It is well known that when a new class of virus appears
there is a time gap between it being planted, discovered and
protection becoming available.
But now we are seeing viruses that may never be detected. Even
worse, the malware is not designed to disrupt the system it is
planted on but to bleed out information.
Mikko Hyppönen, chief research officer at security firm
F-Secure, sees it as part of a move away from amateur hackers to a
cooler, more cynical phase in the development of malware. Over the
past six months he has worked on eight cases where professional
attacks have been targeted at specific companies.
“These hackers work professionally and have obviously done their
research before starting the attacks,” he says.
“They send the malware as an attachment in an e-mail spoofed to
look like an internal e-mail coming from a real colleague with an
address that actually exists within the company. The e-mail message
is even written in the local language, and the attachment, which is
actually malware, is disguised as something innocent, like a Word
document. When opened, it even looks like an internal document with
company headers and footers.”
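The disguise Hyppönen describes, an executable wearing a Word document's name, is cheap to catch at the mail gateway because a file's first bytes say what it really is. The following Python sketch is an added illustration, not code from the article or from F-Secure: it compares an attachment's declared extension against the container format its magic bytes reveal, and also flags the "minutes.doc.exe" double-extension trick. The file signatures are the documented ones; the sample attachments are constructed.

```python
"""Check that an e-mail attachment's content matches what its name claims.

Added example (not from the article). The magic-byte signatures are the
standard, documented file headers; the sample attachments are constructed.
"""
from dataclasses import dataclass, field

# First bytes of common container formats.
MAGIC = [
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "ole2"),  # legacy .doc/.xls/.ppt (OLE2 compound file)
    (b"PK\x03\x04", "zip"),                          # .docx/.xlsx/.pptx and plain .zip
    (b"MZ", "pe"),                                   # Windows executable (.exe/.dll/.scr)
    (b"%PDF", "pdf"),
    (b"{\\rtf", "rtf"),
]

# Container a given extension should be backed by.
EXPECTED = {
    "doc": {"ole2", "rtf"}, "xls": {"ole2"}, "ppt": {"ole2"},
    "docx": {"zip"}, "xlsx": {"zip"}, "pptx": {"zip"}, "zip": {"zip"},
    "pdf": {"pdf"}, "rtf": {"rtf"},
    "exe": {"pe"}, "scr": {"pe"}, "dll": {"pe"},
}
EXECUTABLE_EXTS = {"exe", "scr", "dll", "com", "pif", "bat", "cmd", "vbs", "js"}


@dataclass
class Verdict:
    filename: str
    declared: str            # extension the recipient sees
    detected: str            # format the bytes actually are
    reasons: list = field(default_factory=list)  # empty list means nothing suspicious


def detect_format(data: bytes) -> str:
    """Return the container format implied by the leading bytes, or 'unknown'."""
    for signature, name in MAGIC:
        if data.startswith(signature):
            return name
    return "unknown"


def check_attachment(filename: str, data: bytes) -> Verdict:
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    detected = detect_format(data)
    verdict = Verdict(filename, ext, detected)

    if ext in EXECUTABLE_EXTS:
        verdict.reasons.append("executable attachment")
        if len(parts) > 2:                      # e.g. minutes.doc.exe
            verdict.reasons.append("double extension hides executable")
    expected = EXPECTED.get(ext)
    if expected and detected not in expected:   # name says document, bytes say otherwise
        verdict.reasons.append(f"content is {detected}, not {ext}")
    if detected == "pe" and ext not in EXECUTABLE_EXTS:
        verdict.reasons.append("executable disguised as document")
    return verdict


def is_suspicious(filename: str, data: bytes) -> bool:
    return bool(check_attachment(filename, data).reasons)


# Constructed attachments: header bytes followed by padding.
SAMPLES = {
    "Q3_budget.doc": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 16,   # genuine legacy Word file
    "Q3_budget.docx": b"PK\x03\x04" + b"\x00" * 16,                          # genuine OOXML file
    "internal_memo.doc": b"MZ\x90\x00" + b"\x00" * 16,                       # PE bytes behind a .doc name
    "minutes.doc.exe": b"MZ\x90\x00" + b"\x00" * 16,                         # double extension
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        v = check_attachment(name, data)
        print(f"{name:20} declared={v.declared:5} detected={v.detected:7} {v.reasons or 'ok'}")
```

A real gateway would go further (opening the container to look for macros, checking the sender's path through the mail relays), but even this check stops the plainest form of the attack, and it costs nothing to run on every message.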
Hyppönen says such attacks could not easily be pulled off by a
teenage hacker. “It is much more professional. These guys know
exactly what they are up against. They know beforehand what kinds
of protection are in place and which anti-virus is being used.
Before the attack, they even check if the anti-virus will be able
to stop the malware they are using. If it is detected, they will
keep modifying until they succeed.”
These stealth attacks are extremely difficult to discover and
the extent of their use is hard to ascertain as only a few cases
have been disclosed.
In June 2005, the UK’s National Infrastructure Security
Co-ordination Centre (NISCC) issued a warning that the critical
national infrastructure was being hit by targeted attacks. Security
firm Symantec reported similar attacks against US government
departments.
Once installed on a user’s machine, Trojans can obtain
passwords, scan networks, illegally export information and launch
further attacks. The NISCC warned that anti-virus software and
firewalls did not give complete protection, as Trojans could
communicate with the attackers over the ports used by common
protocols (HTTP, DNS, SSL), which firewalls must leave open, and
could be modified to avoid detection.
One of the reasons there is no real protection is the way
viruses are found. Virus researchers use several methods to
collect malware, including honeypots to attract malicious e-mails
and samples provided by victims of an attack.
The basic flaw is that the further out a sample lies on the long
tail of distribution, the less likely it is that anti-virus firms
will ever see it and provide protection. Targeted e-mails may be
sent to only one person, or a score at most, so they lie at the
thin end of the tail. And because they are carefully designed to
avoid detection by even the most sophisticated heuristic analysis
engines, they remain undiscovered for long periods of time. Like
designer clothes, designer Trojans are produced in limited numbers,
go out of fashion quickly and, to the targeted company, prove very
costly.
The attacks are often fine-tuned to target specific job roles,
such as directors, or desktops running particular applications. One
attack on an aerospace company hit only workstations running
computer aided design software.
The new threats are believed to stem from the confluence of hacker
and criminal organisations, although in one case in Israel it was
proved to be one company trying to steal information from
rivals.
David Emm, senior technology consultant at Kaspersky Labs, says
the subtlety of the attacks requires a stronger defence and a
review of disclosure practices. “A security agency working with the
police on the Israeli case asked them not to pass the code on but,
once the investigation was over, the code was published. If the
code breaks new ground in the method it uses, the last thing we
want to be doing is giving other people further ideas.”
Bruce Schneier, founder and CTO of Counterpane Internet
Security, addressed the subject of the new-style hacker at the Hack
In The Box Security conference in Malaysia recently. He said that
hacking now posed an even greater threat to business because
whereas the hobbyist is interested in street cred, the criminal
wants a financial result.
Schneier said the answer was to look at the problem from a
different angle. “The security industry must look beyond purely
technical measures. Look for the economic levers. If you get the
economic levers right, the technology will work. If you get the
economics wrong, the technology will never work.”
His view is echoed by David Lacey, former chief security officer
at Royal Mail and founder member of security user group the Jericho
Forum. “The tools we have are crude but improving and the best
defence against targeted attacks is to take a more behavioural
approach,” he says. “Recipients cannot rely on content being benign
and should treat all attachments with suspicion, but the real move
is away from recognised signatures to watching for the
exploitational potential.”
This change in thinking, and the difficulty of protecting against
Trojan horses in e-mails, is making the behavioural defence more
attractive. Rather than concentrating on stopping incoming threats,
companies look at what is happening on their networks and try to
discover anomalies in behaviour: high levels of e-mail activity,
large movements of data, and packet inspection to see if data is
being bled out in small, regular transfers to unrecognised IP
addresses.
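The NISCC warning earlier in the piece (Trojans talking out over HTTP, DNS and SSL ports the firewall must leave open) and the behavioural approach described here meet in one place: the network flow records. The following Python sketch is an added illustration, not code from the article or from any of the firms quoted. It groups constructed flow records by source, destination and port, ignores destinations the organisation already knows, and raises two kinds of alert: a clockwork trickle of small transfers to an unknown address (a beacon, measured as low variation in the gaps between connections) and a single bulk move of data. The known-destination list, thresholds and flow records are all assumptions made for the example.

```python
"""Flag hosts bleeding data to unrecognised addresses over firewall-friendly ports.

Added example (not from the article). Flow records are constructed; the
allowlist and thresholds are illustrative assumptions, not recommended values.
"""
from collections import defaultdict
from statistics import mean, pstdev

# A flow record: (seconds since start of capture, source host, destination IP, destination port, bytes out)
# Destinations the organisation already knows (assumed: proxy and mail relay, on TEST-NET addresses).
KNOWN_DESTINATIONS = {"203.0.113.10", "203.0.113.20"}
# Ports that any perimeter firewall must allow out, hence the Trojan's channel of choice.
COMMON_PORTS = {53, 80, 443}


def group_by_channel(flows):
    """Group flows by (src, dst, port); return time-ordered timestamps and byte counts per channel."""
    channels = defaultdict(lambda: ([], []))
    for ts, src, dst, port, nbytes in sorted(flows):
        channels[(src, dst, port)][0].append(ts)
        channels[(src, dst, port)][1].append(nbytes)
    return channels


def beacon_score(timestamps):
    """Coefficient of variation of inter-arrival gaps; near 0 means the connections are on a timer."""
    if len(timestamps) < 4:
        return None                      # too few connections to judge regularity
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    avg_gap = mean(gaps)
    return pstdev(gaps) / avg_gap if avg_gap else None


def find_exfil_channels(flows, min_flows=4, max_cv=0.2, max_avg_bytes=2048, bulk_bytes=10_000_000):
    """Return alerts for unknown destinations reached over common ports, by beaconing or bulk transfer."""
    alerts = []
    for (src, dst, port), (ts, sizes) in group_by_channel(flows).items():
        if dst in KNOWN_DESTINATIONS or port not in COMMON_PORTS:
            continue
        total = sum(sizes)
        if total >= bulk_bytes:          # one large movement of data
            alerts.append({"kind": "bulk", "src": src, "dst": dst, "port": port,
                           "flows": len(ts), "total_bytes": total})
            continue
        cv = beacon_score(ts)
        if len(ts) >= min_flows and cv is not None and cv <= max_cv and mean(sizes) <= max_avg_bytes:
            alerts.append({"kind": "beacon", "src": src, "dst": dst, "port": port,
                           "flows": len(ts), "cv": round(cv, 3), "total_bytes": total})
    return alerts


# Constructed flow records (relative seconds).
SAMPLE_FLOWS = [
    # CAD workstation phoning home over 443 every five minutes with a few hundred bytes.
    (0, "ws-cad-07", "198.51.100.45", 443, 880), (300, "ws-cad-07", "198.51.100.45", 443, 912),
    (602, "ws-cad-07", "198.51.100.45", 443, 904), (901, "ws-cad-07", "198.51.100.45", 443, 896),
    (1199, "ws-cad-07", "198.51.100.45", 443, 920), (1500, "ws-cad-07", "198.51.100.45", 443, 888),
    # Same workstation talking to the known proxy: ignored regardless of pattern.
    (10, "ws-cad-07", "203.0.113.10", 80, 4000), (310, "ws-cad-07", "203.0.113.10", 80, 3900),
    (610, "ws-cad-07", "203.0.113.10", 80, 4100), (910, "ws-cad-07", "203.0.113.10", 80, 4050),
    # Human browsing: irregular timing, should not alert.
    (0, "ws-fin-02", "198.51.100.77", 80, 2000), (17, "ws-fin-02", "198.51.100.77", 80, 15000),
    (250, "ws-fin-02", "198.51.100.77", 80, 8000), (1300, "ws-fin-02", "198.51.100.77", 80, 3000),
    (1330, "ws-fin-02", "198.51.100.77", 80, 12000),
    # One 52 MB upload to an address nobody recognises.
    (700, "ws-fin-02", "198.51.100.90", 443, 52_000_000),
    # DNS channel: tiny queries to an unknown resolver every minute.
    (0, "ws-hr-03", "198.51.100.53", 53, 120), (60, "ws-hr-03", "198.51.100.53", 53, 118),
    (120, "ws-hr-03", "198.51.100.53", 53, 121), (180, "ws-hr-03", "198.51.100.53", 53, 119),
    (240, "ws-hr-03", "198.51.100.53", 53, 122),
]

if __name__ == "__main__":
    for alert in find_exfil_channels(SAMPLE_FLOWS):
        print(alert)
```

The point of the two detectors is that neither needs a signature: the beacon test would still fire on a Trojan recompiled to dodge every anti-virus engine, because the timer in its code has not changed. The known-destination list does the real work of keeping the alert volume down, so keeping it current matters more than tuning the thresholds.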
Analyst firm Gartner has been looking at the methods used by
host-based intrusion prevention systems. These range from system
lockdowns to traditional firewall and anti-virus protection
systems.
Jay Heiser, research vice-president at Gartner, says, “Security
is still down to good hygiene and carefully managed information
security that is effective against entire classes of threats.
Various forms of host attack prevention systems still have a lot of
potential for protecting code that is not addressed by anti-virus
software. But the main message remains: if you don’t recognise it,
don’t let it run.”
Heiser says the right balance will vary from company to company.
“Multiple methods of host protection used simultaneously work best.
The challenge will be to find the sweet spot by getting the tuning
right, so we can do our work at an optimum level with minimum
risk.”
The array of defence tools is expanding. Proactive systems such
as application throttling offer promise but minimise rather than
prevent leaks. They can also slow down the network in areas where a
suspect application is found. These systems were developed in a
world free from targeted attacks, where the scattergun
inconvenience of malevolent applications often meant that critical
systems were not affected.
Group IT manager Paul Brown is responsible for security at
recruitment firm Reed Health, which holds private data on job
seekers and employers. He uses a Network Box security appliance
that incorporates firewall, intrusion detection and prevention,
anti-virus, anti-spam, virtual private networking and content
filtering.
“You cannot just rely on a firewall to say that one incoming
message is dangerous but another is a straight text file so that is
OK,” he explains. “You have got to have multiple levels of checking
anything that comes in and be absolutely up to date with your
anti-virus and patching.”
Today, a Trojan worth throttling is likely to sit on a
mission-critical system, and slowing that system down will slow the
company down. Although throttling software may be useful in some
areas, it will not be in others. It is a case of finding the right
course for the right horse.
Graham Titterington, principal analyst at Ovum, says, “The
methods of protection that we have put in place over the past 10
years or so are perhaps reaching the end of their useful life. They
do not protect you against all the nasties out there.”
He expects suppliers eventually to develop strategies to tackle
new phenomena such as targeted threats. “Eventually, today’s
malware protection products will be superseded by stronger
solutions tied more tightly into the operating system,” he
says.
www.niscc.gov.uk/niscc/docs/ttea.pdf
Comment on this article:
computer.weekly@rbi.co.uk