Most of the things our industry has learned about targeted attacks were realized the hard way: through analysis of successful attacks. Our realizations have so far revealed just how unfamiliar we are with the “battle ground” we are currently in, and how that unfamiliarity has caused the industry to be unable to understand what is needed to deal with such attacks. But why is this so? Do the attackers really have the upper hand? The answer, unfortunately, is yes.

Unfair Advantage

To put it simply, attackers have a greater level of control and a wider range of resources. They get to decide on the very nature of the threat — how and when the attack will play out. They can employ the use of the numerous tools available on the Internet, including legitimate services. More importantly, they can get intelligence on what they are up against – they can do research on the target and find information that can make infiltration easy and almost undetectable.

And while attackers are able to utilize such flexibility, targets, on the other hand, are faced with multiple limitations that even by themselves are already difficult to manage. With the dawn of consumerization and rise of mobile computing, it is already a big struggle for companies to identify their own network, even more so to protect it. They can only do so within the limitations of available strategies, whatever control they have over the network, and the awareness of their people.

Read the rest of this entry »

In our Security Predictions for this year, Trend Micro CTO Raimund Genes predicted that the evolution of conventional malware will only gradually evolve. Instead of distributing new threats, malware authors will focus more on refining tools and how these attacks are conducted.

In particular, we will be seeing certain developments in their stealth tactics to avoid efforts done by security researchers and vendors. The perfect example of these developments is the release of Blackhole Exploit Kit (BHEK) 2.0, which was a direct response to successful efforts to block previous BHEK versions.

These past days, we were alerted to the following string of incidents, in which old malware variants and threats incorporate certain tricks in an attempt to prevent detection.

• Certain versions of Kelihos (detected as BKDR_KELIHOS.NAP) recently surfaced in the wild. Reports indicate that this Kelihos variant initiates a SleepEx function. With this sleep function, the malware becomes inactive during a particular time frame, which in effect can prevent automated detection to capture its malicious routines. Both Kelihos and extended sleep calls routines are not new in the threat landscape, however, when combined can be a potent threat that users should be wary of.

Read the rest of this entry »