Targeted Attacks on the Rise

Most attacks target a single user, report says



It's the other end of the threat spectrum: Instead of a massive attack on hundreds of your users, it's one message, sent to a single user, containing a backdoor Trojan -- or worse.

Such narrowly-targeted attacks are becoming more popular than ever, according to a new report issued today by MessageLabs. The messaging security company says it identified 716 emails in 249 targeted attacks last month. The attacks targeted 263 different domains, belonging to 216 different customers.

Most of the email attacks came in the form of malware hidden in a Microsoft Office document. Some 45 percent of the attachments were PowerPoint; 35 percent were MS Word files. Only 15 percent were .exe files, according to MessageLabs.

Nearly 180 of the 249 attacks were sent to a single individual in the company via a single message, MessageLabs said. Fewer than 20 of the attacks identified as "targeted" were sent to more than 10 people in a company.

The number of targeted attacks has grown since 2006, but that may simply reflect the fact that vendors are becoming more adept at identifying them, MessageLabs said. "Previously, they may have been lost in the general noise of one to two million pieces of malware per day," the report states.

There doesn't appear to be any pattern to the types of companies that are targeted for attack, MessageLabs found. Military organizations were among the most targeted, followed by electronics, aviation, and retail. "Target organizations are those with data worth stealing," the report says.

Many of the targeted attacks come from a single gang in Taiwan, MessageLabs says. "One gang has been using the same two attack files since November 2006," the report says. "In the month of March, they used these files 151 times, which makes them one of the highest-profile gangs, accounting for just over 20 percent of all targeted emails."

The Taiwan gang changes its source IP address frequently, making it hard to detect, MessageLabs says. It loads an index.exe file on the victim's machine, usually from an Apache Tomcat/4.1.24 server. The IP address hosting the Web server that dishes out the malware is registered to China United Telecommunications Corp. in Beijing.

Emails from the Taiwan gang are not particularly attractive, generally showing only a string of unreadable characters and carrying attachments. "We are not sure what bugs these files exploit," MessageLabs says. "It may be a PowerPoint record length exploit, but there are several other areas of interest in the files which may be the trigger." Microsoft is currently investigating the exploit, MessageLabs says.

The attachments carry malware, according to MessageLabs. "A cursory investigation of the shellcode implies that the code downloads and executes a file.index.exe," the company says. "This is a back door Trojan which gives the attacker control of the PC." Many antivirus applications do not yet detect the Trojan, according to the messaging security company.

The inability of antivirus applications to recognize the targeted attacks from Taiwan may be a reason why gangs such as the one in Taiwan use the same exploit over and over, MessageLabs says. When such files are detected, attackers are usually forced to change their approach vector, the company notes.

— Tim Wilson, Site Editor, Dark Reading

  • MessageLabs Ltd.
  • Microsoft Corp. (Nasdaq: MSFT) Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Copyright © 2020 UBM Electronics, A UBM company, All rights reserved. Privacy Policy | Terms of Service