Targeted attacks - a sniper rifle, not a scattergun

Malware is often thought of as an equal opportunity nasty. After all, real viruses affect the rich and poor equally. However, things are not as they once were. In the heady days of Blaster and Slammer and Nimda et al, the malware would infect anyone that it could.

Worms are not often found these days (fingers and toes crossed) but Trojans that will add your machine to a BotNet are not so much common as ubiquitous. These are not at all targeted but once in a while, we see something a bit different.

A blackhat will pick a handful of important users in an organization and they will be targeted with malware. It might be done via an email with a document that exploits a vulnerability in Office or Adobe Reader or whatever document viewer is unlikely to have been patched – large organizations often take a little while to roll out updates and longer for third party products which don’t have an auto-update mechanism. It is quite likely to have content tailored to be of interest to the user – for example, if the sales manager of a PC company was being targeted, it would make sense for the mail to claim that the document is sales figures from a competitor.

That said, there is another, simpler way. Some blackhats have been known to send (via snail-mail) a USB key or a CD with the malware on it. Most non-technical staff (and managers are normally the targets) will put the CD in or USB key in their PC without question. One quick autorun later and that box is owned. However, the purpose here is not to make the machine a spambot but to install a quiet little backdoor that will allow someone to help himself to the contents of “My documents”. Typically, the backdoor software will allow access to a command shell and a simple file transfer mechanism. Sometimes the hacker gets lucky and finds that a senior manager has insisted that he should have a similar level of control over the network but that is a bonus.

Because these attacks affect very few users, they often slide under the radar, especially because most organizations would sooner not come out and say that they got hacked. Sometimes the backdoors are specifically created for that one target if it is high value enough and so AV solutions are not useful.

Given that, what are the best defenses? There are two:

1. User education. The information that executives hold is valuable. Someone needs to tell them how to protect it. Maybe that person should be you. Hey, it is something to put on your next review document.

2. Good network egress control. I speak to a lot of customers who regard any outgoing traffic (LAN/WAN to internet) as good and all unsolicited incoming traffic as bad. Now, consider that these are customers speaking to someone who specialized in compromised systems. Most malware can’t do much if it can’t call home. Good egress control is no substitute for good training but it is an excellent adjunct.

It is possible that an attacker could try the same thing anywhere in your organization since any access is better than none so you might want to spread the word to the whole company. It might save millions of dollars though you can never measure prevention. In the worst case, it is good and harmless. Please, spread the word.

Until next time, signing off