The 2006 Virus Bulletin Conference is currently taking place in Montreal, and some interesting trends are emerging from the various security vendors speaking at the event. One such trend: the widely distributed attack using worms, viruses and Trojans is becoming less of a concern, at least once you move outside of the strictly consumer realm. For the corporate user it is the highly targeted, tightly focused, small-scale Trojan attack that is causing the biggest headache.
Note that what we are talking about here is concern, not risk. The widely distributed, multi-million-message, spam-delivered malware threat has not gone away, and it poses as great a risk as ever. But what the likes of Symantec are saying at the conference is that business is recognising the danger of the targeted Trojan, despite it being only a blip on the overall threat landscape radar, because these are the attacks most likely to achieve the double damage whammy of slipping under that radar and doing the most corporate damage.
The kind of attacks being talked about at Virus Bulletin Conference 2006 are the likes of keyloggers and screen-scrapers, delivered using highly focused emails to just one or two well-researched addresses at the target business. Concentrating on a single victim or two like this achieves two things: the normal detection systems sound no bells because no attack pattern is detected, it's just another email; and the message is much more likely to succeed in getting the recipient to click the link, because that link will have been tailored to press the right buttons in the reader.
Of course, it does all rather depend on the state of the overall security within that business, because most of these attacks still rely on unpatched systems for their vulnerabilities to be exploited and payloads dropped.
To give you an idea of just how small scale we are talking here, of the 3 million bits of malware extracted from email by MessageLabs every single day, only 7 will be a targeted Trojan. That's worth repeating: only 7 out of 3 million. Yet the consequences of getting hit by that minuscule percentage can be hugely costly, because the target is more often than not information.
This is the future of industrial espionage and it is happening right now.
In the MessageLabs presentation at the Virus Bulletin Conference, the sophistication of some of these attacks was revealed: whole email threads from a business partner can be intercepted and the attack email constructed around content referenced within that thread. By including a link to an MS Office document infected with a zero-day exploit, gateway security and signature-based security can all be sidestepped.
I'm not sure I'd go so far as to agree with MessageLabs that any company with valuable intellectual property that doesn't know for sure if they have been targeted is already a victim. But the problem is very real, and very difficult to deal with. Heuristics-based pattern-detection blocking systems are being developed by most of the major security vendors, but the nature of these attacks makes them hard to detect even then.
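To make concrete why the volume-based detection described above sounds no bells for a two-recipient message, and what a heuristics layer of the kind the vendors are said to be developing would have to look at instead, here is an added illustration. It is not code from the post, from MessageLabs or from any vendor named here; the gateway log, the domains, the scoring traits and the thresholds are all constructed for the example.

```python
"""Added illustration: a volume-based attachment filter misses a targeted
Trojan that only two people receive, while a per-message heuristic layer
catches it. All sample data, domains and thresholds are constructed."""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Message:
    sender_domain: str              # domain of the From address
    recipients: int                 # number of recipients on the message
    attachment_hash: Optional[str]  # hash of the attachment, if any
    attachment_type: Optional[str]  # file extension, if any
    in_reply_to_internal_thread: bool  # quotes or references an internal thread
    links_to_external: bool         # attachment or body carries an external link


INTERNAL_DOMAIN = "example.com"       # hypothetical protected organisation
PARTNER_DOMAIN = "partner.example"    # hypothetical business partner

# Constructed gateway log: one mass-mailed campaign (1000 copies of the same
# executable), one targeted message built around an intercepted partner thread,
# and one benign reply from the same partner.
SAMPLE: List[Message] = (
    [Message("spam.example", 1, "aaaa", "exe", False, False) for _ in range(1000)]
    + [Message(PARTNER_DOMAIN, 2, "bbbb", "doc", True, True)]
    + [Message(PARTNER_DOMAIN, 1, None, None, True, False)]
)


def volume_filter(messages: List[Message], threshold: int = 50) -> Set[str]:
    """Classic pattern detection: block any attachment hash seen at least
    `threshold` times across the stream. Returns the blocked hashes."""
    counts = Counter(m.attachment_hash for m in messages if m.attachment_hash)
    return {h for h, n in counts.items() if n >= threshold}


def heuristic_score(msg: Message) -> int:
    """Score a single message on traits the post associates with targeted
    Trojans. Weights are assumptions chosen for illustration."""
    score = 0
    if msg.attachment_type in {"doc", "xls", "ppt"} and msg.links_to_external:
        score += 2  # Office document carrying an external link
    if msg.in_reply_to_internal_thread and msg.sender_domain != INTERNAL_DOMAIN:
        score += 1  # external party continuing an internal thread
    if msg.recipients <= 2:
        score += 1  # too few recipients ever to cross a volume threshold
    return score


def triage(messages: List[Message], threshold: int = 50,
           alert_at: int = 3) -> Tuple[List[Message], List[Message]]:
    """Run both layers. Returns (caught_by_volume, flagged_by_heuristics);
    the second list holds only messages the volume filter let through."""
    blocked = volume_filter(messages, threshold)
    caught = [m for m in messages if m.attachment_hash in blocked]
    flagged = [m for m in messages
               if m.attachment_hash not in blocked
               and heuristic_score(m) >= alert_at]
    return caught, flagged


if __name__ == "__main__":
    caught, flagged = triage(SAMPLE)
    print(f"volume filter caught {len(caught)} messages")
    print(f"heuristics flagged {len(flagged)} low-volume message(s)")
```

The mass campaign is stopped by the count alone; the targeted document never reaches the threshold and is only surfaced because of what it is (an Office file with an outbound link) and who sent it (an outside party picking up an internal thread). The benign partner reply shares two of those traits and scores below the alert line, which is exactly the tuning problem the post is pointing at.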
No wonder the corporate concern over these attacks is growing...
I'm a hacker turned writer and consultant, specialising in IT security. I've been a freelance word punk for over 20 years and along the way I have seen 23 of my books published, produced and presented programmes for TV and radio, picked up a bunch of awards and continue being a contributing editor with PC Pro, the best-selling IT magazine in the UK.