Slashdot Mirror


Targeted Trojan Attacks Causing Concern

Bill Andad writes to point out a surprise trend emerging from the Virus Bulletin Conference 2006 in Montreal this week. From the article on Daniweb: "It is the smallest of Trojan attacks that are causing the biggest headache in the world of corporate security right now. By targeting individuals within individual companies with individually constructed infected messages, the new-age industrial spy is slipping under the security radar." News.com has more in-depth coverage.

6 of 77 comments

  1. The biggest danger is working business models (by chriss, Score: 4, Interesting)

    We've seen a change of purpose in virus/trojan creation over the last few years, from being a cracker or script-kiddy ego thing to being the basis of obviously lucrative spam distribution via cracked machines. The malware market has become more sophisticated, e.g. today malware usually will not crash a machine or cause any noticeable problems for the user, because the prime target is to use the machine as long as possible. So malware behavior is driven by business needs.

    Now any option to make money will attract someone, in the case of illegal business often organized crime, which operates very much like any other business, just without regulation and taxes. And one thing business usually does is look for options to grow and extend into other markets.

    The spam distribution business seems just fine right now, and with more people getting online there is still some growth potential, but filters and trained users will limit that market. So if you switch from targeting the masses to individuals and specific companies you gain two things:

    1. Detection rate is much lower, since the development of anti-malware tools today only works because the cost of the development is spread over a large number of users. Unless this can be somehow automated, effective protection will become very expensive and only affordable by larger businesses or people with sensitive data like the military.
    2. The revenue per customer will increase, since industrial espionage, blackmailing, insider trading and other neat things available to those with the right data are much more profitable than a percentage of Viagra sales.

    So once again, this is not mainly a technical problem: as long as someone finds a way to make money with it, it will not go away, but only get worse. Your best option might be to make sure that your business model allows your data to simply be open, so stealing will not work. If you develop open source software, your source cannot be stolen or destroyed. But make sure you have backups of your consulting customers list on separate media.

  2. Re:Get Ubuntu (by QuantumG, Score: 5, Insightful)

    Also the African word for "many packages in our repository lack signatures but people install them anyway". Trojans are just as easy on Linux as anywhere else.

    --
    How we know is more important than what we know.
  3. Not all that surprising (by Jarjarthejedi, Score: 4, Insightful)

    Is it surprising at all that Social Engineering is the best way to get a virus in? I'm actually surprised this is even an article, of course the main problem companies are going to have is their employees clicking things they shouldn't...

    --
    There are two kinds of fool. One says 'This is old, therefore good'; another says 'This is new, therefore better'. - Dean Ing
  4. Re:Get Ubuntu (by grcumb, Score: 4, Insightful)

    Also the African word for "many packages in our repository lack signatures but people install them anyway". Trojans are just as easy on Linux as anywhere else.

    Bull:

    • All Ubuntu .deb packages available by default come from known sources. Adding untrusted repositories requires root privileges and visual warnings.
    • Installing software through apt-get (or synaptic or any of the other automated software installers) requires admin privileges.
    • Even a malicious script that surreptitiously runs
      dpkg -i nasty-payload
      is going to have a very hard time affecting the integrity of the system, let alone hiding from the user.
    • The default user mode is non-privileged. It's hard (though not impossible) for someone to run Ubuntu as root.

    If you wanted to make the point that there are just as many attack vectors in Ubuntu as elsewhere, go ahead. But the mere presence of an avenue of attack doesn't magically make it easy. Implying that Ubuntu is not inherently harder to compromise than Windows is prima facie wrong.

    --
    Crumb's Corollary: Never bring a knife to a bun fight.
  5. Wait for it... (by chill, Score: 5, Interesting)

    I'm waiting for Vista to be released, with the uber-secure WGA. Some nice, innocuous little virus will be written that doesn't steal files, doesn't open a backdoor, and doesn't delete anything. This virus will screw up your WGA hash, and one fine spring day a few million PCs will report that they are pirated copies and start locking people out of their own software.

    That sound you will hear is a thousand Microsoft tech-support reps all crying out at once.

    --
    Learning HOW to think is more important than learning WHAT to think.
  6. Recent Trojans - Very good social engineering (by Anonymous Coward, Score: 5, Interesting)

    I work in the IT Security group for a Top 10 financial institution here in the US. Most of the social engineering attacks we see are quite clumsy, make me roll my eyes when I see them, and groan when I hear of people actually falling for them. However, a new wave bit not only us, but at least 5 other Top 10 institutions in our field.

    The social engineering portion was an emailed message, aimed at several high-level executives and other senior technical staff by name. Messages were sent to us in perfectly grammatical, non-stilted English. The plain text message was "personalized" (no skill there, but it did add to the overall credibility). The messages came in with a reasonable subject line: "Request for Interview re: Recent Security Incidents".

    The actual email stated something to the effect that the sender was a journalist looking for comment on a newly published article in a trade magazine alleging a security breach at our institution. The "sender" invited the recipient to contact him (by telephone) to comment on the story for a follow-up. He ended the message by including the URL (but not a clickable link) to the original article making the allegations.

    Well, that did it. A number of users, wishing to read the allegations, cut and pasted the URL. As you might guess, the site itself had been hijacked, so the browser was quickly redirected to another site, which exploited the most recent unpatched IE vulnerability and infected the user's PC with a key logger. The only reason this got caught quickly was that in some cases the user's IE session crashed, giving a hint that something might have happened. The other giveaway was that, in addition to the key logger, something else got loaded with more obvious side-effects.

    Of course, in retrospect it was pretty obvious, and in telling the story, it seems like S.E., but I have to admit it would have fooled me if I had been the first to receive the message. (Probably would not have been infected due to my use of low privileges, but I would have followed the URL.) It passed the sniff test: Standard American English, a reference (and URL) to a trade magazine specific to my industry and field (Banking & IT), it included a phone number (of course a fake), and was in the exact tone you would expect from a legit journalist: nothing loud or sensational, just a message that an allegation has been raised, would you care to respond.

    My lesson: a little more empathy for the non-professionals who get bitten by other social engineering attacks. Yes, they SHOULD know better, but if I (in all modesty) could be fooled, what chance does my unsophisticated, trusting Granny have?
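The chain the poster above describes (a pasted, referer-less URL, a hijacked page that bounces the browser off-site, then a drive-by payload from the redirect target) leaves a recognisable pattern in a web proxy log. What follows is an added example for this thread, not code from any of the posters or from the institution described: a small Python detector run over constructed proxy log lines. The log format (timestamp, client, method, URL, status, referer, content type), the domain names, the time windows and the executable content types are all assumptions, and the registered-domain helper is a deliberate simplification that ignores public-suffix rules.

```python
"""Flag proxy-log sessions that match a pasted-URL -> off-domain redirect ->
executable download chain. Everything below is illustrative: the log lines are
constructed, not captured traffic, and the field layout is an assumption."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumed log layout: timestamp client method url status referer content_type
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+) (\S+)$")

# Content types that typically carry a Windows executable (assumed list).
EXEC_TYPES = {
    "application/octet-stream",
    "application/x-msdownload",
    "application/x-msdos-program",
}
REDIRECT_WINDOW = timedelta(seconds=5)    # landing page -> redirect hop
DOWNLOAD_WINDOW = timedelta(seconds=120)  # landing page -> payload fetch

# Constructed sample log (not real traffic). Client .23 follows the chain,
# .40 browses the trade site normally, .77 hits a benign same-site 301.
SAMPLE_LOG = """\
2006-10-12T14:02:11 10.1.5.23 GET http://www.bankingtradeweekly.example/articles/breach.html 302 - text/html
2006-10-12T14:02:11 10.1.5.23 GET http://cdn-stats.example.net/ad/frame.php 200 - text/html
2006-10-12T14:02:12 10.1.5.23 GET http://cdn-stats.example.net/ad/load.exe 200 http://cdn-stats.example.net/ad/frame.php application/octet-stream
2006-10-12T14:05:40 10.1.5.40 GET http://www.bankingtradeweekly.example/ 200 - text/html
2006-10-12T14:05:41 10.1.5.40 GET http://www.bankingtradeweekly.example/images/logo.gif 200 http://www.bankingtradeweekly.example/ image/gif
2006-10-12T14:07:02 10.1.5.77 GET http://intranet.corp.example/portal 301 - text/html
2006-10-12T14:07:02 10.1.5.77 GET http://intranet.corp.example/portal/ 200 - text/html
"""


def parse_log(text):
    """Turn log lines into dicts; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, method, url, status, referer, ctype = m.groups()
        entries.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "method": method,
            "url": url,
            "status": int(status),
            "referer": None if referer == "-" else referer,
            "ctype": ctype,
        })
    return entries


def registered_domain(url):
    """Last two host labels. Simplification: no public-suffix list, so
    something like example.co.uk would be handled wrongly."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def find_redirect_chains(entries):
    """Per client: a referer-less 3xx landing request, then the first request to a
    different registered domain within REDIRECT_WINDOW (the redirect target),
    then an executable fetched from that domain within DOWNLOAD_WINDOW."""
    by_client = defaultdict(list)
    for e in entries:
        by_client[e["client"]].append(e)

    alerts = []
    for client, reqs in by_client.items():
        reqs.sort(key=lambda e: e["ts"])
        for i, landing in enumerate(reqs):
            # A pasted URL has no referer; the hijacked page answers with a redirect.
            if landing["referer"] is not None or not 300 <= landing["status"] < 400:
                continue
            landing_dom = registered_domain(landing["url"])
            for hop in reqs[i + 1:]:
                if hop["ts"] - landing["ts"] > REDIRECT_WINDOW:
                    break
                hop_dom = registered_domain(hop["url"])
                if hop_dom == landing_dom:
                    continue  # same-site redirect or a sub-resource, not the hop
                for dl in reqs[i + 1:]:
                    if dl["ts"] - landing["ts"] > DOWNLOAD_WINDOW:
                        break
                    if (registered_domain(dl["url"]) == hop_dom
                            and dl["status"] == 200
                            and dl["ctype"] in EXEC_TYPES):
                        alerts.append({
                            "client": client,
                            "landing": landing["url"],
                            "redirect_to": hop["url"],
                            "payload": dl["url"],
                        })
                        break
                break  # only the first off-domain request counts as the redirect target
    return alerts


if __name__ == "__main__":
    for alert in find_redirect_chains(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run against the constructed sample it reports exactly one chain, for client 10.1.5.23; the normal browsing session and the intranet's same-site 301 produce nothing. The useful property of this shape of rule is that it keys on behaviour (no referer, off-domain bounce, executable content type) rather than on any signature of the specific exploit, which is what a targeted, low-volume attack like the one in the post is built to evade.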