A recent compromise at a corporation led to a significant amount of data being stolen, underscoring that traditional software defenses are hard-pressed to catch obfuscated attacks, security firm Finjan said in its monthly analysis of Internet threats.
In the report, dubbed the Malicious Page of the Month, the company claims that a desktop PC at an unnamed firm had been infected with a data-stealing Trojan horse. The attack succeeded because the firm's antivirus software and static Web filters could not identify the scrambled attack code as a threat, Finjan stated in the report. The result: the malicious software downloaded code from a server in Utah and sent files and transcripts belonging to a number of corporate users to a second server in Texas.
"Using the stolen data, they (the attackers) can now log into the e-mail account of the corporate employee, read his/her e-mails, reply on his/her behalf, and access other systems run by the company," Finjan said. "Needless to say, this is the ultimate nightmare of any executive, no matter if it is a public or private company."
Antivirus firms -- including Symantec, the owner of SecurityFocus -- have acknowledged that the dynamic obfuscation of attack code makes maintaining software defenses much more difficult. Last year, the total number of computer virus variants topped a half million, more than twice the year before, because online criminals use obfuscation techniques to turn a single virus into a multitude of distinct variants, each of which evades the signatures written for the others.
Finjan found that 80 percent of the code it has encountered on the Internet has been obfuscated to some degree.
"The use of dynamic code obfuscation keeps reaching new levels of attack sophistication and prevalence 'in the wild,'" Finjan wrote. "It has become the cyber crime weapon-of-choice due to its effectiveness in bypassing traditional signature-based solutions."
Finjan did not name the company nor the type of antivirus software the firm used. The criticism of static-URL and signature-based defenses is a common theme in Finjan's marketing.
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos