It is well known that when a new class of virus appears there is a time gap between the virus being planted, its discovery, and protection becoming available.
But now we are seeing viruses that may never be detected. Even worse, the malware is not designed to disrupt the system it is planted on but to bleed out information.
Mikko Hyppönen, chief research officer at security firm F-Secure, sees it as part of a move away from amateur hackers to a cooler, more cynical phase in the development of malware. Over the past six months he has worked on eight cases where professional attacks have been targeted at specific companies.
“These hackers work professionally and have obviously done their research before starting the attacks,” he says.
“They send the malware as an attachment in an e-mail spoofed to look like an internal e-mail coming from a real colleague with an address that actually exists within the company. The e-mail message is even written in the local language, and the attachment, which is actually malware, is disguised as something innocent, like a Word document. When opened, it even looks like an internal document with company headers and footers.”
Hyppönen says such attacks could not easily be pulled off by a teenage hacker. “It is much more professional. These guys know exactly what they are up against. They know beforehand what kinds of protection are in place and which anti-virus is being used. Before the attack, they even check if the anti-virus will be able to stop the malware they are using. If it is detected, they will keep modifying until they succeed.”
These stealth attacks are extremely difficult to discover and the extent of their use is hard to ascertain as only a few cases have been disclosed.
In June 2005, the UK’s National Infrastructure Security Co-ordination Centre (NISCC) issued a warning that the critical national infrastructure was being hit by targeted attacks. Security firm Symantec reported similar attacks against US government departments.
Once installed on a user’s machine, Trojans can obtain passwords, scan networks, illegally export information and launch further attacks. The NISCC warned that anti-virus software and firewalls did not give complete protection as Trojans could communicate with the attackers using common ports (HTTP, DNS, SSL) and could be modified to avoid detection.
One reason there is no real protection is the way viruses are found. Virus researchers use several methods to collect malware, including honeypots to attract malicious e-mails and samples provided by victims of an attack.
The basic flaw is that the further out a piece of malware sits along the long tail of distribution, the less likely it is that anti-virus firms will provide protection. Targeted e-mails may be sent to only one person, or a score at most, so they lie at the thin end of the tail. And because they are carefully designed to avoid detection by even the most sophisticated heuristic analysis engines, they remain undiscovered for long periods of time. Like designer clothes, designer Trojans are produced in limited numbers, go out of fashion quickly and, to the targeted company, prove very costly.
The attacks are often fine-tuned to target specific job roles, such as directors, or desktops running particular applications. One attack on an aerospace company hit only workstations running computer aided design software.
The new threats are believed to stem from the confluence of hacker and criminal organisations, although in one case in Israel it was proved to be one company trying to steal information from rivals.
David Emm, senior technology consultant at Kaspersky Labs, says the subtlety of the attacks requires a stronger defence and a review of disclosure practices. “A security agency working with the police on the Israeli case asked them not to pass the code on but, once the investigation was over, the code was published. If the code breaks new ground in the method it uses, the last thing we want to be doing is giving other people further ideas.”
Bruce Schneier, founder and CTO of Counterpane Internet Security, addressed the subject of the new-style hacker at the Hack In The Box Security conference in Malaysia recently. He said that hacking now posed an even greater threat to business because whereas the hobbyist is interested in street cred, the criminal wants a financial result.
Schneier said the answer was to look at the problem from a different angle. “The security industry must look beyond purely technical measures. Look for the economic levers. If you get the economic levers right, the technology will work. If you get the economics wrong, the technology will never work.”
His view is echoed by David Lacey, former chief security officer at Royal Mail and founder member of security user group the Jericho Forum. “The tools we have are crude but improving and the best defence against targeted attacks is to take a more behavioural approach,” he says. “Recipients cannot rely on content being benign and should treat all attachments with suspicion, but the real move is away from recognised signatures to watching for the exploitational potential.”
This change in thinking and the difficulty of protecting against Trojan horses in e-mails is making the behavioural defence more attractive. Rather than concentrating on stopping incoming threats, companies look at what is happening on their networks and try to discover anomalies in behaviour – high levels of e-mail activity, large movements of data, and packet inspection to see if data is being bled in small broadcasts to unrecognised IP addresses.
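The behavioural checks described above, as an added example that is not part of the original article: a small Python script over constructed outbound flow records (timestamp, host, destination IP, port, bytes) that flags traffic to IP addresses outside a company allowlist when it looks either like a regular low-volume beacon on a common port or like a bulk movement of data. The host names, IP addresses, allowlist and thresholds are all constructed assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample flow records: (epoch seconds, source host, destination IP, dest port, bytes out)
FLOWS = [
    (0,    "ws-cad-07", "203.0.113.9",   443, 410),
    (600,  "ws-cad-07", "203.0.113.9",   443, 395),
    (1200, "ws-cad-07", "203.0.113.9",   443, 420),
    (1800, "ws-cad-07", "203.0.113.9",   443, 402),
    (2400, "ws-cad-07", "203.0.113.9",   443, 415),
    (30,   "ws-cad-07", "198.51.100.20", 443, 52000),   # recognised corporate web proxy
    (75,   "ws-fin-02", "198.51.100.20", 443, 14000),
    (900,  "ws-fin-02", "203.0.113.44",  80,  980000),  # one large upload to an unknown host
    (100,  "ws-fin-02", "198.51.100.20", 443, 300),
]

# Destinations the company recognises (constructed: proxy and mail gateway addresses)
KNOWN_DESTINATIONS = {"198.51.100.20", "198.51.100.21"}

def find_suspicious_flows(flows, known, min_beacons=4, max_beacon_bytes=2000,
                          max_jitter=0.2, bulk_bytes=500_000):
    """Return (host, dst, reason) tuples for traffic to unrecognised IPs that looks
    like a regularly spaced small beacon or a bulk data transfer."""
    by_channel = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        if dst not in known:                      # only unrecognised destinations matter here
            by_channel[(src, dst, port)].append((ts, nbytes))
    findings = []
    for (src, dst, port), records in by_channel.items():
        records.sort()
        total = sum(b for _, b in records)
        if total >= bulk_bytes:
            findings.append((src, dst, f"bulk transfer of {total} bytes on port {port} to unrecognised IP"))
            continue
        if len(records) >= min_beacons and all(b <= max_beacon_bytes for _, b in records):
            gaps = [t2 - t1 for (t1, _), (t2, _) in zip(records, records[1:])]
            mean_gap = statistics.mean(gaps)
            # Coefficient of variation of the spacing: machine-driven beacons are near-constant,
            # human browsing is not
            cv = statistics.pstdev(gaps) / mean_gap if mean_gap else float("inf")
            if cv <= max_jitter:
                findings.append((src, dst, f"{len(records)} small flows every ~{mean_gap:.0f}s on port {port} (beacon)"))
    return findings

if __name__ == "__main__":
    for host, dst, reason in find_suspicious_flows(FLOWS, KNOWN_DESTINATIONS):
        print(f"{host} -> {dst}: {reason}")
```

The same logic applies unchanged to real NetFlow or firewall export once parsed into the same tuple shape; the thresholds are the tuning Heiser refers to below.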
Analyst firm Gartner has been looking at the methods used by host-based intrusion prevention systems. These range from system lockdowns to traditional firewall and anti-virus protection systems.
Jay Heiser, research vice-president at Gartner, says, “Security is still down to good hygiene and carefully managed information security that is effective against entire classes of threats. Various forms of host attack prevention systems still have a lot of potential for protecting code that is not addressed by anti-virus software. But the main message remains: if you don’t recognise it, don’t let it run.”
Heiser says the right balance will vary from company to company. “Multiple methods of host protection used simultaneously work best. The challenge will be to find the sweet spot by getting the tuning right, so we can do our work at an optimum level with minimum risk.”
The array of defence tools is expanding. Proactive systems such as application throttling offer promise but minimise rather than prevent leaks. They can also slow down the network in areas where a suspect application is found. These systems were developed in a world free from targeted attacks, where the scattergun inconvenience of malevolent applications often meant that critical systems were not affected.
Group IT manager Paul Brown is responsible for security at recruitment firm Reed Health, which holds private data on job seekers and employers. He uses a Network Box security appliance that incorporates firewall, intrusion detection and prevention, anti-virus, anti-spam, virtual private networking and content filtering.
“You cannot just rely on a firewall to say that one incoming message is dangerous but another is a straight text file so that is OK,” he explains. “You have got to have multiple levels of checking anything that comes in and be absolutely up to date with your anti-virus and patching.”
Today, the Trojan that throttling shuts down is likely to be on a mission-critical system, and slowing that system down will slow the company down. Although throttling software may be useful in some areas, it will not be in others. It is a case of finding the right course for the right horse.
Graham Titterington, principal analyst at Ovum, says, “The methods of protection that we have put in place over the past 10 years or so are perhaps reaching the end of their useful life. They do not protect you against all the nasties out there.”
He expects suppliers eventually to develop strategies to tackle new phenomena such as targeted threats. “Eventually, today’s malware protection products will be superseded by stronger solutions tied more tightly into the operating system,” he says.