Targeted Trojan Attacks Causing Concern
Bill Andad writes to point out a surprise trend emerging from the Virus Bulletin Conference 2006 in Montreal this week. From the article on Daniweb: "It is the smallest of Trojan attacks that are causing the biggest headache in the world of corporate security right now. By targeting individuals within individual companies with individually constructed infected messages, the new-age industrial spy is slipping under the security radar." News.com has more in-depth coverage.
We've seen a change of purpose in virus/trojan creation over the last few years, from being a cracker or script kiddie ego thing to being the base of obviously lucrative spam distribution via cracked machines. The malware market has become more sophisticated, e.g. today malware usually will not crash a machine or cause any noticeable problems for the user, because the prime target is to use the machine as long as possible. So malware behavior is driven by business needs.
Now any option to make money will attract someone, in the case of illegal business often organized crime, which operates very much like any other business, just without regulation and taxes. And one thing business usually does is look for options to grow and extend into other markets.
The spam distribution business seems just fine right now, and with more people getting online there is still some growth potential, but filters and trained users will limit that market. So if you switch from targeting the masses to individuals and specific companies you gain two things:
So once again, this is not mainly a technical problem: As long as someone finds a way to make money with it, it will not go away, but only get worse. Your best option might be to make sure that your business model allows your data to simply be open, so stealing will not work. If you develop open source software, your source cannot be stolen or destroyed. But make sure you have backups of your consulting customers list on separate media.
memomo: free web based language trainer DE-EN-ES-FR-IT
My work PC has been hit by trojans twice within a couple of weeks. I'm new there, so it looks bad anyway. Also, I'm as competent as most /. users, so I was shocked I got virused twice because I'm careful, especially at work. I'm an accountant so I don't have a say in the IT nor do I care to. My boss had to bring in external guys to fix the first virus, then the second one happened and he decided to reinstall everything anyway. Cost time and money.
This is the obvious evolution in organized crime via hacking. If you could infect the marketing dept of several companies directly by doing a little old-fashioned PI work (or looking at the company directory), you will have access to both typically non-technical people and people that have access to what is about to be spun from a company. So do some "insider" trading on that.
Ask a legitimate question and get a response. You're now whitelisted. Send them a document related to your question that happens to carry your trojan. You can now, at least, impersonate them on the network/read their mail/send mail on their behalf.
It's a crappy way to develop a bot net but it's a good way to get very specific espionage capabilities.
Why hasn't this been exposed in the past? I'm sure it's been going on for quite some time.
Ubuntu, the ancient african for "couldn't install debian, but didn't want those damn trojans"
When will you start mentioning WINDOWS where appropriate? This problem is created and perpetuated by junk from MS.
you had me at #!
This is a disturbing trend; in the anonymous information age, trust is the only way to guarantee security. Prediction: anticipate a lot more 'orwellian' security implementations, retina, fingerprint etc. to ensure traceable DNA identification of infiltrators from within organization who spread virii or covert trojan operations. This is why Open Source is the future, in a closed source project/organization, only those who have the knowledge can perceive compromisation, but with Open Source software the world community of geeks can verify that code is secure. Similarly, a more open trust based corporate model might better deter trojan aggressors.
Learn to know, the dark side of the force, and you will achieve a power greater than any Jedi...the power to save your w
Is it surprising at all that Social Engineering is the best way to get a virus in? I'm actually surprised this is even an article, of course the main problem companies are going to have is their employees clicking things they shouldn't...
There are two kinds of fool One says 'This is old therefore good' Another says 'This is new therefore better'- Dean Ing
Too many of my Window-Monkies call in sick. (rooted by competitors - damn users clicking "ok").
Once I have a Linux Mail-Bot, I can lock it down and know it is mine!
Don't worry, we run all our processes "nice"!
This issue is a bit more complicated than you think.
As a business proposition, the cost of researching a victim seems high in lots of ways -- it's not work for a dummy, it takes time, and the hits have to pay for all of the misses. At the very least, it has to use "mass customization" to succeed -- software that customizes a con to a victim in non-trivial ways. But yet if they go that route, it becomes easier to fight it with conventional spam and phishing tools, because software can spot the "mass" part.
I'm waiting for Vista to be released, with the uber-secure WGA. Some nice, innocuous little virus will be written that doesn't steal files, doesn't open a backdoor, and doesn't delete anything. This virus will screw up your WGA hash, and one fine spring day a few million PCs will report that they are pirated copies and start locking people out of their own software.
That sound you will hear is a thousand Microsoft tech-support reps all crying out at once.
Learning HOW to think is more important than learning WHAT to think.
None of this is relevant to trojans. A trojan is, by definition, something the user wants to run. The fact that most linux users don't run untrusted programs in a "jail" is much the same as the fact that most windows users don't do that either. It's sad, but it's a user education problem, and we're typically not good at solving those. Ubuntu users are encouraged to use "sudo" instead of "su" to run programs as root. sudo allows a permitted user to execute a command as the superuser or another user, but how many people actually use sudo to execute a command as anyone but root? sudo -u nobody ./random-email-attachment who does that? no-one.
How we know is more important than what we know.
I think you misunderstand how the signatures work. If a mirror replaced a legit package with a trojaned one, they would either have to have it unsigned, or have it signed with a key that isn't one of the ubuntu release keys. In either case, the package manager would spout warnings about it, and it would get found out pretty quickly. Apt tools, in effect, do check the signature against those from the main distribution point. Or, more accurately, against the keys they know about. This means that the mirror couldn't replace the package and have no one the wiser.
Because it is. And I'm posting this from my home machine running Edgy.
I think you missed the definition.
The code is not "in full view". It is hidden. That way, the user will run the code s/he THINKS is contained in that package, but the real code is something else.
Maybe you don't understand "trivial", either.
Under a single user Windows box, it was trivial. Just clicking on porn.gif(.exe) in Outlook used to be sufficient to run that
Under Ubuntu, there are more steps. And the user has to specifically type in "sudo blah". The more steps required, the more chance that the user will notice that there is a problem.
So, if 99% of Windows users get themselves infected
And that's just from the trojan threat.
Because Ubuntu's default installation has no open ports, it is 100% safe from worms.
And the virus threat is also limited by the restricted rights and the need to type "sudo virus-file" to "install" the virus.
I work in the IT Security group for a Top 10 financial institution here in the US. Most of the social engineering attacks we see are quite clumsy, make me roll my eyes when I see them, and groan when I hear of people actually falling for them. However, a new wave bit not only us, but at least 5 other Top 10 institutions in our field.
The social engineering portion was an emailed message, aimed at several high-level executives and other senior technical staff by name. Messages were sent to us in perfectly grammatical non-stilted English. The plain text message was "personalized" (no skill there, but it did add to the overall credibility.) The messages came in with a reasonable subject line: "Request for Interview re: Recent Security Incidents".
The actual email stated something to the effect that the sender was a journalist looking for comment on a newly published article in a trade magazine alleging a security breach at our institution. The "sender" invited the recipient to contact him (by telephone) to comment on the story for a follow-up. He ended the message by including the URL (but not a clickable link) to the original article making the allegations.
Well, that did it. A number of users, wishing to read the allegations, cut and pasted the URL. As you might guess, the site itself had been hijacked, so the browser was quickly redirected to another site, which exploited the most recent unpatched IE vulnerability and infected the user's PC with a key logger. The only reason this got caught quickly was that in some cases the user's IE session crashed, giving a hint that something might have happened. The other giveaway was that in addition to the key logger, something else got loaded with more obvious side-effects.
Of course, in retrospect it was pretty obvious, and in telling the story, it seems like S.E., but I had to admit it would have fooled me if I had been the first to receive the message. (Probably would not have been infected due to my use of low privileges, but I would have followed the URL). It passed the sniff test: Standard American English, a reference (and URL) to a trade magazine specific to my industry and field (Banking & IT), it included a phone number (of course a fake), and was in the exact tone you would expect from a legit journalist --- nothing loud or sensational, just a message that an allegation has been raised, would you care to respond.
My lesson: a little more empathy for the non-professionals who get bitten by other social engineering attacks. Yes, they SHOULD know better, but if I (in all modesty) could be fooled, what chance does my unsophisticated, trusting Granny have?
LULZ
oh, indeed. The main reason your anti-virus software is pointless.
If a piece of malicious software is well known enough for your anti-virus company to know about it, then a patch for the issue will be out very soon. Anti-virus software will only protect you from script kiddies and not someone that actually would have a good reason to steal your data, i.e. your competition.
...and that is all I have to say about that.
http://jessta.id.au
but how many people actually use sudo to execute a command as anyone but root? sudo -u nobody ./random-email-attachment who does that? no-one.
Because it isn't easy.
If this were an itch I was prepared to scratch, I would look into creating a static image of a virtual-machine that could be used just for running questionable stuff. Then I would look at putting hooks into programs like thunderbird that would make it automagically invoke the VM for attachments.
Beyond the integration into regularly used applications, the main problems to overcome mainly deal with when to allow the VM to do I/O to files outside of the VM (i.e. legitimate stuff) versus when to keep all activity completely "locked up" in the VM (i.e. unexpected/undesirable behavior). Since the image is static, maybe all I/O would just be within the VM and then when the VM exits, have something compare the final state of the VM with the static image, and any changes in approved areas could be copied out, while all other changes are thrown out the window once it reverts back to the original static image.
When information is power, privacy is freedom.
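The "static image, then diff on exit" scheme proposed in the post above, modelled as an added example (not the commenter's code). The VM filesystem is a dict of path to bytes, APPROVED_PREFIXES is an assumed policy, and the sample image and the changes the untrusted program makes are constructed.

```python
"""Static image plus post-run diff: export only approved changes, discard the rest."""
import hashlib
import posixpath
from typing import Dict, List, Tuple

# Assumed policy: only changes under these paths may leave the VM.
APPROVED_PREFIXES = ("home/user/outbox/",)


def fingerprint(image: Dict[str, bytes]) -> Dict[str, str]:
    """Hash every file so the static image can be kept as a small baseline."""
    return {p: hashlib.sha256(b).hexdigest() for p, b in image.items()}


def diff_state(baseline: Dict[str, str], final: Dict[str, bytes]) -> Dict[str, str]:
    """Classify each path as added/modified/deleted relative to the baseline."""
    changes: Dict[str, str] = {}
    final_fp = fingerprint(final)
    for p, h in final_fp.items():
        if p not in baseline:
            changes[p] = "added"
        elif baseline[p] != h:
            changes[p] = "modified"
    for p in baseline:
        if p not in final_fp:
            changes[p] = "deleted"
    return changes


def is_approved(path: str) -> bool:
    """Normalise first so 'outbox/../.bashrc' cannot escape the approved area."""
    norm = posixpath.normpath(path)
    return not norm.startswith("..") and norm.startswith(APPROVED_PREFIXES)


def export_changes(baseline: Dict[str, str], final: Dict[str, bytes],
                   host: Dict[str, bytes]) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Copy approved changes to the host; everything else dies with the VM revert."""
    exported, discarded = [], []
    for path, kind in diff_state(baseline, final).items():
        if not is_approved(path):
            discarded.append((path, kind))
            continue
        if kind == "deleted":
            host.pop(path, None)
        else:
            host[path] = final[path]
        exported.append((path, kind))
    return exported, discarded


def run_untrusted_program(image: Dict[str, bytes]) -> Dict[str, bytes]:
    """Constructed stand-in for an attachment run inside the VM: one legitimate
    output file plus two changes outside the approved area."""
    final = dict(image)
    final["home/user/outbox/report.pdf"] = b"%PDF-1.4 constructed output"
    final["home/user/.bashrc"] = image["home/user/.bashrc"] + b"\n# unexpected edit"
    final["home/user/.ssh/authorized_keys"] = b"# unexpected new file"
    return final


def demo():
    """Constructed image and host state; returns ((exported, discarded), host)."""
    image = {"home/user/.bashrc": b"export PS1='$ '", "etc/hosts": b"127.0.0.1 localhost"}
    host = {"home/user/.bashrc": image["home/user/.bashrc"]}
    result = export_changes(fingerprint(image), run_untrusted_program(image), host)
    return result, host
```

Only the outbox file reaches the host; the edited .bashrc and the new key file are reported and then lost when the image reverts.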
All in all, I like to sum it up as such: neither the security model of unix, nor the *cough* security model of Windows were designed for an under-educated user running untrusted applications. These security models are all about multiple users and the educated discretionary granting of permissions between those users. The Windows security model goes a little further than the unix security model in that it has things to say about sharing those permissions over networks, and there are Mandatory Access Control security models that go beyond both of them and say things about permissions that are not at the discretion of the users, but there is no good security model, that I'm aware of, for isolating and controlling the behaviour of the programs which users run in these security models. There have been attempts of course. "Application firewalls".. "capabilities".. but there's no multimillion dollar research going into this like there was put into those other security models. Why? Because all that research was done by the military.. and the military really doesn't have any need for a security model that makes it safe to run arbitrary programs because, unlike us consumers, they just don't do that.
What the fuck?
No, with "su", you're running as root until you type "exit". There is no time limit or command limit on "su".
What? How? Go ahead. Infect my computer. It's running Edgy so I'm sure there are lots of holes still in it.
Go ahead. Do it.
Oh, you can't? Well I guess that your claims aren't factual.
Great. Then infect my machine. Go ahead.
Writing a program such as that is not difficult. The difficult part is getting it running on my machine. Or anyone else's machine.
Then do it.
I'm saying that it is hard. And with Ubuntu, it's practically impossible.
Don't try to sidetrack this. Your claim was that you can get root, easily. No, you cannot. Here, I'll make it as easy as you're ever going to get. My email address is linked to my 'nym. I'm running a fairly vanilla Edgy on Intel. No anti-virus at all.
Yes, it does.
I am in that category. You have my email address. You know the OS, mail program and hardware platform.
If you cannot get a trojan on my machine, you cannot do what you've claimed.
Therefore, it is you who does not understand security.
Again, you cannot crack my computer. You do not know what you're talking about.
Well, you've claimed that it is easy.
Your inability to prove that claim on my machine shows that it is not as easy as you would like others to believe.
Here's a free security clue. Cracking your own machine is nothing. If the crack is not spreading faster than it is being removed, it will "die" in "the wild".
Linux doesn't by itself save you from cross-platform vectors. Flash on Linux has had exploitable problems. PDF viewers for Linux have had buffer overflows and (2003) "If a victim clicks on a malicious hyperlink, an attacker could execute arbitrary shell commands with the victim's privileges." Linux makes it harder to run executable machine code by mistake but that covers only part of the perimeter.
I don't like to see people hurt by using Windows, and also don't like to see people hurt by overconfidence.
It was a targeted Trojan that got into Valve and stole the source-code to Half-Life 2, right off the project lead's workstation. IIRC, it arrived via a bug in Outlook's message-preview facility.
FATMOUSE + YOU = FATMOUSE
The same "logic" can apply to an email telling the "ignorant end user" to buy a hammer and smash the hard drive.
The problem is getting them to do that.
That is the problem. The problem you have not addressed. The problem you have not addressed is how to get the "ignorant end user" to do that.
Simply saying that it can be done is as stupid as saying that an email could persuade an "ignorant end user" to smash his/her computer with a hammer.
Not when you're talking about spreading a trojan. The more steps needed, the more likely that the "ignorant end user" will do something wrong or remember something about not running untrusted crap on his/her computer.
"Trivial" in this context means:
#1. Not doing something such as patching so a worm can infect you.
#2. Doing one stupid thing such as clicking on an attachment you received via email.
The more steps that have to be followed, in a particular order, the less "trivial" it becomes to convince the "ignorant end user" to perform all those steps, in that particular order.
You can keep arguing that this is not so, but the statistics seem to contradict you. And I'm going to go with the statistics on this.
There were anti-viruses in the past which weren't relying on the virus signature only, but were trying to detect new, unknown viruses too. Dr. Web was the one, but it seems they dropped this feature later (or at least are not advertising it any more). Probably it was not cost-effective then. Seems the time has come to revive this approach again. Of course it's not easy, requires very sophisticated statistical learning, Bayesian networks or neural networks, maybe even genetic algorithms and a very good understanding of the underlying OS, but it may have become cost-effective again.
Virus companies talk up scare, again. Why don't business users use a computer that doesn't get 'viruses'?
davecb5620@gmail.com
"A number of users .. cut and paste the URL .. the browser was quickly re-directed .. and infected the user's PC with a key logger"
Why don't you advise the high-level executives to use a browser that doesn't install malware just by typing in a URL? The same goes for your Granny.
the OS is so crippled at the 'normal user' level that most applications fail to install correctly.
Unlike with Linux, where all applications fail to install as normal users? Oh sure, you can (usually) compile from source and install to ~/bin, but then you can get Windows apps (such as Eclipse) that you just unzip and drop into whatever folder you choose.
I am not aware of any system-wide installation service (e.g. rpm, deb, msi, etc.) that doesn't require admin privs.
Are application developers largely concerned their application could weaken an end user's system? I think it's less so than a unix/unix-like application developer...
Developers in general are clueless about security. Just a few days ago there was an article here about how many web apps are vulnerable to SQL injection attacks. To me, that is utterly unforgivable, and yet they are. There are far more developers writing software for Windows, so you are bound to have far more insecure apps.
All executables are always executable in Windows. Unix requires a permission to be applied to it before it's allowed to execute.
Technically under Windows you have to have execute permission for the file in question. However, this is automatically granted to the creator/owner of the file, so it's something of a moot issue. Also, given that executable permission for a file on Linux is just a 'chmod +x $filename' away, I don't really see your point. It's a speed bump, nothing more; I've received email viruses that are in password protected zip files - you have to open the zip file, enter the password, then run the enclosed app, and yet they still spread. Do you really think having to perform the extra step of chmoding a file is going to stop the sort of person that will do that?
It's official. Most of you are morons.
I believe the article is talking about targeted industrial espionage, not spam slaves. Unless a target had control over a multi-gigabit backbone link, I can't see a spammer going to the effort of targeting specific machines, clusters, or users. In those cases there are admins monitoring traffic load and the spam would cause a surge in outgoing SMTP/POP3 traffic and rapidly get traced. Companies with big pipes tend to have the infrastructure in place to monitor and maintain the hardware behind those pipes.
In short, I seriously doubt spam distribution would be the reason behind a targeted attack.
Targeted attacks would select an individual machine, cluster, or user because they contain or have access to resources the attacker wants. It could be source code, it could be credit card numbers, it could be internal business plans, or it could be some goof trying to stalk the cutie on the second floor.
The point is the expense of a targeted attack starts with the expense of identifying a target.
What reason does the attacker have for identifying the target?
i.e. What's the motive?
I do not fail; I succeed at finding out what does not work.
If you do, these email or IM bombs will not be able to root the system, or open firewall ports. At most the user's folder is busted, and once deleted and restored the machine is clean.
Lots of corps do this even with Win2k/XP.
Although Windows indeed has a crappy security track record, there is absolutely no reason to believe Linux and a lot of the software that people run on it is any better. The reason: you can't compare the security of one system with that of another, because you cannot rule out bias in the test. At best, you can make an educated guess.
And, last I checked, GNU/Linux distros didn't very much protect against social engineering and trojans.
Please correct me if I got my facts wrong.
In recent weeks I've seen a growing amount of spam with subjects that appear to be constructed with my interests in mind. At first I dismissed them, but there are now so many I am beginning to wonder if the spammers haven't been monitoring my e-mail or browsing history to help them construct subjects they know I'm more likely to notice / read.
Only boring people are ever bored.
I'm really puzzled why anyone continues to accept mail with executable attachments of any kind.
When I first started fighting viruses and spam for my clients, the very first thing we did was block executable files at the mail server. This was in 1997 and required nothing more than a simple /etc/procmailrc file that scanned the message body for executable attachments.
Nowadays, of course, we have much more full-featured software like MailScanner to handle this. This isn't really rocket science, folks. 99+% of people in most organizations have no reason to receive an executable file; if they don't get them, they can't run them.
The new vector seems to be email with clickable links that redirect to an executable. One solution is obviously to install a browser like Firefox that won't run a downloaded file by default, but that still enables lusers to download the file to the desktop then run it. Our current solution for this problem is blocking executables with Squid. Push all web requests through the proxy transparently and block access to URLs ending in .exe, etc.
I really don't understand why policies like these aren't SOP at all organizations, especially organizations large and wealthy enough to have executives worth targeting with malware.
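The detection logic behind the procmail and Squid rules in the post above, as an added example in Python (not the commenter's /etc/procmailrc or squid.conf). The extension list and the sample message are constructed; the PE-header check is an extra step the post does not mention, included because a renamed executable slips past an extension-only filter.

```python
"""Flag executable attachments in a MIME message and executable-download URLs."""
import email
import re
from email import policy
from email.message import EmailMessage
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed list; a real filter would carry a longer one.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}
LAST_EXT_RE = re.compile(r"\.[a-z0-9]{1,4}$")


def is_executable_name(name: str) -> bool:
    """Look only at the final extension, so 'Article.PDF.exe' is caught;
    trailing dots and spaces are stripped the way Windows strips them."""
    m = LAST_EXT_RE.search(name.strip().rstrip(".").lower())
    return bool(m) and m.group(0) in EXEC_EXTENSIONS


def blocked_url(url: str) -> bool:
    """Squid-style check on the URL path only; the query string is ignored."""
    return is_executable_name(urlparse(url).path)


def scan_message(raw: bytes) -> List[Tuple[str, str]]:
    """Return (filename, reason) for every MIME part that should be quarantined."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        if is_executable_name(name):
            hits.append((name, "executable extension"))
        elif payload[:2] == b"MZ":  # PE/DOS header under an innocent name
            hits.append((name, "PE header despite harmless name"))
    return hits


def build_sample() -> bytes:
    """Constructed message in the style of the journalist lure described above."""
    msg = EmailMessage()
    msg["From"] = "reporter@example.invalid"
    msg["To"] = "cfo@example.invalid"
    msg["Subject"] = "Request for Interview re: Recent Security Incidents"
    msg.set_content("The article is attached; please call to comment.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="article.pdf")
    msg.add_attachment(b"MZ" + b"\x90" * 14, maintype="application",
                       subtype="octet-stream", filename="Article.PDF.exe")
    msg.add_attachment(b"MZ" + b"\x90" * 14, maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    return msg.as_bytes()
```

The real PDF passes, the double-extension file is caught by name, and the renamed executable is caught by its header.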