[ISN] Laser targeting by hackers

From: InfoSec News (alerts@private)
Date: Mon May 21 2007 - 22:35:39 PDT


http://www.gcn.com/online/vol1_no1/44317-1.html

By William Jackson
05/21/07

A new batch of reports on malicious code is out, and the news just 
keeps getting worse. Hackers continue to come up with new and better 
schemes for getting past our defenses.

Internet security service provider MessageLabs uncovered some 
interesting trends in its report on online threats for March. Not only 
did the number of targeted attacks go up, but the attacks are becoming 
more narrowly targeted.

By a wide margin, the most common of the 249 low-volume, high-value 
attacks identified by the company consisted of a single e-mail sent to 
one person. Nearly one quarter of the individuals targeted were in 
government, and that sector was the most commonly targeted by these 
attacks, by a two-to-one margin. The electronics, aviation, retail, 
communications and finance sectors rounded out the top tier of targets.

The bad guys know which organizations have data worth stealing and are 
picking them out one by one, said MessageLabs senior anti-virus 
technologist Alex Shipp.

That does not mean that the more widely broadcast attacks are 
disappearing. To get their malware past antivirus engines, some hackers 
are employing what Commtouch Software calls polymorphic distribution 
patterns. That's a polysyllabic way of saying that hackers are generating 
a large number of distinct variants of a worm or virus and releasing 
them in short, intense bursts. Each variant is a sample no existing 
signature matches, so the flood raises the odds that some of them get 
past defenses before new signatures can be developed.

During the peak early in the quarter, the Storm/Nuwar malware released 
over 7,000 variants in a single day, Commtouch reported.
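The mechanics of that burst, as an added example that is not from the article or from Commtouch: a constructed XOR "packer" wraps an invariant body in a random key and random padding, so every sample hashes differently and an exact-hash blocklist written from the first sample catches only that one. A static byte signature on the body fails too, because the body is encoded on disk. A detector that emulates the decoder stub (finds the marker, reads the key, undoes the XOR) matches the invariant body in every variant. PAYLOAD, STUB_MAGIC and the stub layout are constructed stand-ins, not any real worm's format.

```python
"""Burst-released polymorphic variants versus signature matching.

Added example; not from the GCN article, Commtouch or any real malware.
PAYLOAD, the XOR packer and the STUB_MAGIC marker are constructed stand-ins
for the encoder a polymorphic worm wraps around an invariant body.
"""
import hashlib
import os
import random

# Constructed stand-in for the invariant body every variant eventually runs.
PAYLOAD = b"spawn(dropper); connect('c2.example', 6667); mail_self(addrbook)"
STUB_MAGIC = b"XORSTUB1"        # constructed marker standing in for the decoder stub
INVARIANT_SIG = b"c2.example"   # byte pattern an analyst would sign on


def make_variant(payload: bytes, rng=os.urandom) -> bytes:
    """Build one variant: random junk prefix, stub marker, 1-byte key,
    2-byte length, XOR-encoded body.  Each call yields different bytes."""
    key = rng(1)[0] % 255 + 1          # 1..255, never the identity key 0
    junk = rng(8 + rng(1)[0] % 24)     # 8..31 random bytes of padding
    body = bytes(b ^ key for b in payload)
    return junk + STUB_MAGIC + bytes([key]) + len(body).to_bytes(2, "big") + body


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_blocklist_detect(sample: bytes, blocklist: set) -> bool:
    """Exact-hash signature: only samples already seen are caught."""
    return sha256_hex(sample) in blocklist


def raw_byte_detect(sample: bytes, sig: bytes = INVARIANT_SIG) -> bool:
    """Static byte pattern over the file as shipped.  The encoded body hides
    the pattern, so this misses every variant (the key is never 0)."""
    return sig in sample


def stub_aware_detect(sample: bytes, sig: bytes = INVARIANT_SIG) -> bool:
    """Signature applied after emulating the decoder stub: locate the marker,
    read key and length, undo the XOR, then match the invariant body."""
    idx = sample.find(STUB_MAGIC)
    if idx < 0:
        return False
    pos = idx + len(STUB_MAGIC)
    if len(sample) < pos + 3:
        return False
    key = sample[pos]
    length = int.from_bytes(sample[pos + 1:pos + 3], "big")
    body = sample[pos + 3:pos + 3 + length]
    if len(body) != length:
        return False
    return sig in bytes(b ^ key for b in body)


def simulate_burst(n: int = 200, seed=None) -> dict:
    """Release n variants in one burst.  The hash blocklist knows only the
    first one, mimicking a signature written from the first sample seen."""
    rng = os.urandom if seed is None else random.Random(seed).randbytes
    variants = [make_variant(PAYLOAD, rng) for _ in range(n)]
    blocklist = {sha256_hex(variants[0])}
    return {
        "variants": n,
        "distinct_hashes": len({sha256_hex(v) for v in variants}),
        "hash_blocklist_hits": sum(hash_blocklist_detect(v, blocklist) for v in variants),
        "raw_byte_hits": sum(raw_byte_detect(v) for v in variants),
        "stub_aware_hits": sum(stub_aware_detect(v) for v in variants),
    }


if __name__ == "__main__":
    for k, v in simulate_burst(200, seed=7).items():
        print(f"{k:>20}: {v}")
```

The numbers tell the story of the paragraph above: 200 variants, 200 distinct hashes, one blocklist hit, zero raw-pattern hits, 200 hits once the stub is emulated. Real engines get the same result with generic unpacking or emulation rather than a fixed marker, and real packers vary the stub as well, which is why the stub-aware check here is a demonstration of the principle rather than a production detector.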

Instant-messaging and peer-to-peer networks also continue to be 
attractive vectors for malware. Akonix Systems reported 38 distinct new 
attacks on IM networks in April, the first monthly increase in the 
number of new IM attacks this year. Attacks on peer-to-peer networks 
such as Kazaa and eDonkey were also up, with 36 new attacks identified 
last month. Because IM and P2P often operate outside an enterprise's 
acceptable-use policy, these applications can provide undefended rogue 
connections that can be exploited by attackers.

Social engineering remains a popular tool for slipping past defenses. 
Commtouch reported subject lines on malicious e-mail such as "First 
nuclear act of terrorism!" to entice the unwitting recipient to open and 
click. If sensationalism isn't your cup of tea, there is always the more 
tender "a bouquet of love," popular around Valentine's Day. Hey, if it 
worked with the "I love you" virus, why not give it another shot?

The targeted, single-recipient e-mail is another form of social 
engineering. Although the volume of these is necessarily low, the 
rewards are potentially greater. A carefully tailored e-mail has a 
better chance of getting the intended recipient's attention, it is 
harder for filters to spot and block, and the targeted network is likely 
to contain data worth stealing.

MessageLabs also found that the favored tool for delivering the 
malicious code in targeted e-mails has shifted recently. Microsoft 
PowerPoint files were the most common vector for delivering code in 
March, edging out MS Word, with 45 percent of infected attachments being 
.ppt files. Malicious attachments with .doc files accounted for 35 
percent of the payloads, and .exe files were only 15 percent.

This spike in the use of PowerPoint could be an anomaly. It apparently 
was driven by a single gang with an IP address in Taiwan that used the 
same attack file repeatedly because it had not been identified and 
blocked by antivirus companies.
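A first-pass mail triage for the pattern described above, as an added example and not code from the article or from MessageLabs: it parses raw messages with Python's standard email library, counts recipients, and checks each attachment's extension against its leading bytes (legacy .doc/.ppt/.xls files are OLE2 compound files starting with D0 CF 11 E0 A1 B1 1A E1; a Windows executable starts with "MZ"). The agency.example home domain, the sample messages and the flagging rules are constructed assumptions. Note what the check cannot do: the Taiwan gang's attachment was a genuine PowerPoint file, so a valid OLE2 header does not clear a single-recipient external Office attachment; that case is flagged for sandboxing rather than passed.

```python
"""Triage of inbound mail for the low-volume, Office-attachment pattern.

Added example, not the article's or MessageLabs' code.  The sample
messages, the agency.example domain and the flagging rules are constructed
assumptions; this is a first-pass filter, not a substitute for detonating
the attachment in a sandbox.
"""
import email
import os
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # legacy .doc/.ppt/.xls container
MZ_MAGIC = b"MZ"                                   # DOS/PE executable header
OFFICE_EXT = {".doc", ".ppt", ".xls"}
INTERNAL_DOMAIN = "agency.example"                 # assumed home domain


def build_message(sender, to, subject, filename, content):
    """Construct a raw RFC 5322 message with one attachment (test fixture)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, to, subject
    msg.set_content("Please review the attached deck.")
    msg.add_attachment(content, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def triage(raw: bytes) -> list:
    """Return a list of findings for one raw message (empty means no flag)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    external = sender_domain != INTERNAL_DOMAIN

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        data = part.get_payload(decode=True) or b""
        if data.startswith(MZ_MAGIC):
            # Executable content regardless of what the filename claims.
            findings.append(f"{name}: executable content (MZ header)")
        if ext in OFFICE_EXT:
            if not data.startswith(OLE2_MAGIC):
                # Extension says Office document, bytes say otherwise.
                findings.append(f"{name}: {ext} extension but no OLE2 header")
            if external and len(rcpts) == 1:
                # The targeted pattern: one recipient, outside sender, Office
                # attachment.  A genuine OLE2 header does not clear it.
                findings.append(f"{name}: single-recipient external Office attachment")
    return findings


def sample_messages() -> dict:
    """Three constructed messages covering the cases the heuristic separates."""
    real_ppt = OLE2_MAGIC + b"\x00" * 64       # constructed: valid container header only
    fake_ppt = MZ_MAGIC + b"\x90\x00" * 32      # constructed: executable bytes named .ppt
    return {
        "internal_broadcast": build_message(
            f"comms@{INTERNAL_DOMAIN}", f"a@{INTERNAL_DOMAIN}, b@{INTERNAL_DOMAIN}",
            "Quarterly all-hands", "allhands.ppt", real_ppt),
        "targeted_real_ppt": build_message(
            "press@news.example", f"director@{INTERNAL_DOMAIN}",
            "First nuclear act of terrorism!", "briefing.ppt", real_ppt),
        "targeted_fake_ppt": build_message(
            "press@news.example", f"director@{INTERNAL_DOMAIN}",
            "First nuclear act of terrorism!", "briefing.ppt", fake_ppt),
    }


def run_triage() -> dict:
    """Triage every sample; returns {sample name: [findings]}."""
    return {name: triage(raw) for name, raw in sample_messages().items()}


if __name__ == "__main__":
    for name, findings in run_triage().items():
        print(name, "->", findings or "clean")
```

In a real gateway the single-recipient rule would be tuned on sender reputation and historical volume, and the flagged attachment would go to a sandbox; the magic-byte check stays useful on its own because it costs nothing and catches the crude case of an executable renamed to a document extension.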

But, anomaly or not, the increasing use of PowerPoint to deliver malware 
to government recipients could have unintended beneficial consequences. 
Just imagine the burst of productivity in government offices if agencies 
banned the use of PowerPoint. I know it is not likely to happen, but we 
can dream.





This archive was generated by hypermail 2.1.3 : Mon May 21 2007 - 22:45:28 PDT