Trusteer CEO warns over highly targeted malware attacks

Last week, says Mickey Boodaei, Trusteer's CEO, his research team saw two instances of this type of attack.

The problem is, he adds, that those enterprises that spot this type of attack fail to understand the implications and simply disinfect the user's machine, and then move on.

In one example of a targeted attack - which Boodaei calls VIGNS: Vanity Infection from Google News Searches - he says that the infection is designed to place under-the-radar malware on a computer owned by an executive who has access to sensitive corporate information.

"The attack process, as with any targeted attack, starts with some form of reconnaissance: The attacker searches the business social networking site LinkedIn for executives at the targeted organisation", he says in his security blog.

The Trusteer CEO says LinkedIn is the perfect tool for this type of reconnaissance, as users can easily find victims by searching for the company name and the role they are after.

All that then needs to be done in order to take it to the next level is the name of the victim, he notes.

"Next, the attacker needs to build a web page that infects its visitors. It does not matter where this page is placed - criminals, we have observed, have access to a large number of compromised servers and they are likely to place this page on any one of these servers", he says.

"The page itself exploits a zero day or a recently discovered browser or browser add-on vulnerability. The recently announced Adobe vulnerabilities are a perfect example and can be easily used to achieve this goal", he adds.

Because many people tend to have a Google alert set up to flag up pages that have their own name listed, Boodaei argues that cybercriminals can create an infected web page that also includes the executive's name, and let Google's news alert service do the rest.

But here's where it gets interesting, as he adds that Trusteer's researchers have discovered a number of ways that can be used to enable this attack to fly under the radar of IT security software.

"The first method is not to post the exploit on the webpage until after Google's indexing systems have visited the page in question. This will minimise the timeframe that the exploit is active and can be detected", he says.

"The second method is to take the webpage off immediately after the malware reports back that it gained access to the executive's computer. The malware can easily know where it has landed by looking at information such as the email account on the computer. This approach also minimises the time of exposure for the malicious webpage", he adds.

And cybercriminals, he goes on to say, can also use popular malware toolkits like Zeus or SpyEye, but limit its distribution to the web page that they want to target the specific user with.

This will, says Boodaei, keep anti-virus solutions from classifying this threat, adding that the malware can automatically remove itself if it reaches the wrong PC, by looking at simple parameters such as the email account configured on the computer.

Conventional IT security does not prevent these targeted attacks, but the Trusteer CEO says that a specialist security package can be used to stop the attack taking place - even if the computer is infected - by analysing if unknown software is trying to access sensitive information.

"The methodology I have presented above is just one in a series of sophisticated, targeted attacks we expect will be launched against organisations in the near future", he said.

"We strongly recommend that organisations re-evaluate their approach to targeted attacks since they represent, as we witnessed with various incidents in the press, the most dangerous type of threat to their business", he added.

What’s Hot on Infosecurity Magazine?