
How Sophisticated are Targeted Malware Attacks?

Malware attacks that exploit vulnerabilities in popular software in order to compromise specific target sets are becoming increasingly commonplace. Prior to the highly publicized “Aurora” attack on Google and at least twenty other companies, targeted malware attacks had been taking place and they continue to affect government, military, corporate, educational and civil society networks. While such attacks against the US government and related networks are well known, other governments and an increasing number of companies are facing similar threats.

Earlier this year, the Canadian, South Korean and French governments all suffered serious security breaches of sensitive networks. Recently, the European Commission and the External Action Service were also compromised. There have also been acknowledged security breaches at the security firms RSA and Comodo which—at least in the case of RSA—appear to be the result of targeted malware attacks.

Technically sophisticated or simply well-executed?

Such attacks are almost always described as sophisticated or targeted, adjectives which have basically become synonymous with successful. The statements issued after breaches often suggest that attackers knew exactly what to exploit and, in some cases, exactly what they were looking for. It is difficult to assess such claims based solely on the murky details that emerge publicly. I am therefore not suggesting that such characterizations are necessarily incorrect. Rather, I am suggesting that the levels of targeting and sophistication are the result of prior knowledge gained by the attackers and not necessarily of some technical brilliance in the tools and methods used.

While most Internet users will never be victims of targeted attacks and are more likely to face common threats such as fake security software (FAKEAV) and banking Trojans (Zeus, SpyEye), there continues to be a steady stream of malware samples that are linked to targeted attacks. However, the actual level of targeting varies considerably. There are some malicious actors that generate more “noise” than others. While they do send out malicious documents, often leveraging specific themes and issues for social engineering, they are received by a relatively large number of potential targets. They are certainly not targeted to the level of an individual or even an organization. However, such attacks may simply be the precursor to much more specific, targeted attacks.

Laying the groundwork

A recent sample, which I received via contagiodump.blogspot.com, illustrates the level of reconnaissance that “noisy” attackers can generate. The malware sample was a .CHM file that exploits Microsoft HTML Help. The malware, which is detected by Trend Micro as CHM_CODEBASE.AG, drops BKDR_SALITY.A and proceeds to generate network traffic with well-known BKDR_SALITY.A servers.

However, the malware made another set of network connections to win{BLOCKED}.dyndns.info. The Web page accessed on this server contains JavaScript code that uses the res:// protocol to enumerate the specific software on the compromised computer and submits the listing to win{BLOCKED}.dyndns.info. This method of using the res:// protocol to enumerate installed software was documented by Billy Rios in 2007. Rios explains that the res:// protocol, which has been built into Internet Explorer since version 4.0, can be used to remotely detect specific software present on a computer by simply getting a user to visit a Web page from a browser. As Rios notes, this technique can be used to identify specific applications in order to select an appropriate exploit. It can also be used to detect the presence of specific drives. Years later, this technique is still effective.

The script at win{BLOCKED}.dyndns.info detects an extensive list of software:

  • Microsoft Office (Word and Outlook) from Windows 97 through to 2010
  • Adobe Reader (7.0 to 9.3)
  • Adobe Flash
  • Java
  • Instant messaging programs (Skype, Yahoo! Messenger, MSN, Google Talk, and QQ)
  • Programming and graphics tools (Delphi, .net, Photoshop and Dreamweaver)

It also checks for file sharing programs, Web browsers, remote administration tools, email clients, download managers and media players. Security software is also detected, including major antivirus products and personal firewalls, as well as PGP encryption software. In addition, it checks for virtual machine software and tries to detect if it is within VMware. Finally, it checks for Microsoft updates from KB842773 through to KB981793.
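From the defender's side, the distinguishing feature of a res:// profiling page is the sheer number of distinct local executables it references, and in particular its interest in security and virtual-machine software. The script below is an added illustration, not code from the analysed sample or from Trend Micro: it pulls every res:// reference out of captured page content, reduces each to the module file name it probes, buckets the modules into software categories, and flags the page as fingerprinting when it probes many distinct modules or any security/VM product. The embedded HTML fragment, the category keyword table, the threshold of five distinct modules and the collector hostname are all constructed for the example.

```python
"""Flag web pages that use IE's res:// protocol to inventory installed software.

Heuristic: one res:// reference to a browser module is unremarkable, but a page
that probes many distinct third-party executables, or that looks for security or
virtual-machine software, is fingerprinting the client.
"""
import re
from collections import Counter

# Matches the local path inside a res:// URI, up to the closing quote or tag.
RES_URI = re.compile(r"res://([^\"'<>\n]+)", re.IGNORECASE)
# Pulls the module file name (exe/dll/ocx) out of that path.
MODULE = re.compile(r"([^/\\]+\.(?:exe|dll|ocx))(?=[/\\]|$)", re.IGNORECASE)

# Constructed keyword table (module name stem -> category); a real deployment
# would carry a far larger list.
CATEGORIES = {
    "office": ("winword", "outlook", "excel", "powerpnt"),
    "reader": ("acrord32", "acrobat"),
    "java": ("java",),
    "im": ("skype", "ymsgr", "msnmsgr", "googletalk", "qq"),
    "security": ("pgpdesk", "pgptray", "avp", "mcshield", "ccapp"),
    "vm": ("vmwaretray", "vmtoolsd"),
}
DISTINCT_MODULE_THRESHOLD = 5  # constructed cut-off, tune to your environment

# Constructed sample in the style of a res:// fingerprinting page. Paths are
# illustrative; the collector hostname is a placeholder.
SAMPLE_HTML = r"""
<html><body><script>
var probes = [
  "res://C:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE/#2/#1",
  "res://C:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE/#2/#1",
  "res://C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe/#2/#1",
  "res://C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe/#2/#1",
  "res://C:\\Program Files\\Skype\\Phone\\Skype.exe/#2/#1",
  "res://C:\\Program Files\\PGP Corporation\\PGP Desktop\\PGPdesk.exe/#2/#1",
  "res://C:\\Program Files\\Java\\jre6\\bin\\java.exe/#2/#1"
];
// results are reported to a remote host (placeholder hostname)
var report = "http://collector.example.invalid/submit?apps=";
</script></body></html>
"""


def extract_res_uris(html: str) -> list:
    """Return the path component of every res:// URI found in the page."""
    return RES_URI.findall(html)


def module_name(res_path: str) -> str:
    """Lower-cased module file name referenced by a res:// path, or '' if none."""
    match = MODULE.search(res_path)
    return match.group(1).lower() if match else ""


def classify(module: str) -> str:
    """Map a module file name to a CATEGORIES bucket, else 'other'."""
    stem = module.lower().rsplit(".", 1)[0]
    for category, keywords in CATEGORIES.items():
        if any(stem.startswith(kw) for kw in keywords):
            return category
    return "other"


def assess(html: str, threshold: int = DISTINCT_MODULE_THRESHOLD) -> dict:
    """Summarise the res:// probes in a page and decide whether they amount
    to software fingerprinting."""
    uris = extract_res_uris(html)
    modules = sorted({m for m in map(module_name, uris) if m})
    categories = Counter(classify(m) for m in modules)
    # Interest in AV/encryption or VM software is a strong signal on its own.
    probes_security_or_vm = bool(categories["security"] or categories["vm"])
    return {
        "probe_count": len(uris),
        "modules": modules,
        "categories": dict(categories),
        "fingerprinting": len(modules) >= threshold or probes_security_or_vm,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_HTML))
```

The same assessment can be run over script bodies extracted from a proxy cache or a sandbox's captured HTTP responses; a page that trips the verdict is worth correlating with the outbound connection that carried the inventory to the collecting host.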

This malware sample is admittedly odd because it conducts these checks after the user’s computer is already compromised. If this were being used for profiling, wouldn’t it have been done before the attack? One possible explanation is that the attackers are deliberately sending out “noisy” attacks in the hope that administrators would simply clean compromised systems and move on. However, by then the attackers would have a profile of the machines in an organization that was compromised. They will know the preferred antivirus products, the specific versions of installed software and other information they can use to stage a targeted attack in the future. When the attackers are ready, they will stage an attack aimed at acquiring specific data. The attackers will know exactly what versions of what software to exploit in order to compromise the target. The attack will be characterized as sophisticated and targeted because prior information about the organization has helped make the attack successful.

Post from: TrendLabs | Malware Blog – by Trend Micro


