Trend Micro Targeted Attacks

>> TREND MICRO: TARGETED ATTACKS

Copyright 2006 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. TrendLabs is a service mark of Trend Micro, Incorporated. All other company and/or product names may be trademarks or registered trademarks of their owners. Information contained in this document is subject to change without notice.

Targeted Attacks

The story of a real-life attack illustrates that it's a lot easier than most people realize for a determined attacker to wreak havoc, especially when the targeted systems aren't fully prepared.

A Special Report by Dave Chappelle for Trend Micro

A criminal or group of criminals sent an email inviting recipients to visit a Web site (Step 1). Some recipients chose to visit that Web site (Step 2). Unbeknownst to the Web site visitors, their computers were infected with downloaders (Step 3). Once the downloaders were installed, the criminals had a conduit allowing them to listen to traffic over whatever network the infected computers were connected to.

"They really don't need control of an entire network; they only need a way to gather or modify information, and it only takes one compromised computer for that to happen," said Jamz Yaneza.

"They look for spreadsheets, find a few numbers, and add a few zeroes. If this was a bank, they could go in and add a few zeros to their own account balances. With that approach, it doesn't look like the work of a criminal organization, but like that of a very bad employee."

This story actually took place. The event likely originated as an email with a link to a Web site that contained some malicious code. In one case an employee at a specific company in Malaysia visited such a Web site and clicked on a link, which triggered a downloader that dropped files on the unknowing employee's computer.

If up-to-date antivirus had been installed on the employee's computer, the downloader would likely have been detected. But that wasn't the case here. The company was using only a single product, not a security suite or appliance. There was no blocking at the gateway. There weren't multiple layers of protection, and the employee's company was now under the control of whoever owned the malicious Web site.

"The initial downloader had a random character generator," said Jamz. "Every time it went to that Web site, new parameters were used at the end of the link, so that when the parameter changed, the type of download also changed."

There was a program running on the Web site that used input supplied by the downloader to determine the type of file that would be downloaded.

"We saw downloaders, backdoors, spyware; it changed every time," said Jamz.

It was malware cloak-and-dagger; a feint within a feint within a feint. It was difficult to defeat, because every time there was a new download, there was a higher probability it wouldn't be detected: the sample was new, so no signature yet existed for it, and it was often encrypted.
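The pattern Jamz describes, one URL fetched repeatedly with a fresh random parameter and a different file coming back each time, leaves a footprint in web proxy logs even when every individual payload evades the antivirus. The following is an added example, not code from the report or from Trend Micro: it scans a constructed, simplified proxy log (the format and every line are made up for illustration) and flags a client/host/path group only when the query string never repeats, the response digest differs almost every time, and the query values look random. A cache-busting timestamp on a static script rotates its query too, but returns the same bytes each time, which is why both signals are required.

```python
"""Spot a downloader that fetches one URL with a fresh random query string and
receives a different file each time. Added example; log format and data are
constructed, not taken from the report."""
import math
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed proxy log (hypothetical simplified format, one request per line):
#   epoch  client_ip  method  url  status  content_type  bytes  response_digest_prefix
PROXY_LOG = """\
1146150001 10.0.0.12 GET http://bad.example/dl.php?q=k3Z9x2Qa 200 application/octet-stream 81920 a1f0
1146150061 10.0.0.12 GET http://bad.example/dl.php?q=P0mV7wRt 200 application/octet-stream 90112 b2e1
1146150121 10.0.0.12 GET http://bad.example/dl.php?q=yT5cL8Nn 200 text/html 77824 c3d2
1146150181 10.0.0.12 GET http://bad.example/dl.php?q=Qw2eR4tY 200 image/gif 86016 d4c3
1146150003 10.0.0.12 GET http://news.example/index.html?ref=home 200 text/html 20480 e5b4
1146150063 10.0.0.12 GET http://news.example/index.html?ref=home 200 text/html 20480 e5b4
1146150123 10.0.0.12 GET http://news.example/index.html?ref=home 200 text/html 20511 e6b5
1146150005 10.0.0.12 GET http://cdn.example/lib.js?_=1146150005 200 application/javascript 4096 f7a6
1146150065 10.0.0.12 GET http://cdn.example/lib.js?_=1146150065 200 application/javascript 4096 f7a6
1146150125 10.0.0.12 GET http://cdn.example/lib.js?_=1146150125 200 application/javascript 4096 f7a6
"""


def shannon_entropy(s: str) -> float:
    """Bits per character: 3.0 for eight distinct characters, lower for repetitive text."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_log(text: str):
    """Yield one dict per log line, splitting the URL into host, path and query."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, ctype, size, digest = line.split()
        u = urlsplit(url)
        yield {"ts": int(ts), "client": client, "host": u.hostname, "path": u.path,
               "query": u.query, "status": status, "ctype": ctype,
               "size": int(size), "digest": digest}


def detect_rotating_downloads(text: str, min_requests: int = 3,
                              min_entropy: float = 2.5,
                              min_payload_ratio: float = 0.75):
    """Return sorted (client, host, path) tuples where every request carried a
    never-repeated query, the responses differed almost every time, and the
    query values have the entropy of random characters."""
    groups = defaultdict(list)
    for rec in parse_log(text):
        groups[(rec["client"], rec["host"], rec["path"])].append(rec)

    alerts = []
    for key, recs in groups.items():
        if len(recs) < min_requests:
            continue
        queries = [r["query"] for r in recs]
        values = [q.split("=", 1)[-1] for q in queries]      # text after the first '='
        query_ratio = len(set(queries)) / len(recs)          # 1.0 => never repeated
        payload_ratio = len({r["digest"] for r in recs}) / len(recs)
        mean_entropy = sum(map(shannon_entropy, values)) / len(values)
        if (query_ratio == 1.0 and payload_ratio >= min_payload_ratio
                and mean_entropy >= min_entropy):
            alerts.append(key)
    return sorted(alerts)


if __name__ == "__main__":
    for client, host, path in detect_rotating_downloads(PROXY_LOG):
        print(f"rotating-parameter downloader: {client} -> http://{host}{path}")
```

Only the bad.example group is reported: the news site repeats its query, and the CDN script rotates its query but always returns the same digest. The thresholds are starting points for a real log volume; the digest column assumes the proxy records a hash of each response body, which not every proxy does by default.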



Standard threats of this type can be prevented by scanning the content of HTTP traffic on port 80, the port your browser uses. A firewall alone wouldn't have stopped this attack: firewalls are usually configured to let browsers reach web pages, and a port-based rule sees only the port, not the file carried over it.
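To make the difference between the two controls concrete, here is an added example (not code from the report or from any Trend Micro product) that puts a port-based firewall decision next to a content-based one. The gateway scanner parses a raw HTTP response, ignores the Content-Type header the server chose to send, and blocks when the body starts with the magic bytes of an executable or archive. The responses are constructed inline; the fake "executable" is just an MZ header followed by padding.

```python
"""Port-based firewall rule versus content inspection of an HTTP response on port 80.
Added example; the responses below are constructed, not captured traffic."""

# File signatures a gateway scanner stops regardless of the declared Content-Type.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP archive (may carry an executable)",
}

# Constructed samples: a PE image served as text/html, and a genuine HTML page.
FAKE_EXE_AS_HTML = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\nContent-Length: 64\r\n\r\n"
                    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56)
REAL_HTML = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
             b"<html><body>hello</body></html>")


def port_filter_allows(dst_port: int, allowed=(80, 443)) -> bool:
    """What a packet filter decides: it sees the destination port and nothing else."""
    return dst_port in allowed


def split_http_response(raw: bytes):
    """Return (status_line, headers_dict, body) from a raw HTTP/1.x response."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip().decode("latin-1")
    return lines[0], headers, body


def classify_body(body: bytes):
    """Name the executable type by leading magic bytes, or None if none match."""
    for magic, name in EXECUTABLE_MAGIC.items():
        if body.startswith(magic):
            return name
    return None


def gateway_verdict(dst_port: int, raw: bytes):
    """Combine both controls; return ('allow'|'block', reason)."""
    if not port_filter_allows(dst_port):
        return ("block", f"port {dst_port} not permitted")
    _status, headers, body = split_http_response(raw)
    declared = headers.get("content-type", "unknown")
    kind = classify_body(body)
    if kind:
        return ("block", f"{kind} served as {declared}")
    return ("allow", f"{declared}, no executable signature in body")


if __name__ == "__main__":
    for label, raw in (("fake exe", FAKE_EXE_AS_HTML), ("real html", REAL_HTML)):
        print(label, "port filter:", port_filter_allows(80), "| gateway:", gateway_verdict(80, raw))
```

The port filter says "allow" for both responses because both travel over port 80; only the content check distinguishes them, and it does so by looking at the bytes rather than trusting the header or the URL, which is what defeats a server that changes the file type on every request. A production scanner also has to undo chunked and gzip transfer encodings before looking at the body, and an encrypted or packed payload still needs a second layer (such as an antivirus engine or sandbox) behind this check.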

"It's difficult for e-commerce to block web access, because everybody needs to surf," said Yaneza.

While the victims in Malaysia viewed this as a targeted attack, it wasn't. A few unprotected organizations in other countries also experienced the same attack.

A targeted attack depends on neither the size nor the number of potential victims. A worm such as Blaster was a targeted attack in that it flooded Microsoft's Windows Update site (windowsupdate.com) with traffic. But Blaster brought no financial gain.

When an attack is targeted at a certain audience, the scope can be huge or small, depending on the number of potential victims. Aiming a threat at Citibank, Amazon, or PayPal customers would provide a very big group of potential victims. But if it were a local bank, say Rural Bank of Whatever County, it would only be a few hundred people.

The number of successful compromises grows with the size of the company or industry being targeted: if more people are targeted, it's likely that more of them will be tempted to open an email or click on a link.

The components of a targeted attack are not limited to any single technique. A targeted attack can gather passwords. It can be done once, by moving huge sums to an offshore bank account, or slowly, in small amounts. SoBig came in as a worm and dropped a backdoor that terminated itself after a few days. That is an example of malware with a timed limitation on its activity.

An attacker must determine the goal of an attack before launching it: target acquisition (Step 3); data transmission or modification (Step 4); and entrenchment or self-termination (Step 5).

How long will the attack go on? Is the desired result a regular income stream or a lump sum? After the goal has been achieved, the attacker's exit strategy can be to delete the payload and disappear.

To protect yourself from targeted and broad-based attacks, ensure your security software is up to date. If you manage a network, be sure to have a solution in place that blocks malware at the Internet gateway. And don't rely strictly on technology to keep your system safe. Delete emails from strangers and don't click on unfamiliar links sent by people you don't know.

About Trend Micro Incorporated

Trend Micro Incorporated is a pioneer in secure content and threat management. Founded in 1988, Trend Micro provides individuals and organizations of all sizes with award-winning security software, hardware and services. With headquarters in Tokyo and operations in more than 30 countries, Trend Micro solutions are sold through corporate and value-added resellers and service providers worldwide. For additional information and evaluation copies of Trend Micro products and services, visit our Web site at www.trendmicro.com.