The new breed of trojans

By on

A sinister new trend is emerging, with specially crafted trojans targeted at individual companies. The threat reveals the use of malware in industrial or even state-sponsored espionage.

Unlike the traditional virus outbreak, where millions of viruses pass through the internet randomly looking for new hosts to infect, this threat is aimed at a small number of domains and recipients, leading at least one expert to think criminals are stealing confidential data to order.

"The architects [of] the attacks we are witnessing aim to steal confidential corporate information and intellectual property," said Mark Sunner, CTO at MessageLabs.

The trojans are designed with the express intention of not only getting into a specific company, but also onto specific computers. Such trojan variants are seen only once or twice before they disappear.

By contrast, traditional trojan attacks can be measured in the millions.

Alex Shipp, senior antivirus technologist at Messagelabs, revealed that one target was an aerospace company. The anatomy of the trojan showed that its intention was to seek out computers with CAD software installed.

"It looked as if the attacker was looking for technical drawings," said Shipp.

Similar attacks have also targeted government departments, finance institutions and human rights organizations.

A common thread in all the infected emails is that they contained Word documents. Macro viruses are well known, but these mailed files contain no macro code – instead, the Word file is malformed, which causes a buffer overflow thread (via a VBE exploit) which creates the trojan from code elsewhere in the file. This code is also encrypted in order to avoid detection.

Other experts believe that because the threat was small in number, although significant in nature, it is hard to stop.

"These new threats are almost invisible. Unlike spam, they don't want to be found," said Mark Murtagh, technical director at Websense. "Just because you can't see them doesn't mean they aren't there."

One way to deal with them is to secure endpoint devices to allow only trusted applications to run, and disallow connections to dubious sources.

But Murtagh urged caution in locking down devices – users still need the flexibility to work.

Copyright © SC Magazine, US edition

Most Read Articles

Log In

|  Forgot your password?