Targeted Trojan Attacks Causing Concern
Bill Andad writes to point out a surprise trend emerging from the Virus Bulletin Conference 2006 in Montreal this week. From the article on Daniweb: "It is the smallest of Trojan attacks that are causing the biggest headache in the world of corporate security right now. By targeting individuals within individual companies with individually constructed infected messages, the new-age industrial spy is slipping under the security radar." News.com has more in-depth coverage.
The biggest danger are working business models (Score:5, Interesting)
We've seen a change of purpose in virus/trojan creation over the last few years, from being a cracker or script kiddie ego thing to being the base of obviously lucrative spam distribution via cracked machines. The malware market has become more sophisticated, e.g. today malware usually will not crash a machine or cause any noticeable problems for the user, because the prime target is to use the machine as long as possible. So malware behavior is driven by business needs.
Now any option to make money will attract someone, in the case of illegal business often organized crime, which operates very much like any other business, just without regulation and taxes. And one thing business usually does is look for options to grow and extend into other markets.
The spam distribution business seems just fine right now, and with more people getting online there is still some growth potential, but filters and trained users will limit that market. So if you switch from targeting the masses to individuals and specific companies you gain two things:
So once again, this is not mainly a technical problem: as long as someone finds a way to make money with it, it will not go away, but only get worse. Your best option might be to make sure that your business model allows your data to simply be open, so stealing will not work. If you develop open source software, your source cannot be stolen or destroyed. But make sure you have backups of your consulting customers list on separate media.
The cost of researching a victim seems high ... (Score:4, Interesting)
Re:Get Ubuntu (Score:3, Interesting)
*All Ubuntu .deb packages available by default come from known sources. Adding untrusted repositories requires root privileges and visual warnings.
* Installing software through apt-get (or synaptic or any of the other automated software installers) requires admin privileges.
Why do people think "requires admin privileges" is any sort of significant barrier on unmanaged, typically single-user systems?
[...] is going to have a very hard time affecting the integrity of the system, let alone hiding from the user.
The best place to hide is in full view. Or did you miss the whole definition and point of a 'trojan horse'?
The default user mode is non-privileged. It's hard (though not impossible) for someone to run Ubuntu as root.
It's trivial. Every time you go 'sudo blah', 'blah' is running as root.
Wait for it... (Score:5, Interesting)
That sound you will hear is a thousand Microsoft tech-support reps all crying out at once.
Recent Trojans - Very good social Engineering (Score:5, Interesting)
The social engineering portion was an emailed message, aimed at several high-level executives and other senior technical staff by name. Messages were sent to us in perfectly grammatical, non-stilted English. The plain text message was "personalized" (no skill there, but it did add to the overall credibility). The messages came in with a reasonable subject line: "Request for Interview re: Recent Security Incidents".
The actual email stated something to the effect that the sender was a journalist looking for comment on a newly published article in a trade magazine alleging a security breach at our institution. The "sender" invited the recipient to contact him (by telephone) to comment on the story for a follow-up. He ended the message by including the URL (but not a clickable link) to the original article making the allegations.
Well, that did it. A number of users, wishing to read the allegations, cut and pasted the URL. As you might guess, the site itself had been hijacked, so the browser was quickly redirected to another site, which exploited the most recent unpatched IE vulnerability and infected the user's PC with a key logger. The only reason this got caught quickly was that in some cases the user's IE session crashed, giving a hint that something might have happened. The other giveaway was that in addition to the key logger, something else got loaded with more obvious side-effects.
Of course, in retrospect it was pretty obvious, and in telling the story, it seems like S.E., but I had to admit it would have fooled me if I had been the first to receive the message. (Probably would not have been infected due to my use of low privileges, but I would have followed the URL.) It passed the sniff test: Standard American English, a reference (and URL) to a trade magazine specific to my industry and field (Banking & IT), it included a phone number (of course a fake), and was in the exact tone you would expect from a legit journalist --- nothing loud or sensational, just a message that an allegation has been raised, would you care to respond.
My lesson: a little more empathy for the non-professionals who get bitten by other social engineering attacks. Yes, they SHOULD know better, but if I (in all modesty) could be fooled, what chance does my unsophisticated, trusting Granny have?
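The chain the poster above describes (users paste the URL from the email, the hijacked site bounces them to a second domain, that domain drops a payload) is something a proxy log can surface after the fact, because the responders do hold one hard indicator: the URL quoted in the phishing mail. The following script is an added example and not code from the post or from anyone at the institution described; the log format, hosts, addresses and the `.example` domains are constructed for illustration, and the "registered domain" logic is a two-label simplification (a real deployment would use the public-suffix list). It seeds on the email URL, flags any client whose browsing hopped to a different registered domain within a short window of fetching it, and escalates when an executable is then pulled from the landing domain.

```python
"""Flag proxy-log sessions that follow an email-supplied URL off-domain.

Added example (not from the original post). Log lines, hosts and
addresses below are constructed; the format is a simplified one-request-
per-line proxy log: timestamp client status method url.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample log. Client .23 follows the chain to a payload,
# .40 stays on the trade-journal site, .60 hops off-domain but fetches
# no executable, .51 downloads an exe but never touched the email URL.
SAMPLE_LOG = """\
2006-10-12T09:14:02 10.1.5.23 302 GET http://www.tradejournal.example/articles/breach.html
2006-10-12T09:14:03 10.1.5.23 200 GET http://cdn-updates.badhost.example/x.html
2006-10-12T09:14:05 10.1.5.23 200 GET http://cdn-updates.badhost.example/svc.exe
2006-10-12T09:20:11 10.1.5.40 200 GET http://www.tradejournal.example/articles/breach.html
2006-10-12T09:20:12 10.1.5.40 200 GET http://www.tradejournal.example/css/main.css
2006-10-12T09:31:40 10.1.5.60 302 GET http://www.tradejournal.example/articles/breach.html
2006-10-12T09:31:41 10.1.5.60 200 GET http://cdn-updates.badhost.example/x.html
2006-10-12T10:02:44 10.1.5.51 200 GET http://www.vendor.example/patch.exe
"""

# The URL(s) quoted in the phishing mail; the analyst supplies these.
EMAIL_URLS = {"http://www.tradejournal.example/articles/breach.html"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+) (\S+)$")
# Crude payload heuristic; drive-by loaders often carry no extension at all.
PAYLOAD_RE = re.compile(r"\.(exe|scr|pif|cab|msi|dll)$", re.IGNORECASE)


def parse_log(text):
    """Parse the constructed format into event dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than abort
        ts, client, status, method, url = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "status": int(status),
            "method": method,
            "url": url,
            "host": urlparse(url).hostname or "",
        })
    events.sort(key=lambda e: e["ts"])
    return events


def registered_domain(host):
    """Assumption: 'registered domain' is the last two labels. Good enough
    for the sample data; real code should consult the public-suffix list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def find_redirect_chains(events, email_urls, window=timedelta(seconds=60)):
    """For each client that fetched an email URL, find the first later request
    (within `window`) to a different registered domain, then any executable
    fetched from that landing domain. One alert per seed hit, with stage
    'redirect' (hop only) or 'payload' (hop plus executable download)."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)

    alerts = []
    for client, evs in by_client.items():
        for i, seed in enumerate(evs):
            if seed["url"] not in email_urls:
                continue
            seed_dom = registered_domain(seed["host"])
            later = [f for f in evs[i + 1:] if f["ts"] - seed["ts"] <= window]
            hop = next((f for f in later
                        if registered_domain(f["host"]) != seed_dom), None)
            if hop is None:
                continue  # browsing stayed on the expected site: benign
            land_dom = registered_domain(hop["host"])
            payload = next((g for g in later
                            if registered_domain(g["host"]) == land_dom
                            and PAYLOAD_RE.search(urlparse(g["url"]).path)), None)
            alerts.append({
                "client": client,
                "seed": seed["url"],
                "landing_host": hop["host"],
                "stage": "payload" if payload else "redirect",
                "payload_url": payload["url"] if payload else None,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_redirect_chains(parse_log(SAMPLE_LOG), EMAIL_URLS):
        print(alert)
```

Run against the sample it reports two clients: 10.1.5.23 at stage `payload` with `svc.exe`, and 10.1.5.60 at stage `redirect`. The off-domain hop is used as the pivot rather than the HTTP status, because a hijacked page can redirect with a 302, a meta refresh or script, and only the first of those shows up as a 3xx in the log. The extension-based payload match is deliberately loose; in the post's scenario the infection came from an IE exploit on the landing page, so a `redirect`-stage alert is already worth a look.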
What are you talking about? (Score:3, Interesting)
What the fuck?
No, with "su", you're running as root until you type "exit". There is no time limit or command limit on "su".
What? How? Go ahead. Infect my computer. It's running Edgy so I'm sure there are lots of holes still in it.
Go ahead. Do it.
Oh, you can't? Well I guess that your claims aren't factual.
Great. Then infect my machine. Go ahead.
Writing a program such as that is not difficult. The difficult part is getting it running on my machine. Or anyone else's machine.
Then do it.
I'm saying that it is hard. And with Ubuntu, it's practically impossible.
Don't try to sidetrack this. Your claim was that you can get root, easily. No, you cannot. Here, I'll make it as easy as you're ever going to get. My email address is linked to my 'nym. I'm running a fairly vanilla Edgy on Intel. No anti-virus at all.
Yes, it does.
I am in that category. You have my email address. You know the OS, mail program and hardware platform.
If you cannot get a trojan on my machine, you cannot do what you've claimed.
Therefore, it is you who does not understand security.
Again, you cannot crack my computer. You do not know what you're talking about.
Well, you've claimed that it is easy.
Your inability to prove that claim on my machine shows that it is not as easy as you would like others to believe.
Here's a free security clue. Cracking your own machine is nothing. If the crack is not spreading faster than it is being removed, it will "die" in "the wild".
Re:The biggest danger are working business models (Score:3, Interesting)
to the pedants: fine, you might be able to contrive some rube goldbergesque way to get past it, but today most companies are getting screwed by trivial vulnerabilities. put another way, if you had an adversary that had the resources ($) and motive to craft a malformed document that was customized to be able to jump through all of the hoops needed (no overwriting system files or writing new exes), they could probably just pay off the secretary or janitor and/or physically break in and steal the info they needed
in general, it's very effective against the vast majority of malware that is commonly encountered.
-d
They did it to Valve (Score:4, Interesting)