all that Social Engineering is the best way to get a virus in? I'm actually surprised this is even an article, of course the main problem companies are going to have is their employees clicking things they shouldn't...

    --
    There are two kinds of fool. One says 'This is old, therefore good.' Another says 'This is new, therefore better.' - Dean Ing
  4. Re:Get Ubuntu by grcumb · Score: 4, Insightful

    Also the African word for "many packages in our repository lack signatures but people install them anyway". Trojans are just as easy on Linux as anywhere else.

    Bull:

    • All Ubuntu .deb packages available by default come from known sources. Adding untrusted repositories requires root privileges and visual warnings.
    • Installing software through apt-get (or synaptic or any of the other automated software installers) requires admin privileges.
    • Even a malicious script that surreptitiously runs
      dpkg -i nasty-payload
      is going to have a very hard time affecting the integrity of the system, let alone hiding from the user.
    • The default user mode is non-privileged. It's hard (though not impossible) for someone to run Ubuntu as root.

    If you wanted to make the point that there are just as many attack vectors in Ubuntu as elsewhere, go ahead. But the mere presence of an avenue of attack doesn't magically make it easy. Implying that Ubuntu is not inherently harder to compromise than Windows is prima facie wrong.

    --
    Crumb's Corollary: Never bring a knife to a bun fight.
  5. Re:The lax windows and win32 app security model... by QuantumG · Score: 3, Insightful

    None of this is relevant to trojans. A trojan is, by definition, something the user wants to run. The fact that most Linux users don't run untrusted programs in a "jail" is much the same as the fact that most Windows users don't do that either. It's sad, but it's a user education problem, and we're typically not good at solving those. Ubuntu users are encouraged to use "sudo" instead of "su" to run programs as root. sudo allows a permitted user to execute a command as the superuser or another user, but how many people actually use sudo to execute a command as anyone but root? sudo -u nobody ./random-email-attachment: who does that? No one.

    --
    How we know is more important than what we know.
  6. Re:Any trojans cause concern by MichaelSmith · Score: 2, Insightful

    Also, I'm as competent as most /. users, so I was shocked I got virused twice because I'm careful, especially at work.

    Almost certainly another machine on your network is spreading the infection. You did something about it because you are on the lookout for these problems. I suggest you use your position to bypass the IT people. Go straight to the top and get the boss to knock some heads together in the IT department. This problem is more serious than the immediate issue on your PC.

  7. Re:Recent Trojans - Very good social Engineering by bconway · Score: 2, Insightful

    Well, that did it. A number of users, wishing to read the allegations, cut and pasted the URL. As you might guess, the site itself had been hijacked, so the browser was quickly redirected to another site, which exploited the most recent unpatched IE vulnerability and infected the user's PC with a key logger. The only reason this got caught quickly was that in some cases the user's IE session crashed, giving a hint that something might have happened.

    Wow, those are some decent execs. Ours would just try the URL 3 or 4 more times and then move on, forgetting about it.

    --
    Interested in open source engine management for your Subaru?
  8. Re:The lax windows and win32 app security model... by Jah-Wren+Ryel · Score: 2, Insightful

    but how many people actually use sudo to execute a command as anyone but root? sudo -u nobody ./random-email-attachment: who does that? No one.

    Because it isn't easy.

    If this were an itch I was prepared to scratch, I would look into creating a static image of a virtual machine that could be used just for running questionable stuff. Then I would look at putting hooks into programs like Thunderbird that would make it automagically invoke the VM for attachments.

    Beyond the integration into regularly used applications, the main problems to overcome mainly deal with when to allow the VM to do I/O to files outside of the VM (i.e. legitimate stuff) versus when to keep all activity completely "locked up" in the VM (i.e. unexpected/undesirable behavior). Since the image is static, maybe all I/O would just be within the VM, and then when the VM exits, have something compare the final state of the VM with the static image; any changes in approved areas could be copied out, while all other changes are thrown out the window once it reverts back to the original static image.

    --
    When information is power, privacy is freedom.
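The compare-and-copy-out step sketched in the comment above, as an added illustration that is not the commenter's code: a directory tree stands in for the static image and a throwaway copy of it for the running VM; the single approved area `out/`, the file names and the sample "attachment" command are all constructed for this example. It also covers the failure mode the comment worries about, an attachment that writes outside the approved area: those changes vanish with the copy and never reach the image or the export directory.

```shell
#!/bin/sh
# Added illustration of the revert-and-compare idea; not the commenter's code.
# A directory tree stands in for the static VM image, a fresh copy of it for
# the running VM, and $image/out is the one constructed "approved area" whose
# changes are allowed to leave the sandbox.

# make_image DIR: build the constructed pristine image.
make_image() {
    mkdir -p "$1/out" "$1/home"
    printf 'baseline config\n' > "$1/home/.config"
    # An approved-area file that already exists; it must only be exported
    # again if the sandboxed command actually changes it.
    printf 'keep\n' > "$1/out/keep.txt"
}

# run_sandboxed IMAGE EXPORT_DIR CMD...
# Runs CMD inside a fresh copy of IMAGE (cwd and HOME point into the copy),
# then compares the copy's out/ with the image's out/. Files that are new or
# changed under out/ are copied to EXPORT_DIR and their names printed; every
# other change disappears with the copy, so the image itself never changes.
run_sandboxed() {
    image=$1; export_dir=$2; shift 2
    work=$(mktemp -d)
    cp -R "$image/." "$work/"
    # The untrusted command; its exit status must not abort the cleanup.
    ( cd "$work" && HOME="$work/home" "$@" ) >/dev/null 2>&1 || true
    mkdir -p "$export_dir"
    # Compare the final state of the approved area with the static image.
    ( cd "$work/out" && find . -type f ) | sed 's|^\./||' |
    while IFS= read -r f; do
        if [ ! -e "$image/out/$f" ] || ! cmp -s "$image/out/$f" "$work/out/$f"; then
            mkdir -p "$export_dir/$(dirname "$f")"
            cp "$work/out/$f" "$export_dir/$f"
            printf '%s\n' "$f"
        fi
    done
    # Revert: anything touched outside out/ (e.g. home/.config) is discarded.
    rm -rf "$work"
}

# Demo on a constructed image: the "attachment" writes a report into out/
# (approved) and also tampers with home/.config (not approved).
demo() {
    img=$(mktemp -d); exp=$(mktemp -d)
    make_image "$img"
    run_sandboxed "$img" "$exp" sh -c 'echo report > out/result.txt; echo tampered > home/.config'
    echo "exported: $(cat "$exp/result.txt")"        # report
    echo "image config: $(cat "$img/home/.config")"  # baseline config
    rm -rf "$img" "$exp"
}
demo
```

A real implementation would snapshot a VM disk image rather than copy a directory, but the policy shape is the same: the pristine image is read-only, the comparison runs after the guest exits, and only the allow-listed area is ever exported.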