
Surviving today's targeted attacks

By Kirsten Doyle, ITWeb contributor.
Cyprus, 07 Jun 2010

From 1992 to 2007, there were about two million unique malware programs. In 2008, there were over 14 million new malicious samples. By the end of the first quarter of 2010, Kaspersky Lab had a total of 36.2 million unique malicious files in its collection.

This is according to Stefan Tanase, senior security researcher, global research and analysis team, at Kaspersky Lab.

Attacks are now motivated by money, instead of mischief, he explained.

There are three ways of stealing. “Firstly, it can be done directly from the user. Getting his online banking accounts, credit card numbers, electronic money and, of course, blackmail. Even those who don't have money are targeted, as often they are even more valuable as their resources can be used to create botnets, send spam, launch denial-of-service attacks, pay-per-click fraud, collect passwords and suchlike.”

Ultimately, cyber criminals are after sensitive information, such as source codes, future product information, third-party data, credentials for production systems, executives' e-mails and customer information, he noted.

This is where the targeted attack comes in. Tanase cited Google's recent exit from the Chinese market, following a sophisticated attack on its office that resulted in the theft of intellectual property. The interesting fact here was that more than a week passed from when the vulnerability was made public, to when Microsoft patched the vulnerability, he pointed out.

“Cyber criminals only need a vulnerability that has a window of one hour. There are plenty of vulnerabilities out there, more than 5 000 per year.”

He said targeted attacks work differently; they are not epidemics. “One e-mail is enough, the cyber criminals don't need to send tens of thousands. Tracking these attacks is also difficult as targeted companies are seldom eager to share the attacks and details, making it hard to get samples for analysis. These attacks stay under the radar.”

In addition, classic signature-based anti-virus solutions are useless in these situations. The stakes are much higher too, as the outcome of a successful attack could mean intellectual property theft and corporate espionage.

How it's done

According to Tanase, these attacks happen in four steps. “Firstly, profiling the employees and choosing the most vulnerable targets. Reconnaissance is done via social networks, mailing list posts and public presentations. Attackers usually target users in their own country because of the language barrier, and they are most comfortable in their own language.”

The second step, he said, is to develop a new and unique malware attack. “It doesn't need to bypass all anti-virus, only the one the potential victim is using. The next step is using social engineering to get the victim to click on a link.”

The third step is gaining control and maintaining access. “The initial exploit drops malware onto the victim's machine, as networks are usually protected from outside threats. Command and control communications are done using encryption, which is particularly dangerous as the traffic is encrypted and cannot be detected.”

Finally, it's about getting the good stuff out. “Cyber criminals will then find an overseas office server to be used as an internal drop. Speed is key here. Data is then moved over the corporate WAN or intranet to the internal drop. All data is then removed at one time to the external drop server, as even if traffic is monitored, it might be too late to react.”
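The exfiltration pattern described above (data staged on one internal host, then pushed out to an external server in a single burst) can be turned into a monitoring rule on network flow records. The Python below is an added example, not code from the article or from Kaspersky. It assumes flow records with a timestamp, source, destination and byte count, a corporate range of 10.0.0.0/8, and the thresholds shown; all of these are assumptions to tune per site, and the sample flows are constructed for illustration.

```python
"""Flag the 'internal drop, then bulk external transfer' pattern in flow records.

Two signals are combined:
  1. fan-in: one internal host receives large volumes from several other
     internal hosts (data being staged on an internal drop);
  2. burst: that same host's outbound-to-external volume in one time window
     is far above its own typical window volume.
Both thresholds and the internal range are assumptions for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed corporate range


@dataclass
class Flow:
    ts: int      # seconds since epoch (constructed values below)
    src: str
    dst: str
    nbytes: int


def is_internal(addr: str) -> bool:
    return ip_address(addr) in INTERNAL


def fan_in_hosts(flows, min_sources=3, min_bytes=50_000_000):
    """Internal hosts that received >= min_bytes from >= min_sources other internal hosts."""
    sources = defaultdict(set)
    volume = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and is_internal(f.dst) and f.src != f.dst:
            sources[f.dst].add(f.src)
            volume[f.dst] += f.nbytes
    return {h for h in sources if len(sources[h]) >= min_sources and volume[h] >= min_bytes}


def external_bursts(flows, window=300, ratio=10.0, floor=100_000_000):
    """(host, window_start, bytes) for windows whose outbound-external volume is
    at least `floor` and at least `ratio` times the host's median window volume."""
    buckets = defaultdict(lambda: defaultdict(int))  # host -> window_start -> bytes
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            buckets[f.src][f.ts - f.ts % window] += f.nbytes
    alerts = []
    for host, per_window in buckets.items():
        values = sorted(per_window.values())
        baseline = values[len(values) // 2]  # median: one burst barely moves it
        for start, total in sorted(per_window.items()):
            if total >= floor and total >= ratio * max(baseline, 1):
                alerts.append((host, start, total))
    return alerts


def staged_exfil_alerts(flows):
    """External bursts from hosts that also show the internal fan-in signal."""
    staging = fan_in_hosts(flows)
    return [a for a in external_bursts(flows) if a[0] in staging]


def sample_flows():
    """Constructed records: three workstations push data to 10.1.1.50, which then
    sends one large burst out; 10.1.1.20 is a steady high-volume host (e.g. backups)."""
    ext_a, ext_b = "203.0.113.9", "198.51.100.7"  # documentation addresses
    flows = [Flow(t, "10.1.1.50", ext_a, 1_000_000) for t in (0, 300, 600, 900)]
    flows += [Flow(100 + i, f"10.1.1.1{i}", "10.1.1.50", 30_000_000) for i in range(3)]
    flows += [Flow(1210, "10.1.1.50", ext_b, 400_000_000),
              Flow(1250, "10.1.1.50", ext_b, 400_000_000)]
    flows += [Flow(t, "10.1.1.20", ext_a, 200_000_000) for t in (0, 300, 600, 900, 1200)]
    return flows


if __name__ == "__main__":
    for host, start, total in staged_exfil_alerts(sample_flows()):
        print(f"ALERT {host} window={start} outbound={total} bytes")
```

The fan-in check is the one worth acting on first: it fires while data is still being gathered on the internal drop, which is the only point at which the "too late to react" problem in the quote above can be avoided. The burst check on its own also flags legitimate bulk senders less often because each host is compared against its own median rather than a global threshold.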

Don't share

Targeted attacks are becoming mainstream, he said, because people are sharing so much personal information over the Internet these days. “If advertisers are already using this information, believe me, cyber criminals are doing the same.

“A highly-sophisticated targeted attack will eventually succeed. It is really hard to protect against this. It happened to Google, so it could happen to anyone.”

A proper security mindset is needed, as there is a lack of user education and awareness. “Training and policies are needed - a basic understanding is not enough. Employees should have some sort of reporting process, and should report attempted attacks. Companies should then have a follow-up procedure, and a round-the-clock security team to deal with these.”

There are also technical means to minimise these attacks, he added. “Reduce the attack surface by having fewer third-party plug-ins such as Flash, Acrobat and Java. Use alternative browsers and frequently patch and update. Proactive technologies can also provide the necessary edge for remaining secure, such as Kaspersky's Sandbox technology, a virtualised execution for applications. Host-based intrusion prevention systems, which use behavioural analysis, can also be of help.”
