Targeted trojans proliferating

Mark Sunner, chief security analyst, MessageLabs --
As categories of malware go, targeted trojans occupy the sharp end of malicious activity.

The mainstream viruses we read about in the security press have no particular target in mind; they are aimed at a blanket audience. Lurking behind the scenes, however, are the targeted trojans, which victimize a specific company or perhaps even a specific individual. Because their numbers are comparatively small, they tend to go largely unnoticed, but all the indications are that activity in this area is flourishing. Something that once affected only prominent blue-chip companies is now moving into the mainstream, yet many of us do not even realize that such threats exist.

At the end of 2005, Alex Shipp, MessageLabs senior anti-virus technologist, and his team of anti-virus researchers made a startling discovery following up a hunch that targeted trojan activity was actually far more common than was popularly believed or previously reported.

Sifting through the rafts of interception log data was a daunting task, but as November 2005 came to a close it began to look as though this perseverance was about to pay off. Blocking targeted malware was not the hard part; figuring out that it existed at all was very difficult indeed.

Central to the challenge was the signal-to-noise ratio. The background noise created by the millions of other volume threats was very difficult to tune out to get a clear picture of what was really going on. What Alex and his team found was both fascinating and worrying:

For almost every week of 2005 up to that point, one or two targeted trojans had indeed been intercepted by MessageLabs anti-virus technology. In every instance, the targeted trojans were emanating from the same geographic source and heading toward the same target. What was most troubling was the high level of technical sophistication combined with advanced social engineering tactics. Clearly somebody, somewhere really wanted in.

Now that Shipp and his team had devised a way of finding the “needle in a haystack,” monitoring the phenomenon became a core part of MessageLabs' overall threat detection. By 2006, MessageLabs had honed its ability to monitor the faint signal of targeted interceptions, turned it into a routine task, and was intercepting targeted attacks at an average of one per day, with varying geographic sources and destinations and across industry sectors. The threat was growing rapidly in volume, in the number of sources and in the range of targets.
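To make the “signal-to-noise” idea concrete, here is an added example that is not MessageLabs code and does not describe their actual method. It is a small Python triage over constructed email-gateway interception records: it first discards any attachment hash seen at many organisations (volume malware, the background noise) and then looks for sender-country/recipient-organisation pairs that recur week after week in ones and twos, which is the pattern the article describes. The record fields, the thresholds and the sample log contents are all assumptions made for illustration.

```python
"""Toy triage separating low-volume, repeatedly aimed interceptions
from mass malware. Added example; field names, thresholds and the
sample log below are constructed, not real MessageLabs data."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Interception:
    week: int          # week number in which the attachment was blocked
    source_cc: str     # country of the sending IP (assumed field)
    target_org: str    # recipient's organisation (assumed field)
    sample_sha1: str   # hash of the blocked attachment (assumed field)


def volume_hashes(records, min_orgs=10):
    """Hashes seen at min_orgs or more distinct organisations.

    A sample that lands at many unrelated organisations is a volume
    threat (worm, mass-mailed bot dropper), i.e. the noise to tune out.
    """
    orgs_by_hash = defaultdict(set)
    for r in records:
        orgs_by_hash[r.sample_sha1].add(r.target_org)
    return {h for h, orgs in orgs_by_hash.items() if len(orgs) >= min_orgs}


def targeted_candidates(records, max_per_week=3, min_weeks=3, min_orgs=10):
    """Return {(source_cc, target_org): {week: copies}} for pairs that
    look targeted: the volume hashes are removed first, then a pair
    qualifies when it recurs in at least min_weeks distinct weeks and
    never exceeds max_per_week copies in any one of them."""
    noise = volume_hashes(records, min_orgs)
    weekly = defaultdict(Counter)  # (source, target) -> Counter(week -> copies)
    for r in records:
        if r.sample_sha1 in noise:
            continue
        weekly[(r.source_cc, r.target_org)][r.week] += 1
    candidates = {}
    for pair, counts in weekly.items():
        if len(counts) >= min_weeks and max(counts.values()) <= max_per_week:
            candidates[pair] = dict(sorted(counts.items()))
    return candidates


def build_sample_log():
    """Constructed interception log mixing four kinds of traffic."""
    log = []
    # (1) mass-mailing worm: one hash at twelve organisations in one week
    for i in range(12):
        log.append(Interception(1, "BR", f"org{i:02d}", "a" * 40))
    # (2) targeted series: one or two fresh documents every week,
    #     always from the same country to the same organisation
    for week in range(1, 6):
        for n in range(1 + week % 2):
            sample = f"doc{week}{n}".ljust(40, "0")
            log.append(Interception(week, "CN", "AcmeDefence", sample))
    # (3) a one-off from a different source: too little recurrence
    log.append(Interception(2, "US", "AcmeDefence", "b" * 40))
    # (4) a burst of twenty copies in a single week: too loud, too brief
    for _ in range(20):
        log.append(Interception(3, "RU", "BankCo", "c" * 40))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("volume hashes:", volume_hashes(log))
    for pair, counts in targeted_candidates(log).items():
        print("targeted candidate:", pair, counts)
```

On the constructed log only the CN-to-AcmeDefence series survives both filters; the worm is dropped as noise, the single US-sourced email never recurs, and the twenty-copy burst fails the per-week ceiling. Real triage would add the recipient-name and job-title personalisation described later in the article as further evidence, and would tune the thresholds against the gateway's actual traffic.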

By early 2007, MessageLabs routinely intercepted approximately 10 targeted trojans each day. The threat profile was mixed, but China was the most common source and large blue-chip companies a popular destination. While the problem was worrying, it seemed to be under control; few could have predicted what happened next.

On June 26, 2007, at approximately 11 a.m. EST, MessageLabs intercepted a run of 514 targeted trojans over a two-hour period. Each email addressed the recipient by full name and job title and carried a Word document attachment, purporting to be either a customer complaint or a corporate financial penalty relevant to the business in which the recipient was involved. The trojan was embedded inside the Word document and was capable of giving the attacker remote access to the victim's PC.

Overall, these trojans were similar to all previous interceptions, but the sheer volume was something that had never happened before. Instead of targeting a specific industry sector, these attacks targeted specific job titles, namely C-level executives such as CFOs, CTOs and CEOs, who would likely have access from their laptops to proprietary corporate information.

This first blast of targeted attacks was followed by a second blast of 1,100 targeted trojans in September 2007 and a third of 900 in November 2007. A more recent blast of 900 trojans in February 2008 arrived with a twist: the emails contained hyperlinks instead of an attachment. The links were self-contained search requests against the Better Business Bureau's (BBB) genuine website which, when followed, located a BBB affiliate. It was the affiliate site that had actually been compromised: it housed a redirect to a third site where the new trojan was planted, disguised as an Adobe Acrobat update.

While all MessageLabs customers have been fully protected through every targeted attack run, it is becoming increasingly important that organizations understand the potential harm that can be done, given this sharp increase in difficult-to-detect activity. Botnets, spam, phishing and spyware are high-volume attacks that blend into the background of the security radar. Targeted attacks are stealthy and are beginning to make their mark on business. MessageLabs predicts there will be another large run before the end of March.
