More Targeted Trojan Attacks Detected as Trend for Industrial Espionage Continues


MessageLabs, the leading provider of email security and management services to businesses, recently intercepted some more malware attacks that appear to be an attempt to gain unauthorised access to a network of specifically targeted domains.

1) 'Troj/Delf.ZN'
This email-borne Trojan attack followed a similar profile to attempts previously encountered by MessageLabs, whereby only a small number of mails (17 copies in this case) containing the malicious software were transmitted to a highly targeted list of recipients at only four domains.

The majority of the emails were bound for addresses at one particular international organisation that operates in the global security arena. This is the second time that MessageLabs has intercepted attacks aimed at this organisation over the last month.

Using text content potentially relevant to the target audience, the email encouraged the intended recipients to open an attached Word document claiming to provide further information. This Word document contained an embedded UPX-packed Trojan; the packer compresses the EXE file in order to make it harder for anti-virus software to detect. The attack exploits a vulnerability in Microsoft Word caused by a buffer overflow when handling macro names: the Word document contains an over-long macro name which overflows a buffer, allowing the embedded Trojan to execute (see Microsoft Security Bulletin MS03-050).

Mark Sunner, Chief Technology Officer at MessageLabs: "Some content-based filters may be able to recognise a malformed macro name or a similar exploit condition within such a document, and therefore remove the macro (and 'defang' the exploit); however, there are some buffer overflow exploits found in similar Word documents (such as a VBE exploit - http://www.eeye.com/html/Research/Advisories/AD20030903-2.html) that cannot be safely removed, which is why it's always more effective to dump the entire document. By just removing the exploit, it can still leave the embedded malware present in the document."

Email characteristics:

Subject lines: FW : 0627

Body Text:

THE TIMES OF INDIA
Monday, June 27, 2005
China's new JL-2 missile prevents US from the Taiwan affairs
China has successfully flight-tested a submarine-launched missile that U.S. officials say marks a major advance in Beijing's long-range nuclear program. The Bush administration has expressed new worries about China's military buildup.
The JL-2 missile was launched from the new submarine, known as the Type 094, said a U.S. official familiar with it.
(Details in the attachment)

2) 'Backdoor.Win32.Dumador.cy'
MessageLabs also detected 947 copies of an FSG-packed information-stealing Trojan up to the morning of June 28th. The Trojan is 21008 bytes in size and has an MD5 of d6784ef4d6d8e180f5aa26873411c703 (packed). On execution the Trojan installs itself into the Windows system directory (using the file name winldra.exe) and modifies the registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" so that the dropped Trojan automatically restarts when the computer is rebooted.
The Trojan monitors Internet Explorer and starts logging keystrokes when the user accesses a site whose URL contains any of various key words, including 'gold', 'bank', 'paypal' and 'ebay'.
The executable may have been released by a far-right VX group, as it does contain strings such as 'CYBERFASCISM' and 'ein Volk, REICH Fuhrer!'.
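An added host-side check for the persistence indicators described above (example code written for this article, not MessageLabs' tooling): it flags any HKLM Run value that launches winldra.exe and compares the file on disk against the published size and packed MD5, reporting a size/hash mismatch separately so a repacked variant is not silently passed. The value-parsing rule (a bare or quoted path with no arguments) and the function names are assumptions; read_run_key_from_host() only works on Windows, while the core check takes its inputs as plain arguments so it can run anywhere.

```python
import hashlib
import ntpath
from typing import Callable, Dict, List, Mapping, Optional

# Host indicators quoted in the write-up for Backdoor.Win32.Dumador.cy
DUMADOR_FILENAME = "winldra.exe"
DUMADOR_MD5 = "d6784ef4d6d8e180f5aa26873411c703"   # MD5 of the packed sample
DUMADOR_SIZE = 21008                               # bytes
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"  # under HKLM


def check_run_entries(run_values: Mapping[str, str],
                      read_file: Callable[[str], Optional[bytes]],
                      expected_md5: str = DUMADOR_MD5) -> List[Dict[str, str]]:
    """Flag Run-key values whose command launches winldra.exe.
    run_values maps value name -> command string as stored under the Run key.
    read_file(path) returns the file's bytes or None if unreadable; it is
    injected so the check can be exercised with constructed data."""
    findings = []
    for name, command in run_values.items():
        # Assumption: the value is a bare or quoted path with no arguments.
        exe_path = command.strip().strip('"')
        if ntpath.basename(exe_path).lower() != DUMADOR_FILENAME:
            continue
        data = read_file(exe_path)
        if data is None:
            verdict = "name-match-only (file unreadable)"
        elif len(data) == DUMADOR_SIZE and hashlib.md5(data).hexdigest() == expected_md5:
            verdict = "hash-match"
        else:
            # Same dropper name but different bytes: treat as a possible variant or repack.
            verdict = "name-match (size/hash differ: possible variant)"
        findings.append({"value": name, "path": exe_path, "verdict": verdict})
    return findings


def read_run_key_from_host() -> Dict[str, str]:
    """Enumerate the HKLM Run key on a live Windows host (winreg is Windows-only)."""
    import winreg
    values: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_SUBKEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once every value has been enumerated
                return values
            values[name] = str(data)
            index += 1
```

On a Windows host, `check_run_entries(read_run_key_from_host(), lambda p: open(p, "rb").read())` runs the check against the live Run key.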

Email characteristics:

Subject lines: <blank>
Body Text:
Hi, cehck the attahcment, i'ts hliarious! :)
Your pass is qwerty
Have fun!

Detection
MessageLabs detected both Trojans proactively, using its unique and patented Skeptic(tm) predictive heuristics technology.

MessageLabs Trend Analysis
According to trend analysis of MessageLabs Intelligence data, there has been a gradual increase in targeted email attacks against businesses and organisations over the last year. The U.K.'s NISCC (National Infrastructure Security Coordination Centre) has also issued a warning about the threat these industrial-strength attacks pose to governments and large corporates.

Mark Sunner, Chief Technology Officer at MessageLabs, comments:
"The motivation behind today's new email-borne threats is far more sinister than traditional methods of large-scale attacks. New criminal methods show a preference for selecting a particular target, whether an individual or an organisation, to attack for perhaps financial or competitive gain. The architects behind the bespoke Trojan attacks we are witnessing aim to steal confidential corporate information and intellectual property. Such a breach of information could have had far-reaching implications."

"In this evolving environment of customised attacks, organisations must adopt a more holistic approach to email security management; implementing stringent, formalised email security policies, alongside truly multi-layered, proactive technology measures to ensure protection against all known and unknown threats. As we have seen already, a reactive, signature-based approach will not offer any protection in these circumstances."

28.06.2005, Contentmanager
