Schneier on Security
A blog covering security and security technology.
« Bioterrorism Defense in the U.S. |
| FixAVote.com »
October 17, 2006
Targeted Trojan Horses Are the Future of Malware
Security technology can stop common attacks, but targeted attacks fly under the radar. That's because traditional products, which scan e-mail at the network gateway or on the desktop, can't recognize the threat. Alarm bells will ring if a new attack targets thousands of people or more, but not if just a handful of e-mails laden with a new Trojan horse is sent.
"It is very much sweeping in under the radar," said Graham Cluley, a senior technology consultant at Sophos, a U.K.-based antivirus company. If it is a big attack, security companies would know something is up, because it hits their customers' systems and their own honeypots (traps set up to catch new and existing threats), he said.
Targeted attacks are, at most, a blip on the radar in the big scheme of security problems, researchers said. MessageLabs pulls about 3 million pieces of malicious software out of e-mail messages every day. Only seven of those can be classified as a targeted Trojan attack, said Alex Shipp, a senior antivirus technologist at the e-mail security company.
"A typical targeted attack will consist of between one and 10 similar e-mails directed at between one and three organizations," Shipp said. "By far the most common form of attack is to send just one e-mail to one organization."
Posted on October 17, 2006 at 7:04 AM
• 25 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Thank you very much for this useful information!!! To tell the truth I even haven't thought about such problems in the net!!! Now I'll be cautious!!! :)
Oddly I have just been posting about this sort of increase in "eCrime for profit" on another blog,
Basically ther is concern that mid level eCrime will not be investigated. There are a number of initiatives being proposed but they are unlikley to be of any real use.
Criminals are evolving, they are becoming aware of how to use the Internet and other technologies to their benifit.
And most importantly they are learning how to use security technology that is now fairly commonly avaialable to hide evidence and even meta-evidence. This is a real problem as most successfull convictions of crime and especialy of eCrime need reliable evidence to be presented so that a judge jury can actually understand it.
With fiscal cut backs all around what hope is there that these mid level crimes will be investigated. I suspect that they will not and criminals will recognise this and take advantage.
By which time the Police and other investigating organisations are very much playing the catch up game, with the criminals having the upper hand in choice of target and conceling mechanisum / technology.
I suspect that unless real proactive steps are taken this mid level crime will effectivly dissapear under the official radar in much the same way that ATM card skimming does currently.
Fundamental problem is the model of the internet. In the context we use here, default allow (email transmission for instance) is going to have to change to a trusted, authenticated model. As the article points out, it is too easy to defeat the big security scanners by simply customizing your attack vector.
There will be a great loss of unility of the internet, but eventually that cocst will be smaller than the cost of maintaining the open model...
When you read it a couple of paragraphs towards the bottom caught my eye,
"The motivation of the attackers is also topic of dispute. From his analysis, Shipp believes the intent is to steal information. "In other words, corporate espionage," he said.
But Symantec's Weafer isn't so sure. "Whether they are for hire, or whether they are simply trying stuff out is not clear," he said. "
How about they are getting into a territory whilst they can, that is they are being oportunistic before their zero day exploit becomes known.
Once in they can then find a buyer or wait for one to pop up.
After all a zero day exploit has a very limited shelf life, once you are in if you are carefull you stay in...
I consider targeted attacks a major problem and there is no obvious way to defend. Although "default deny" mentioned by DBH is generally a good idea, it is very hard to implement in real-world situation especially when you considered an already-established IT environment.
Bah! Email isn't for attachments. Nor is it for URLs.
Just ban all attachments and use mail readers that present everything in plain text.
Keep the data in the places meant for data and the executables in the places meant for such.
I may have my head in the clouds, but wouldn't an enforced use of digital signatures tighten things up in corporate environments? MUA, or even MTA, rules could ensure that you see only plain text unless the message has a verifiable and acceptable signature. All internal corporate users would already have internally managed certificates. Adding signatures for external senders to your acceptance list would be an overt act. Email is rendered harmless until you learn enough about handling it to safely deal with attachments. If you never bother to learn, you get only text, and that may be acceptable to many.
Sure, it's not water tight, and the structure can be attacked, but it's better than blindly accepting everything that appears on the network.
Sandboxing individual applications might be one way to deal with this. SuSE is working on something called AppArmor for this purpose, and another company called GreenBorder has a product out. (I'm sure AppArmor is legit, but I've never tested GreenBorder and I have some doubts about how effective it is.)
One legitimate complaint about sandboxing is that we tend to create applications that put lots of user-data inside the sandbox. For example, there are solutions that are really good at preventing malware from spreading outside of your browser, but if the browser has access to the corporate intranet and all of your saved passwords, does that even matter?
Note that we are still talking for the most part about securing individual components, the e-mail, the browser, etc... Once malicious code makes it outside those components, you are SOL.
And just how is this any different from what has been going on in the "real" world all along?
Think about how often the news mentions that a single home has been broken into as compared to reports that all the homes in a certain area are being broken into. Or that a single car has been vandalized as compared to all the cars in a neighbourhood.
Criminals who use their brains know not to attract undue attention to themselves. They know it is better to strike once or twice and then move on before the spotlights arrive...
It's a diff type of attack than what is usually in the news, but nothing new. Some foks use raw power or sheer luck to find a weak spot, while others seek a good opportunity.
Technically speaking, there was really just one actual trojan horse and it was probably considered the "future" of attacks as far back as 1100 years BCE. Once the Achaeans figured out that Troy would have to be taken by deception instead of sheer force...
"Fundamental problem is the model of the internet."
"Keep the data in the places meant for data and the executables in the places meant for such."
I agree with both these views and would like to throw in my ideas about the Internet and Operating Systems.
Here's an alternative model for the Internet:
A three tier network in which the top level permits global access, middle level permits national access and bottom level permits state/regional access.
Bottom level can route with Middle. Top level can route with Middle.
Network use of the bottom layer network would be pretty much as we know the Internet now i.e. unfettered.
Network use at the middle layer would be restricted to certain protcols/ports and require authentication to a national routing system as a condition to transmit traffic. I would expect different countries to allow different protocols/ports according to their preferences.
Network traffic at the top layer (global) would be limited to those ports/protocols common to other countries (middle layer networks) and require two-way authentication between targets and recipients.
The point of this is that port scanning and other naughty activity would be limited to a region/state and hence much easier to police. Limited national traffic would still be permitted as long as you authenticate your action with the national routing system to create a log of traffic between states/regions.
Each country would have the ability to limit the type of access they permit with other countries and anonymous, unsolicited traffic at global level would not be possible.
Yes, a pipe dream but does anybody have a better idea?
It seems to me our mainstream Operating Systems are bust; they are not really fit for purpose. In anticipation of all you Mac/Linux advocates who believe you have the answer, I say that if Linux or Apple Operating Systems become more popular then exploits for those systems will also become more common.
Just to make it worse, we have a monopoly by a company that does not appear to be interested in any serious engineering changes to their systems that might impair market share.
The OS is bust and I don't have an answer.
Thanks to those of you who read to the end of this post.
You may or may not like Microsoft, and I couldn't care less whether or not you do, but it's not topical to your proposed changes.
You could implement them at the application level (think custom NIC drivers or IP stacks ala common firewall software) or at a firewall/router/etc level.
By the way, I don't think your idea is the best one out there, but I do very much think that it is clever and could work if there was wide-spread buy-in.
The problem isn't the software, it's the users AND the software.
@Concerned: "Each country would have the ability to limit the type of access they permit with other countries [...]"
Congatulations, you have just reinvented the Great Chinese Firewall. Now, if only China would teach their firewall to stop outgoing spam I could teach my firewall to accept mail from China again...
"I say that if Linux or Apple Operating Systems become more popular then exploits for those systems will also become more common."
Apple and its closed source aside, I say your speculation is bullshit, IMO when it comes to Linux.
But that's all people can say about Linux when it comes to being negative compared to Windows, just a bunch of What If's rather than facts.
Security is in bad shape today because people trust a closed source solution which none of us civilians can legally audit the source code for so in reality, WinVista, WinXP, WinWhatever, if it's closed source and we cannot audit it for ourselves, M$ can say it's secure or Jesus Christ can say it grows new teeth, it doesn't matter what ANYONE SAYS, what matters is WHETHER OR NOT THE SOURCE CODE IS OPEN OR NOT.
That in this day and age people continue to trust closed source for security, THAT my friends, should be a crime.
Thanks for comments.
@God Loves Pizza
Regarding Linux, it's early days yet. Believe me I if I had to choose another OS for my government/corporate OS right now then it would probably be Linux (Centos and Debian are my current favourites) but Linux is not all roses and honey. For starters, the kernel is a monolithic design and I'm not sure how long that will how up in the long run. HURD looks like a better bet to me but seems to be going ... nowhere. SELinux looks like a good practical solution for now (Red Hat/Centos). I am blessed/cursed with working in a Defence and Contractor environment. The average security awareness in most private companies I have encountered is close to zero.
Sorry, but I don't believe that Linux is the complete answer and I am worried that the bad guys are winning.
Yes, of course you are correct that China/North Korea/Iran ... would limit access. Sorry but that is the way the world works my friend. The idea that we should drop our security in the name of the greater good doesn't really stand up when you are in real trouble (IMHO). Perhaps we should just accept that the Internet isn't going to solve all our problems.
Sorry to be so negative but that's my opinion :(
Great idea! Filter the internet! Because we all know China, North Korea, Iran, and all those other brilliant "Axis of Evil" nations suffer from far less electronic security problems than we do on the open net...
OK, perhaps that isn't fair. The system you're proposing is not just a firewall, so to equate it with existing implementations is apples and oranges I suppose. But, really, at some point, for all the fencing and blocking you can do to the "bad stuff", you are going to end up blocking far too much legitimate content in an attempt to block illegitimate content to make it feasible or even desirable. Further consider - who is going to fight harder to get the user to click that little "Accept this connection" button... the legitimate website, or the malware with potential to pay.
I'd prefer to to filter MY OWN information than have someone else do it for me. Or, at least determine how much filtering is done thereon. Norton is one thing. Websense is entirely another. (Though, I'm a completely converted Ubuntu GNU/Linux user, so I don't have to bother with either. Certainly, there is potential for me to download a damaging file but... I have to manually set said file to be executable, and even then, the damage is contained to my home directory, the rest of the system is untouched. Thanks for playing, try again real soon.)
>> Network traffic at the top layer (global) would be limited to those ports/protocols common to other countries (middle layer networks) and require two-way authentication between targets and recipients.
Well, for one thing, I do not see what limiting traffic to a nations/regions would buy. You may want to keep certain data transfers within one region of legislation, but I doubt that you can achieve that by filtering ports ...
And, if you want to allow some traffic between nations, then you don't need to port-scan outside the permitted range, but can assume that *those* ports that are still open are the interesting ones. Seems to significantly reduce the effort required to get good scanning coverage ... ;-)
OTOH: I hope that HTTPS is among the protocols supported between nations? Otherwise, international e-commerce will come to a halt. But give me HTTPS and I do not need any other port (given SSL tunnel endpoints in all relevant regions/nations). I do remember well reading the announcement made by Microsoft some 10 years ago, that they'd proceed to make all their application protocols work over port 80 (including e.g. Netmeeting, which according to MS was often blocked by incompetent firewall admins and thus did not work between Internet and corporate PCs). They explicitly mentioned SOAP and WebDAV, IIRC, and web services are clearly able to carry just about any application protocol ...
If you want to restrict/control data exchange and access, then do not use those innocent port numbers, which just happen to be default numbers assigned to services, and which could also be identifed by host names or at the application level, i.e. without the need for distinct ports on hosts).
"Basically ther is concern that mid level eCrime will not be investigated. There are a number of initiatives being proposed but they are unlikley to be of any real use."
Such has already been true for a long, long time. I can give you an example on this. My girlfriend was 'hacked' by a lawyer using a Win32 remote desktop-like trojan which was carefully hidden. By sheer luck (an application crashing, allowing her to see hidden files) she found this trojan out. The lawyer, as far as we know, has no criminal background or history of criminal behaviour. She contacted a local police department who said she should contact the Secret Service. SS didn't do anything unless damages were above 400K USD. She had the serial used by this specific trojan, but the corporation behind the trojan didn't want to give her the personal information on the serial issuer. The lawyer, who was operating for a former employee whom she was sueing, would have been disbarred but nobody was cooperating with us. This is about 3 years ago.
(Posted as AC for obvious reasons.)
As for unsecure OSes, neither MacOSX, Windows or Linux are based on capability-based security http://en.wikipedia.org/wiki/... -- I admit I don't know much about this theory. It may be worth to look into when comparing, though.
@God Loves Pizza
A simple question for you,
Do we know all the methods by which an attack might be launched against an IP based network connection?
The answer is fairly obviously no currently, so this means that all network connections are likley to be vulnerable to a new and currently unknown attack vector on IP.
Now ask the same question of higher level protocols etc.
Can we perhaps predict how some new attack vectors might work, the answer is yes to some only. Can we design a system to be secure against those, the answer is possibly, but the effort involved and the resources required might be prohibitive. For instance, when writing acceptable level software you find that about 20% does what the program is designed to do, 10% helps you find faults and the other 70% is split betwen dealing with data input errors and output data exception handaling. The more errors and exceptions you deal with the larger the resources required.
As for the rest the answer is still no. So you can see that no OS is going to be secure against all new attack vectors.
As for the known and predictable attack vectors you have some protection with methodical design, and some by chance, but no 100% systems (think OpenBSD etc).
However if you also include side channel attacks then no a unix like OS is most definatly not secure.
To really talk about is something secure you have to be able to very preciscly specify against what. Then you can test for it otherwise you are crossing your fingers and spitting into the wind.
Thanks for comment.
"Thanks for playing, try again real soon."
Well yes, why not - considering that my firewalll log tells me that lots of people from all over the world are trying to play games with me.
Open source and Linux will NOT be your security salvation, not by yourself.
There are two reasons Linux users have less security problems right now:
1. The population is small, so it's not as profitable a target.
2. The Linux systems tend to be run by more-clued users than the Windows systems.
If everyone uses Linux, both of these advantages go away.
``Open source and Linux will NOT be your security salvation, not by yourself.
There are two reasons Linux users have less security problems right now:''
Hmm, well, while it is true that a Linux virus could be spread by email, having an operating system that was designed to be multi-user and to not require administrative privileges to do most stuff would limit the damage it could do. Also, there's SELinux, with only a few analogs in the Wintel world.
Also, our document formats don't normally include the ability to execute arbitrary code, arbitrary scripts, and external programs. And the document formats are, well, documented, so the barrier to entry in inspecting them is much lower. Can YOU tell if a Word document contains hostile content? I can tell if a postscript file contains file-manipulation operations with nothing more than a look at it.
Fundamentally, when you buy into proprietary OSes and documents, you cede control to the vendor. You can't know it is secure, because it's cost-prohibitive to even inspect the smallest part of it.
The answer is easy: instead of trying to enumerate all the bad things, only allow what you know to be good. I don't use a browser to read email. If someone wants to communicate with me, they can send an email instead of a web page. While there may be attacks against the terminal drivers, I wager there's not very many of them. Default deny. Enumerate what the system can do, and don't allow for arbitrary expansion without a re-evaluation. ActiveX, flash, I'm talking to you.
Misuse detection is playing catch-up. Anomaly detection is the only sensible defense to one-off or custom attacks. The A/V companies of the world make a killing off of protecting against yesterday's malware, and selling subscriptions. If they offered an anomaly detection system, there's less need to become part of the stable revenue stream that subscriptions generate. Much like how the pharmaceutical companies are more interested in selling treatments than cures. It's all economics.
My anti-virus has stopped one incident in like... ten years. I don't think I'm going to renew.
All the replies to God Loves Pizza are the same, continued What If and imaginary speculation mode fantasy. How pathetic
Glad I use Linux and not some closed source piece of shit rob your soul satan spawn of a convicted monopoly
"Glad I use Linux and not some closed source piece of shit ..."
Pretty strong language there. Were you feeling a little emotional when you wrote that?
After a bit of reflection, I am willing to concede that Linux is (all considered) more secure than Windows, especially SELinux, but there is a lot more to it than simply choosing an OS. You can lock down Linux and lock down Windows. You might be surprised how tough Windows is when it's configured properly (essentially, this means disabling/removing unnecessary protocols and not using common MS software such as IE, Outlook). Every Windows user I know (other than my father who has been advised by me) uses an Admininstrator logon for browsing the Net on their home machine!
IMHO, the most important thing is to understand the technology and security issues associated with modern Operating system. The more you know, the more secure you will be. Open source or not.
On occasions, I have been lectured by UNIX admins about how much better UNIX is than Windows ... Upon further investigation, it transpired that their precious OS hadn't been patched in years or they were using easily accessible batch files with (plain text) passwords embedded or something else equally dumb. I am tired of listening to smug UNIX/Linux sysadmins who know nothing about contemporary security issues.
If you are a knowledgeable, experinced Linux user who has studied OS security pros and cons then picked Linux, well I salute you. If you haven't taken the time and trouble to swot up a bit before flaming this "pathetic" Windows user then please reconsider.
Knowledge is power; dogma is ignorance.
Hey. So, I heard you guys were talking about me, and I thought I'd chip in...
I'm a kernel. I'm not a full operating system. If you dispute that, try running me alone and see how useful I am.
Now, there are a lot of operating systems built with me as a part of them, and that's cool, but let's be real. How secure those operating systems are depends largely upon all the extra stuff in those systems.
How am I supposed to tell when something is a malicious RAT, and when it's just something you've put on your computer to make updating your cat blog from your smartphone easier?
For that matter, why do you even assume stuff like that is in my job description (it's not)?
Yeah, there are security measures in place in my part of the system. But even those depend largely upon configuration files. It's on you to make sure those files aren't screwing you over.
Malware gets written for systems running on me, and it gets deployed. The fact that people generally don't bother to write and deploy it shouldn't make you feel smugly superior.
At the end of the day, most of security comes down to you, and that's just how it is. You can't just choose an O/S and think "Good. Job done. On to the next thing...". If you install a browser that routes all your traffic through a malicious server, that ain't my problem, because how am I supposed to know you don't own that server? See, it's stuff like that.
Stop praising me because you have managed to stumble through computer use without hurting yourself, and, by the same token, don't blame me if the stumbling doesn't work out for you.
Your best defense against the hordes of ./hack jackasses isn't me, it's you. What you know is what helps you most. Be informed.
...Now, if you'll excuse me, bob has requested a file, and I'll be damned if I don't serve it to him.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.