    Author Archive - Bakuei Matsukawa (Senior Threat Researcher)

    By now, most IT administrators are aware that their networks and systems may require defenses against targeted attacks carried out by well-equipped, knowledgeable attackers. As companies prepare their plans for the upcoming year, some may ask: how does one develop a strategy on how to help defend against these attacks?

    Earlier today, Japan’s Information Technology Promotion Agency (IPA) released a guide titled System Design Guide for Thwarting Targeted Email Attacks. The IPA is under the Ministry of Economy, Trade and Industry (METI) and is responsible for promoting information technology, including security best practices, in Japan.

    This multipage document provides administrators with an in-depth strategy for helping deal with these attacks. While implementation details are left to IT departments to consider, the document provides ten separate steps that administrators can consider to help secure their networks.

    In addition, the document does not consider purely technical concerns alone: it is the work of malware analysts, security operations center (SOC) operators, researchers, forensic analysts, penetration testers, operations managers, and crisis managers. This multidisciplinary approach ensures that all aspects of a potential attack can be recognized and the appropriate countermeasures and defenses put in place.

    One aspect of targeted attacks that is useful to understand is that the attackers have a clear goal in mind – i.e., to infiltrate the networks of the target and acquire information. By understanding their goals and their psychology, it becomes easier to understand the tactics of attackers. This makes it easier to defend or detect their attacks, as well as force attackers to make mistakes.

    Representing Trend Micro, I was part of the group that created this document; our expertise in malware, threat intelligence, and targeted attacks was useful in crafting effective techniques against these new threats.

    Many countries – including Japan – have had government agencies and companies within their borders face targeted attacks. The response to these attacks has frequently been full of difficulties and challenges, making the task of attackers easier. We believe that documents like this that allow organizations to respond in a reasoned, systematic manner are valuable in reducing the threat from targeted attacks.

    Posted in Targeted Attacks | Planning for 2014: A Guide To Targeted Attack Defense

    In the process of investigating and analyzing targeted attacks, we have seen that attacks which may not be related at first glance may in fact be linked; conversely, attacks that may seem unrelated may turn out to be connected. Knowing which is which can provide useful information in determining how to respond to an attack.

    Why Are Separate Attacks “Related”?

    Before a cybercriminal or threat actor can launch an attack, many things have to be prepared in advance. The list of recipients has to be compiled, command-and-control (C&C) servers brought online, malware payloads chosen, and so on. Ideally (from the attacker's point of view), each attack would use fresh infrastructure and tooling, but that isn't the case: attackers are just as prone as anyone else to reuse items or tactics that have worked before. Knowing these similarities between attacks can help determine what an appropriate response is.

    There are many ways that seemingly independent attacks can be correlated, but here are some of the most common ones:

    1. Same IP address sends different email messages
    2. Same email address sends different messages
    3. The same malware is attached to different messages
    4. Multiple (similar) backdoors use the same C&C server
    5. Different backdoor types use the same C&C server
    6. Multiple domains registered using the same email address
    7. Similarities in the way command-and-control network traffic is organized
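    One way to put the indicator types listed above to work is to treat each shared value (sender IP, sender address, malware hash, C&C host, registrant e-mail, and the malware mutex discussed later in this post) as a link and cluster attacks transitively. The example below is added here and is not code from the original post; the attack records and every value in them are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample records (hypothetical, not real incidents): one value per
# indicator type from the list above, plus the malware mutex. All placeholders.
ATTACKS = {
    "A1": {"sender_ip": "198.51.100.7", "sender_email": "hr@example.net",
           "malware_sha256": "sha256-placeholder-1", "c2": "cdn-update.example",
           "registrant": "reg-a@example.org", "mutex": "MTX_A"},
    "A2": {"sender_ip": "203.0.113.9", "sender_email": "jobs@example.net",
           "malware_sha256": "sha256-placeholder-2", "c2": "cdn-update.example",
           "registrant": "reg-a@example.org", "mutex": "MTX_B"},
    "A3": {"sender_ip": "203.0.113.44", "sender_email": "news@example.net",
           "malware_sha256": "sha256-placeholder-3", "c2": "files-sync.example",
           "registrant": "reg-a@example.org", "mutex": "MTX_A"},
    "A4": {"sender_ip": "192.0.2.77", "sender_email": "it@example.com",
           "malware_sha256": "sha256-placeholder-4", "c2": "status.example",
           "registrant": "reg-z@example.org", "mutex": "MTX_Z"},
}

def correlate(attacks):
    """Cluster attacks that share any indicator (transitively) and return
    (clusters, evidence): clusters as sorted lists of attack ids, evidence as
    (indicator_type, value, [attack ids]) tuples for every shared value."""
    parent = {aid: aid for aid in attacks}
    def find(x):  # union-find root lookup with path compression
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    by_indicator = defaultdict(set)  # (type, value) -> attacks where it was seen
    for aid, indicators in attacks.items():
        for kind, value in indicators.items():
            by_indicator[(kind, value)].add(aid)
    evidence = []
    for (kind, value), ids in by_indicator.items():
        if len(ids) < 2:
            continue  # an indicator seen only once links nothing
        ids = sorted(ids)
        evidence.append((kind, value, ids))
        for other in ids[1:]:  # union every attack sharing this value
            ra, rb = find(ids[0]), find(other)
            if ra != rb:
                parent[rb] = ra
    clusters = defaultdict(list)
    for aid in attacks:
        clusters[find(aid)].append(aid)
    return sorted(sorted(c) for c in clusters.values()), sorted(evidence)
```

The evidence list is what matters for response planning: it says which specific reused value tied two attacks together, which is easier to review than the cluster alone.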

    How can this information be used?

    Typically, organizations face two kinds of threats: highly sophisticated attacks that target them specifically, or more “random” attacks that are aimed at wider audiences. It can be difficult to tell just by examining the specifics of a particular attack which it is, but examination of the similarities above – using additional information provided by the Smart Protection Network – may be useful. It’s best to illustrate this with a hypothetical example.

    A company received an apparently targeted email that contained a malicious attachment. The malware that was installed tries to contact an external C&C server for instructions using HTTP. It would appear, at first, that this was a sophisticated targeted attack.

    However, more in-depth analysis would reveal that the malware only accessed two files on the C&C server: /kc1/data.bin and /kc1/gate.php. Accessing two files located in the same directory with the .BIN and .PHP extensions is common behavior for ZeuS/ZBOT variants. In addition, the domain of the C&C server was registered using an email address that was also used to register another domain on the well-known ZeuS Tracker blacklist. All this strongly suggests that it was not a sophisticated attack, but instead a more ordinary ZeuS/ZBOT infection. This can still pose a threat, but it is of a different nature compared to a sophisticated attack.
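    The .BIN-plus-.PHP pattern described above can be checked over outbound web logs. The function below is an added example, not code from the original post: it groups requests by client, host and directory and reports directories from which the same client fetched both file types. The log lines, host names and client addresses are constructed; only the /kc1/data.bin and /kc1/gate.php paths come from the post.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log excerpt (not real traffic): "<client> <method> <url>"
PROXY_LOG = """\
10.0.0.12 GET http://update-host.example/kc1/data.bin
10.0.0.12 POST http://update-host.example/kc1/gate.php
10.0.0.15 GET http://cdn.example/assets/app.js
10.0.0.15 GET http://cdn.example/assets/data.bin
10.0.0.21 POST http://other.example/api/gate.php
"""

def zbot_like_directories(log_text):
    """Return {(client, host, directory): sorted file names} for every case in
    which one client fetched both a .bin and a .php file from the same
    directory on the same host, the combination the post associates with
    ZeuS/ZBOT C&C traffic."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than guess at them
        client, _method, url = parts
        u = urlsplit(url)
        directory, _, filename = u.path.rpartition("/")
        seen[(client, u.hostname, directory or "/")].add(filename.lower())
    hits = {}
    for key, files in seen.items():
        exts = {f.rsplit(".", 1)[-1] for f in files if "." in f}
        if {"bin", "php"} <= exts:
            hits[key] = sorted(files)
    return hits
```

A hit is a lead, not a verdict: as in the post, it is the combination with the registrant-email overlap that supports the ZeuS/ZBOT conclusion.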

    This information can also be used to gauge the seriousness of an attack. For example, in October, we found a new Poison Ivy variant (BKDR_POISON.AB) had infected 15 different machines, belonging both to individuals and various organizations. What we also found was that there had been a similar attack earlier in the year which distributed a very similar Poison Ivy variant (BKDR_POISON.BJX). Similarities included the malware’s mutexes and the emails used to spread the attack.

    From there, one can conclude that neither attack was meant to directly target any particular victim, but rather to gather information across a wide number of possible targets that could be used for more direct attacks at a later time.

    The links between attacks can also be used to discover other potential attacks. For example, examining the email and IP addresses linked to domains used as C&C servers in a current attack can lead to other domains. The added information can be used as indicators for potential attacks that may not have been detected at the time.


    Gathering information about the connections between attacks can reveal much about the attacks in the first place. Organizations that use this kind of threat intelligence can use it to gain a more accurate picture of the attacks facing them. It can reveal that apparently unrelated attacks may turn out to be related, and have been launched by a single group of attackers. Alternately, it can make clear if an organization is under attack from multiple groups – which may or may not be working together. Whatever the case, this kind of information can be useful in creating a proportional response to threats.

    For more discussion of malicious network traffic, you can read our report titled Malicious Network Communications: What Are You Overlooking?


    Posted in Targeted Attacks | What Connections Between Attacks Say About Them


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice