Malware attacks that exploit vulnerabilities in popular software in order to compromise specific target sets are becoming increasingly commonplace. Prior to the highly publicized Aurora attack on Google and at least 20 other companies, targeted malware attacks have been taking place and continue to affect government, military, corporate, educational, and civil society networks. While such attacks against the U.S. government and related networks are well-known, other governments and an increasing number of companies are facing similar threats.

Earlier this year, the Canadian, South Korean, and French governments have all experienced serious security breaches into sensitive networks. Recently, the European Commission and the External Action Service were also compromised. There have also been acknowledged security breaches at security firms RSA and Comodo, which at least in the case of RSA, appear to be the result of targeted malware attacks.

Technically sophisticated or simply well executed?

Such attacks are almost always described as sophisticated or targeted, adjectives which have basically become synonymous with successful. The statements issued after breaches often suggest that attackers knew exactly what to exploit and, in some cases, exactly what they were looking for. It is difficult to assess such claims solely based on the murky details that publicly emerge. Therefore, I am not suggesting that such characterizations are necessarily incorrect. Rather, I am suggesting that the level of targeting and sophistication are results of prior knowledge gained by the attackers and not necessarily caused by some technical brilliance with regard to the tools and methods used.

While most Internet users will never become victims of targeted attacks and are more likely to face common threats such as fake security software (FAKEAV) and banking Trojans (ZeuS, SpyEye), there continues to be a steady stream of malware samples linked to targeted attacks. However, the actual level of targeting varies considerably. Some malicious actors generate more “noise” than others. While they do send out malicious documents, often leveraging specific themes and issues for social engineering, these are received by a relatively large number of potential targets. They are certainly not targeted to the level of an individual or even of an organization. However, such attacks may simply be the precursor to much more specific, targeted attacks.

Laying the groundwork

A recent sample, which I received via, illustrates the level of reconnaissance that “noisy” attackers can generate. The malware sample was a .CHM file that exploits Microsoft HTML Help. The malware, detected by Trend Micro as CHM_CODEBASE.AG, drops BKDR_SALITY.A and proceeds to generate network traffic with well-known BKDR_SALITY.A servers.

However, the malware made another set of network connections to win{BLOCKED}. The Web page accessed on this server contains JavaScript code that uses the res:// protocol to enumerate the specific software on the compromised computer and submits the listing to win{BLOCKED}. This method of using the res:// protocol to enumerate installed software was documented by Billy Rios in 2007. Rios explains that the res:// protocol, which has been built into Internet Explorer since version 4.0, can be used to remotely detect specific software present on a computer by simply getting a user to visit a Web page from a browser. As Rios notes, this technique can be used to identify specific applications in order to select an appropriate exploit. It can also be used to detect the presence of specific drives. Years later, this technique is still effective.

The script at win{BLOCKED} detects an extensive list of software:

• Microsoft Office (Word and Outlook) from Windows 97 through to 2010
• Adobe Reader (7.0 to 9.3)
• Adobe Flash Player
• Java
• Instant-messaging programs (Skype, Yahoo! Messenger, MSN, Google Talk, and QQ)
• Programming and graphics tools (Delphi, .net, Photoshop, and Dreamweaver)

It also checks for file-sharing programs, Web browsers, remote administration tools, email clients, download managers, and media players. Security software is also detected, including major antivirus products and personal firewalls, as well as the PGP encryption software. In addition, it checks for virtual machine software and tries to detect whether it is running inside VMware. Finally, it checks for Microsoft updates from KB842773 through to KB981793.
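As an added defender-side example (not code from the original post or from Trend Micro), the following Python script scans a captured Web page for res:// probes of the kind described above and summarises what the page is trying to learn about the visitor. The sample page, its file paths and the keyword table are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample (not the real win{BLOCKED} page): a script that probes local
# files through res:// and reports which ones loaded. Paths are illustrative.
SAMPLE_HTML = r"""<script>
function chk(u){var i=new Image();i.onload=function(){hit(u)};i.src=u;}
chk("res://C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe/#2/#1");
chk('res://C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe/#2/#1');
chk("res://C:\\WINDOWS\\$NtUninstallKB842773$\\spuninst\\spuninst.exe/#2/#1");
chk("res://C:\\Program Files\\PGP Corporation\\PGP Desktop\\PGPtray.exe/#2/#1");
chk("res://C:\\Program Files\\Skype\\Phone\\Skype.exe/#2/#1");
</script>"""

# A res:// URI names a local file plus a resource type/ID (the "/#2/#1" suffix).
RES_URI = re.compile(r"""res://([^"']+)""", re.IGNORECASE)

# Keywords (assumed, not exhaustive) that tell us what each probe would leak.
CATEGORIES = {
    "security": ("pgp", "antivirus", "firewall", "kaspersky", "mcafee", "symantec"),
    "virtualization": ("vmware", "virtualbox", "vbox"),
    "patch_level": ("ntuninstallkb",),
    "document_reader": ("adobe", "acrord32"),
    "messaging": ("skype", "msn", "yahoo", "gtalk", "qq"),
}

def extract_probes(html):
    """Return the local file paths that a page tries to load via res://."""
    probes = []
    for uri in RES_URI.findall(html):
        # Drop the resource suffix and unescape the JS string's backslashes.
        probes.append(uri.split("/#", 1)[0].replace("\\\\", "\\"))
    return probes

def classify(path):
    """Map a probed path to the category of information it would reveal."""
    low = path.lower()
    for category, words in CATEGORIES.items():
        if any(w in low for w in words):
            return category
    return "other"

def assess(html, threshold=3):
    """Flag a page as fingerprinting when it probes several local files."""
    probes = extract_probes(html)
    return {
        "probe_count": len(probes),
        "categories": dict(Counter(classify(p) for p in probes)),
        "patches_checked": sorted(set(re.findall(r"KB(\d+)", html))),
        "fingerprinting": len(probes) >= threshold,
    }
```

Run over proxy or sandbox captures, a hit on the security or virtualization categories is the signal worth alerting on, since those probes have no legitimate use in an ordinary Web page.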

This malware sample is admittedly odd because it conducts these checks after the user’s computer has already been compromised. If this were being used for profiling, wouldn’t it have been done before the attack? One possible explanation is that the attackers are deliberately sending out “noisy” attacks hoping that administrators would simply clean compromised systems and move on. However, by then, the attackers would have a profile of the machines in the organization that was compromised. They will know the preferred antivirus products, the specific versions of installed software, and other information that they can use to stage a targeted attack in the future. When the attackers are ready, they will stage an attack aimed at acquiring specific data. The attackers will know exactly what versions of what software to exploit in order to compromise the target. The attack will be characterized as sophisticated and targeted because prior information about the organization helped make it successful.

© Copyright 2013 Trend Micro Inc. All rights reserved.