Targeted Trojan Attacks Causing Concern
Bill Andad writes to point out a surprise trend emerging from the Virus Bulletin Conference 2006 in Montreal this week. From the article on Daniweb: "It is the smallest of Trojan attacks that are causing the biggest headache in the world of corporate security right now. By targeting individuals within individual companies with individually constructed infected messages, the new-age industrial spy is slipping under the security radar." News.com has more in-depth coverage.
We've seen a change of purpose in virus/trojan creation over the last few years, from being a cracker or script kiddie ego thing to being the base of obviously lucrative spam distribution via cracked machines. The malware market has become more sophisticated, e.g. today malware usually will not crash a machine or cause any noticeable problems for the user, because the prime target is to use the machine as long as possible. So malware behavior is driven by business needs.
Now any option to make money will attract someone, in the case of illegal business often organized crime, which operates very much like any other business, just without regulation and taxes. And one thing business usually does is look for options to grow and extend into other markets.
The spam distribution business seems just fine right now, and with more people getting online there is still some growth potential, but filters and trained users will limit that market. So if you switch from targeting the masses to individuals and specific companies you gain two things:
So once again, this is not mainly a technical problem: as long as someone finds a way to make money with it, it will not go away, but only get worse. Your best option might be to make sure that your business model allows your data to simply be open, so stealing will not work. If you develop open source software, your source cannot be stolen or destroyed. But make sure you have backups of your consulting customers list on separate media.
memomo: free web based language trainer DE-EN-ES-FR-IT
My work PC has been hit by trojans twice within a couple of weeks. I'm new there, so it looks bad anyway. Also, I'm as competent as most /. users, so I was shocked I got virused twice because I'm careful, especially at work. I'm an accountant so I don't have a say in the IT nor do I care to. My boss had to bring in external guys to fix the first virus, then the second one happened and he decided to reinstall everything anyway. Cost time and money.
This is the obvious evolution in organized crime via hacking. If you could infect the marketing dept of several companies directly by doing a little old-fashioned PI work (or looking at the company directory), you will have access to both typically non-technical people and people that have access to what is about to be spun from a company. So do some "insider" trading on that.
Ask a legitimate question and get a response. You're now whitelisted. Send them a document related to your question that happens to carry your trojan. You can now, at least, impersonate them on the network/read their mail/send mail on their behalf.
It's a crappy way to develop a bot net but it's a good way to get very specific espionage capabilities.
Why hasn't this been exposed in the past? I'm sure it's been going on for quite some time.
Also the African word for "many packages in our repository lack signatures but people install them anyway". Trojans are just as easy on Linux as anywhere else.
How we know is more important than what we know.
When will you start mentioning WINDOWS where appropriate? This problem is created and perpetuated by junk from MS.
you had me at #!
This is a disturbing trend; in the anonymous information age, trust is the only way to guarantee security. Prediction: anticipate a lot more 'orwellian' security implementations, retina, fingerprint etc. to ensure traceable DNA identification of infiltrators from within organizations who spread virii or covert trojan operations. This is why Open Source is the future: in a closed source project/organization, only those who have the knowledge can perceive compromise, but with Open Source software the world community of geeks can verify that code is secure. Similarly, a more open trust based corporate model might better deter trojan aggressors.
Learn to know, the dark side of the force, and you will achieve a power greater than any Jedi...the power to save your w
Is it surprising at all that Social Engineering is the best way to get a virus in? I'm actually surprised this is even an article, of course the main problem companies are going to have is their employees clicking things they shouldn't...
There are two kinds of fool One says 'This is old therefore good' Another says 'This is new therefore better'- Dean Ing
And I always thought ubuntu was the ancient African word for "Wanted Linux, but refuse to RTFM in order to install Gentoo."
My hovercraft is full of eels. All your castles are ours. And he had made a trumpet of his arse.
As a business proposition, the cost of researching a victim seems high in lots of ways -- it's not work for a dummy, it takes time, and the hits have to pay for all of the misses. At the very least, it has to use "mass customization" to succeed -- software that customizes a con to a victim in non-trivial ways. But yet if they go that route, it becomes easier to fight it with conventional spam and phishing tools, because software can spot the "mass" part.
Bull:
If you wanted to make the point that there are just as many attack vectors in Ubuntu as elsewhere, go ahead. But the mere presence of an avenue of attack doesn't magically make it easy. Implying that Ubuntu is not inherently harder to compromise than Windows is prima facie wrong.
Crumb's Corollary: Never bring a knife to a bun fight.
* All Ubuntu .deb packages available by default come from known sources. Adding untrusted repositories requires root privileges and visual warnings.
* Installing software through apt-get (or synaptic or any of the other automated software installers) requires admin privileges.
Why do people think "requires admin privileges" is any sort of significant barrier on unmanaged, typically single-user systems?
[...] is going to have a very hard time affecting the integrity of the system, let alone hiding from the user.
The best place to hide is in full view. Or did you miss the whole definition and point of a 'trojan horse'?
The default user mode is non-privileged. It's hard (though not impossible) for someone to run Ubuntu as root.
It's trivial. Every time you go 'sudo blah', 'blah' is running as root.
I'm waiting for Vista to be released, with the uber-secure WGA. Some nice, innocuous little virus will be written that doesn't steal files, doesn't open a backdoor, and doesn't delete anything. This virus will screw up your WGA hash, and one fine spring day a few million PCs will report that they are pirated copies and start locking people out of their own software.
That sound you will hear is a thousand Microsoft tech-support reps all crying out at once.
Learning HOW to think is more important than learning WHAT to think.
None of this is relevant to trojans. A trojan is, by definition, something the user wants to run. The fact that most Linux users don't run untrusted programs in a "jail" is much the same as the fact that most Windows users don't do that either. It's sad, but it's a user education problem, and we're typically not good at solving those. Ubuntu users are encouraged to use "sudo" instead of "su" to run programs as root. sudo allows a permitted user to execute a command as the superuser or another user, but how many people actually use sudo to execute a command as anyone but root? "sudo -u nobody ./random-email-attachment" - who does that? No-one.
How we know is more important than what we know.
I work in the IT Security group for a Top 10 financial institution here in the US. Most of the social engineering attacks we see are quite clumsy, make me roll my eyes when I see them, and groan when I hear of people actually falling for them. However, a new wave bit not only us, but at least 5 other Top 10 institutions in our field.
The social engineering portion was an emailed message, aimed at several high-level executives and other senior technical staff by name. Messages were sent to us in perfectly grammatical, non-stilted English. The plain text message was "personalized" (no skill there, but it did add to the overall credibility.) The messages came in with a reasonable subject line: "Request for Interview re: Recent Security Incidents".
The actual email stated something to the effect that the sender was a journalist looking for comment on a newly published article in a trade magazine alleging a security breach at our institution. The "sender" invited the recipient to contact him (by telephone) to comment on the story for a follow-up. He ended the message by including the URL (but not a clickable link) to the original article making the allegations.
Well, that did it. A number of users, wishing to read the allegations, cut and pasted the URL. As you might guess, the site itself had been hijacked, so the browser was quickly redirected to another site, which exploited the most recent unpatched IE vulnerability and infected the user's PC with a key logger. The only reason this got caught quickly was that in some cases the user's IE session crashed, giving a hint that something might have happened. The other giveaway was that in addition to the key logger, something else got loaded with more obvious side-effects.
Of course, in retrospect it was pretty obvious, and in telling the story, it seems like S.E., but I had to admit it would have fooled me if I had been the first to receive the message. (Probably would not have been infected due to my use of low privileges, but I would have followed the URL). It passed the sniff test: Standard American English, a reference (and URL) to a trade magazine specific to my industry and field (Banking & IT), it included a phone number (of course a fake), and was in the exact tone you would expect from a legit journalist: nothing loud or sensational, just a message that an allegation has been raised, would you care to respond.
My lesson: a little more empathy for the non-professionals who get bitten by other social engineering attacks. Yes, they SHOULD know better, but if I (in all modesty) could be fooled, what chance does my unsophisticated, trusting Granny have?
LULZ
Oh, indeed. The main reason your anti-virus software is pointless.
If a piece of malicious software is well known enough for your anti-virus company to know about it, then a patch for the issue will be out very soon. Anti-virus software will only protect you from script kiddies and not someone that actually would have a good reason to steal your data, i.e. your competition.
...and that is all I have to say about that.
http://jessta.id.au
but how many people actually use sudo to execute a command as anyone but root? sudo -u nobody ./random-email-attachment who does that? no-one.
Because it isn't easy.
If this were an itch I was prepared to scratch, I would look into creating a static image of a virtual-machine that could be used just for running questionable stuff. Then I would look at putting hooks into programs like thunderbird that would make it automagically invoke the VM for attachments.
Beyond the integration into regularly used applications, the main problems to overcome mainly deal with when to allow the VM to do I/O to files outside of the VM (i.e. legitimate stuff) versus when to keep all activity completely "locked up" in the VM (i.e. unexpected/undesirable behavior). Since the image is static, maybe all I/O would just be within the VM, and then when the VM exits, have something compare the final state of the VM with the static image; any changes in approved areas could be copied out, while all other changes are thrown out the window once it reverts back to the original static image.
When information is power, privacy is freedom.
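The "compare the final VM state with the static image, copy out only approved changes" idea from the post above, worked through as an added example (this is not the commenter's code and not part of the original thread). It assumes the VM's filesystem is reachable as two directory trees on the host, the pristine image and the tree left behind after the attachment ran; the paths, file contents and the allowed export area (home/user/Documents) are constructed for the demo. Anything changed outside the approved area is reported and discarded, which is also where an analyst would look first for persistence attempts.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256 digest."""
    digests = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return digests


def diff_snapshots(baseline, final):
    """Return (added, modified, deleted) relative paths between two snapshots."""
    added = sorted(set(final) - set(baseline))
    deleted = sorted(set(baseline) - set(final))
    modified = sorted(p for p in set(baseline) & set(final) if baseline[p] != final[p])
    return added, modified, deleted


def is_approved(relpath, approved_prefixes):
    """True if relpath is inside one of the directories we allow to leave the VM."""
    return any(relpath == pre or relpath.startswith(pre.rstrip("/") + "/")
               for pre in approved_prefixes)


def reconcile(baseline_dir, final_dir, export_dir, approved_prefixes):
    """Copy approved additions/modifications out of the VM tree; report the rest.

    Deletions are never replayed on the host; they are only listed for review,
    since the static image is reverted anyway.
    """
    baseline_dir, final_dir, export_dir = Path(baseline_dir), Path(final_dir), Path(export_dir)
    added, modified, deleted = diff_snapshots(snapshot(baseline_dir), snapshot(final_dir))
    exported, discarded = [], []
    for rel in added + modified:
        if is_approved(rel, approved_prefixes):
            dst = export_dir / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(final_dir / rel, dst)
            exported.append(rel)
        else:
            discarded.append(rel)
    return {"exported": exported, "discarded": discarded, "deleted": deleted}


def demo():
    """Constructed scenario: a static image and the same tree after an attachment ran."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        base, final, out = tmp / "image", tmp / "after", tmp / "export"
        for d in (base, final, out):
            d.mkdir()
        # Contents of the static image (constructed sample files).
        image_files = {
            "home/user/.bashrc": b"export PS1='$ '\n",
            "home/user/Documents/notes.txt": b"quarterly notes\n",
            "etc/hosts": b"127.0.0.1 localhost\n",
        }
        for rel, data in image_files.items():
            for root in (base, final):
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_bytes(data)
        # What the run changed: one legitimate output in the approved area,
        # plus a shell profile edit, a hosts-file edit and a new binary outside it.
        (final / "home/user/Documents/report.pdf").write_bytes(b"%PDF-1.4 converted report\n")
        (final / "home/user/.bashrc").write_bytes(b"export PS1='$ '\n# line appended by the run\n")
        (final / "etc/hosts").write_bytes(b"127.0.0.1 localhost\n0.0.0.0 update.example.invalid\n")
        (final / "usr/local/bin").mkdir(parents=True)
        (final / "usr/local/bin/updater").write_bytes(b"#!/bin/sh\n")
        result = reconcile(base, final, out, approved_prefixes=["home/user/Documents"])
        # Record what actually reached the host-side export directory.
        result["export_listing"] = sorted(
            p.relative_to(out).as_posix() for p in out.rglob("*") if p.is_file())
        return result


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

Hashing every file is the simplest honest comparison; mtime-based diffs are cheaper but easy for a program inside the VM to fool. The approved-prefix check compares path components rather than raw string prefixes so that an allowlisted "home/user/Documents" does not also approve "home/user/Documents2".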
What the fuck?
No, with "su", you're running as root until you type "exit". There is no time limit or command limit on "su".
What? How? Go ahead. Infect my computer. It's running Edgy so I'm sure there are lots of holes still in it.
Go ahead. Do it.
Oh, you can't? Well I guess that your claims aren't factual.
Great. Then infect my machine. Go ahead.
Writing a program such as that is not difficult. The difficult part is getting it running on my machine. Or anyone else's machine.
Then do it.
I'm saying that it is hard. And with Ubuntu, it's practically impossible.
Don't try to sidetrack this. Your claim was that you can get root, easily. No, you cannot. Here, I'll make it as easy as you're ever going to get. My email address is linked to my 'nym. I'm running a fairly vanilla Edgy on Intel. No anti-virus at all.
Yes, it does.
I am in that category. You have my email address. You know the OS, mail program and hardware platform.
If you cannot get a trojan on my machine, you cannot do what you've claimed.
Therefore, it is you who does not understand security.
Again, you cannot crack my computer. You do not know what you're talking about.
Well, you've claimed that it is easy.
Your inability to prove that claim on my machine shows that it is not as easy as you would like others to believe.
Here's a free security clue. Cracking your own machine is nothing. If the crack is not spreading faster than it is being removed, it will "die" in "the wild".
It was a targeted Trojan that got into Valve and stole the source-code to Half-Life 2, right off the project lead's workstation. IIRC, it arrived via a bug in Outlook's message-preview facility.
FATMOUSE + YOU = FATMOUSE