Targeted Trojan Attacks Causing Concern

Bill Andad writes to point out a surprise trend emerging from the Virus Bulletin Conference 2006 in Montreal this week. From the article on Daniweb: "It is the smallest of Trojan attacks that are causing the biggest headache in the world of corporate security right now. By targeting individuals within individual companies with individually constructed infected messages, the new-age industrial spy is slipping under the security radar." News.com has more in-depth coverage.
  • by chriss ( 26574 ) * <chriss@memomo.net> on Friday October 13, 2006 @08:47PM (#16432547) Homepage

    We've seen a change of purpose in virus/trojan creation over the last few years, from being a cracker or script-kiddie ego thing to being the base of obviously lucrative spam distribution via cracked machines. The malware market has become more sophisticated, e.g. today malware usually will not crash a machine or cause any noticeable problems for the user, because the prime target is to use the machine as long as possible. So malware behavior is driven by business needs.

    Now any option to make money will attract someone, in the case of illegal business often organized crime, which operates very much like any other business, just without regulation and taxes. And one thing business usually does is look for options to grow and extend into other markets.

    The spam distribution business seems just fine right now, and with more people getting online there is still some growth potential, but filters and trained users will limit that market. So if you switch from targeting the masses to individuals and specific companies you gain two things:

    1. Detection rate is much lower, since the development of anti-malware tools today only works because the cost of the development is spread over a large number of users. Unless this can be somehow automated, effective protection will become very expensive and only affordable by larger businesses or people with sensitive data like the military.
    2. The revenue per customer will increase, since industrial espionage, blackmailing, insider trading and other neat things available to those with the right data are much more profitable than a percentage in Viagra sales.

    So once again, this is not mainly a technical problem: as long as someone finds a way to make money with it, it will not go away, but only get worse. Your best option might be to make sure that your business model allows your data to simply be open, so stealing will not work. If you develop open source software, your source cannot be stolen or destroyed. But make sure you have backups of your consulting customers list on separate media.

  • by __aadkms7016 ( 29860 ) on Friday October 13, 2006 @10:17PM (#16433027)
    As a business proposition, the cost of researching a victim seems high in lots of ways -- it's not work for a dummy, it takes time, and the hits have to pay for all of the misses. At the very least, it has to use "mass customization" to succeed -- software that customizes a con to a victim in non-trivial ways. But if they go that route, it becomes easier to fight it with conventional spam and phishing tools, because software can spot the "mass" part.
  • Re:Get Ubuntu (Score:3, Interesting)

    by drsmithy ( 35869 ) <drsmithy@nOSPAm.gmail.com> on Friday October 13, 2006 @10:39PM (#16433083)

    * All Ubuntu .deb packages available by default come from known sources. Adding untrusted repositories requires root privileges and visual warnings.
    * Installing software through apt-get (or synaptic or any of the other automated software installers) requires admin privileges.

    Why do people think "requires admin privileges" is any sort of significant barrier on unmanaged, typically single-user systems?

    [...] is going to have a very hard time affecting the integrity of the system, let alone hiding from the user.

    The best place to hide is in full view. Or did you miss the whole definition and point of a 'trojan horse'?

    The default user mode is non-privileged. It's hard (though not impossible) for someone to run Ubuntu as root.

    It's trivial. Every time you go 'sudo blah', 'blah' is running as root.

  • Wait for it... (Score:5, Interesting)

    by chill ( 34294 ) on Friday October 13, 2006 @10:40PM (#16433085) Journal
    I'm waiting for Vista to be released, with the uber-secure WGA. Some nice, innocuous little virus will be written that doesn't steal files, doesn't open a backdoor, and doesn't delete anything. This virus will screw up your WGA hash, and one fine spring day a few million PCs will report that they are pirated copies and start locking people out of their own software.

    That sound you will hear is a thousand Microsoft tech-support reps all crying out at once.
  • by Anonymous Coward on Saturday October 14, 2006 @12:38AM (#16433693)
    I work in the IT Security group for a Top 10 financial institution here in the US. Most of the social engineering attacks we see are quite clumsy, make me roll my eyes when I see them, and make me groan when I hear of people actually falling for them. However, a new wave bit not only us, but at least 5 other Top 10 institutions in our field.

    The social engineering portion was an emailed message, aimed at several high-level executives and other senior technical staff by name. Messages were sent to us in perfectly grammatical, non-stilted English. The plain text message was "personalized" (no skill there, but it did add to the overall credibility). The messages came in with a reasonable subject line: "Request for Interview re: Recent Security Incidents".

    The actual email stated something to the effect that the sender was a journalist looking for comment on a newly published article in a trade magazine alleging a security breach at our institution. The "sender" invited the recipient to contact him (by telephone) to comment on the story for a follow-up. He ended the message by including the URL (but not a clickable link) to the original article making the allegations.

    Well, that did it. A number of users, wishing to read the allegations, cut and pasted the URL. As you might guess, the site itself had been hijacked, so the browser was quickly redirected to another site, which exploited the most recent unpatched IE vulnerability and infected the user's PC with a key logger. The only reason this got caught quickly was that in some cases the user's IE session crashed, giving a hint that something might have happened. The other giveaway was that in addition to the key logger, something else got loaded with more obvious side-effects.

    Of course, in retrospect it was pretty obvious, and in telling the story, it seems like S.E., but I have to admit it would have fooled me if I had been the first to receive the message. (I probably would not have been infected due to my use of low privileges, but I would have followed the URL.) It passed the sniff test: Standard American English, a reference (and URL) to a trade magazine specific to my industry and field (Banking & IT), it included a phone number (of course a fake), and it was in the exact tone you would expect from a legit journalist --- nothing loud or sensational, just a message that an allegation has been raised, would you care to respond.

    My lesson: a little more empathy for the non-professionals who get bitten by other social engineering attacks. Yes, they SHOULD know better, but if I (in all modesty) could be fooled, what chance does my unsophisticated, trusting Granny have?

  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Saturday October 14, 2006 @02:54AM (#16434207)
    With su you're required to enter the root password every time, whereas with sudo you're only required to enter the user's password, and only once for a given period of time.

    What the fuck?

    No, with "su", you're running as root until you type "exit". There is no time limit or command limit on "su".

    As such, a program that injects code into the user's shell can easily skip to root.

    What? How? Go ahead. Infect my computer. It's running Edgy so I'm sure there are lots of holes still in it.

    Go ahead. Do it.

    Oh, you can't? Well I guess that your claims aren't factual.

    I know, I've written code to do it. That's without taking advantage of any suid binaries or services running as root or kernel bugs to get root.


    Great. Then infect my machine. Go ahead.

    Writing a program such as that is not difficult. The difficult part is getting it running on my machine. Or anyone else's machine.

    Getting root from a trojan running on a user account is not hard.


    Then do it.

    I'm saying that it is hard. And with Ubuntu, it's practically impossible.

    Besides which, who gives a shit about root? A trojan doesn't need root to copy confidential data from a user's home directory.


    Don't try to sidetrack this. Your claim was that you can get root, easily. No, you cannot. Here, I'll make it as easy as you're ever going to get. My email address is linked to my 'nym. I'm running a fairly vanilla Edgy on Intel. No anti-virus at all.

    It doesn't need root to open a socket and send that information back home.


    Yes, it does.

    It doesn't need root to modify or delete important files. It doesn't need root to hijack mail programs and send emails as the targeted user. This obsession with root by people who think they understand security is troubling.


    I am in that category. You have my email address. You know the OS, mail program and hardware platform.

    If you cannot get a trojan on my machine, you cannot do what you've claimed.

    Therefore, it is you who does not understand security.

    Back to ... introduced anyways.

    Again, you cannot crack my computer. You do not know what you're talking about.

    You're absolutely right that it is easier to get a chump to run an arbitrary exe on Windows - just fake-mail them an attachment and say "this is so funny" and they'll run it. But how much harder is it to get thousands and thousands of people to run a trojan on Linux than it is on Windows?

    Well, you've claimed that it is easy.

    Your inability to prove that claim on my machine shows that it is not as easy as you would like others to believe.

    Here's a free security clue. Cracking your own machine is nothing. If the crack is not spreading faster than it is being removed, it will "die" in "the wild".
  • well, one way to look at it is in general a lot of shellcode relies on downloading/dumping an executable file somewhere and running it; this would be blocked (the new exe would drop, but you couldn't run it), even if you're able to blow up winword.exe. yeah you could cram a bunch of executable code into the document, fine, but then that code would have to modify something/overwrite a system file (which would get blocked), or write a new exe on the disk (blocked on attempted execute) if they wanted something to stay resident beyond that instance of winword.exe.

    to the pedants: fine, you might be able to contrive some Rube Goldberg-esque way to get past it, but today most companies are getting screwed by trivial vulnerabilities. put another way, if you had an adversary that had the resources ($) and motive to craft a malformed document that was customized to be able to jump through all of the hoops needed (no overwriting system files or writing new exes), they could probably just pay off the secretary or janitor and/or physically break in and steal the info they needed :)

    in general, it's very effective against the vast majority of malware that is commonly encountered.

    -d
  • They did it to Valve (Score:4, Interesting)

    by inviolet ( 797804 ) <slashdot@@@ideasmatter...org> on Saturday October 14, 2006 @03:41AM (#16434347) Journal
    It was a targeted Trojan that got into Valve and stole the source code to Half-Life 2, right off the project lead's workstation. IIRC, it arrived via a bug in Outlook's message-preview facility.
