SecurityFocus 2005-06-22
Cyberattacks aiming to steal proprietary information have targeted companies and government agencies across the globe, including the U.S., security experts said this week.
On June 16, the United Kingdom's incident response team, the National Infrastructure Security Co-ordination Centre, warned that stealthy Trojan-horse attacks were targeting specific U.K. companies and government agencies. However, similar attacks aimed at other countries, including the United States, have been detected over the past year, according to security firms.
This week, security company Symantec sorted through low-volume e-mail threats submitted to its response team for analysis and found several that had targeted U.S. government agencies or had been submitted to Symantec from government sources in the United States. (Symantec is the parent company of SecurityFocus.)
"This appears to be a very specific virus writer targeting government agencies and, not as (other articles) suggested, targeting only U.K. government agencies," said Dave Cowings, senior business intelligence manager for Symantec.
Two programs that fit the profile--identified by Symantec as Trojan.Mdropper.B and Trojan.Riler.C--were among the threats warned about by the NISCC. The Trojan horse programs were attached as documents to e-mail messages. The documents had names that sounded military, including "Nuclear Weapons Technology Proliferation.doc." Others were more generic, such as "Notepad.exe" and "Code Password.doc."
"These are definitely virus attacks that attempt to sneak under the radar and are specifically targeted towards government agencies," Cowings said.
Targeted Trojan-horse attacks are a new trend in online threats. Previously, Trojan horses have been included in e-mail messages, multimedia files or popular programs, and their creators aimed to compromise as many computers as possible with the software. Stealthy Trojan attacks, signs of which have been detected for the last year, target specific firms to evade detection.
Last month, law enforcement agencies in Israel found that private detectives had allegedly used targeted Trojan-horse programs to steal information from their clients' competitors, according to press reports. The attacks went unnoticed for months because the attack tools used had been tailored for their task.
The latest attacks are targeted at only a few companies or government agencies at a time and show signs of significant background research into the target, said Mark Sunner, chief technology officer for e-mail security firm MessageLabs. While data on the attacks is scarce, with the company only detecting two attacks per week, they are a serious threat, he said.
"I think it would be very, very naive for any company to ignore these attacks," Sunner said. "The lack of instances makes this more insidious, because it's likely that no one is detecting the attacks. People may only notice it months later--by then, it is too late."
While there is no evidence that the attacks have been successful, they pose a threat that challenges the current defenses erected by many organizations.
Symantec and MessageLabs were two of three companies from which SecurityFocus requested data about low-volume attacks. The third company, e-mail security provider Postini, said it didn't have the information readily available. All three companies have systems that scan e-mail for viruses and malicious programs.
The United States Computer Emergency Readiness Team, or US-CERT, has not released a statement on the NISCC advisory. Both the Australian and Canadian response organizations offered advice to companies to protect themselves. US-CERT did not respond to requests for comment from SecurityFocus.
The Computer Emergency Response Team (CERT) Coordination Center, which administers US-CERT, said there is no reason to question NISCC's data.
"This could likely be a new trend of attackers doing more targeted attacks," said Art Manion, Internet security analyst for the CERT/CC. "The social engineering aspects are definitely more likely to work."
Manion stressed that the CERT/CC does not speak for US-CERT, however.
The stealthy attacks have frequently been sent to a specific person at the targeted organization and show that attackers are researching the best way to convince the victim that the document containing the Trojan horse is genuine. Moreover, traditional e-mail-borne mass-mailing viruses typically have not stolen documents. Among viruses that did include data stealing, such as the Sobig virus, the resulting data leakage was mostly random.
The latest threat aims at potentially high-value file types. One attack program, dubbed W32.MyFip, came out last August and remained off most radar screens because it did not propagate on its own but had to be sent directly to targets, said Joe Stewart, senior researcher with security firm LURHQ.
The first version of the program, MyFip.A, stole PDF documents. The second version of the program broadened the types of files for which it searched to Word documents, CAD/CAM documents and Microsoft database files, according to an analysis done by LURHQ.
"It is hard to find how much that this is going on because it is targeted," Stewart said. "That is the problem with these things--you have to practice defense-in-depth to prevent them or you will be leaking intellectual property."
Both MyFip and the latest string of attacks discovered by MessageLabs and NISCC appear to come from China. While the NISCC stated that the last bounce of the attack came from the "Far East," MessageLabs confirmed that almost all the attacks it detected came from Chinese servers. LURHQ's analysis also discovered that MyFip was sent out using a spam tool common in China.
However, the evidence does not add up to an attacker based in China, stressed MessageLabs' Sunner. Many attackers might bounce messages from China or use a compromised server in China to attack targets on the opposite side of the globe, he said.
"It's nighttime in China when the attacks are happening in the U.K.--that brings the benefit of making it harder to get the site shut down," he said. "The Internet being what it is, there's not any guarantee that the attacker is in China."