Targeted Malware Attacks on the Rise Says F-Secure

By Larry Seltzer  |  Posted 2009-04-30 Print this article Print

OPINION: What does a targeted attack look like? A good one looks like the documents you read all day long.

You read a lot about "limited, targeted attacks" in news about vulnerabilities. It means that attacks using the vulnerability have been observed in the wild very, very few times, like you could count them on one hand. These are usually very high-quality attacks, not the usual garbage you pick right up on.

How good are they? Check out this blog from F-Secure to see how good. It contains screen shot examples of targeted attacks it has observed in the wild. I've seen a few over the years provided by other sources and these seem right in line with those.

They all look like respectable business documents. In many cases, they are customized to the company being targeted. Here, in a broad sense, is how they go about it: Drill through the company's Website to learn anything you can about the names of executives. Read the Wall Street Journal and other business publications and just Google around to learn more about them. Often you can find out, perhaps from case studies, what products they use. Look at their help wanted ads (not as many of those as there were a year ago, but you can find them) because these will also often list software products the company uses. Check support forums at major software company sites because that will also often divulge not just products, but versions of products that they are using.

In fact, look at the ideas above and you might get the impression that insiders, either at the company itself or at support organizations, are responsible for some of these attacks. You probably can't prove it, but it makes sense. We hear all the time about how people will sell their password for a chocolate bar; if someone offered $50 for the details of product versions in use at the company, perhaps even some innocuous business documents, I'm sure lots of people would take it. Not that there's all too much to learn; as F-Secure says, almost all of these documents are in the old Office formats (DOC, XLS, PPT) or PDF, meaning that even without checking at all your odds of a hit are very high.

Even just with some vice president names pulled off the Website and other publicly available documents you can construct documents like those in the F-Secure blog. Armed with this and a true zero-day attack and I imagine the odds that you can get someone to read the document on their business PC are high, and then you're in. But as we know, lots of companies are slow to update software, so a PDF vulnerability from a few months ago also gives you good odds of penetration. You've compromised the company inside the network. If the company gives Administrator privileges to their users, too often the case, then you have complete control over the system. You can install software, disable security software, search for the really sensitive documents, and begin to attack the other systems from the privileged comfort of your victim's PC.

What's the lesson of all this? Part of the lesson is that standard business practices are not enough and that a determined and talented attacker can get through almost any set of defenses. It's also an argument, in a way, for DLP (Data Loss Prevention), because (if it works as intended) that's one way to detect a compromised PC when they try to e-mail confidential documents out of the network.

DLP is a neat idea and I'm all for it once someone shows me that it really works, but I think the biggest lesson of this is that you need to do the things that you know you can: patch known vulnerabilities quickly, adopt newer and more secure versions of programs such as Office, and run users with least-privileged access. None of these will guarantee that targeted attacks can't get through, but they will thwart the large majority of them.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel