>> TREND MICRO: TARGETED ATTACKS

Targeted Attacks
The story of a real-life attack illustrates that it's a lot easier than most people realize
for a determined attacker to wreak havoc, especially when the targeted systems
aren't fully prepared
A Special Report by Dave Chappelle for Trend Micro

A criminal or group of criminals sent an email inviting recipients to visit a Web site (Step 1). Some
recipients chose to visit that Web site (Step 2). Unbeknownst to the Web site visitors, their computers
were infected with downloaders (Step 3). Once the downloaders were installed, the criminals had a
conduit allowing them to listen to traffic over whatever network the infected computers were connected to.

“They really don’t need control of an entire network; they only need a way to gather or modify
information, and it only takes one compromised computer for that to happen,” said Jamz Yaneza.

“They look for spreadsheets, find a few numbers, and add a few zeroes. If this was a bank, they could
go in and add a few zeros to their own account balances. With that approach, it doesn’t look like the
work of a criminal organization, but like that of a very bad employee.”

This story actually took place. The event likely originated as an email with a link to a Web site that
contained some malicious code. In one case an employee in a specific company in Malaysia visited
such a Web site and clicked on a link, which triggered a downloader that dropped files on the
unknowing employee’s computer.

If up-to-date antivirus had been installed on the employee’s computer, the downloader would have been
detected. But that wasn’t the case here. The company was using only a single product, not
a security suite or appliance. There was no blocking at the gateway. There weren’t multiple layers of
protection, and the employee’s company was now under the control of whoever owned the
malicious Web site.

“The initial downloader had a random character generator,” said Jamz. “Every time it went to that Web
site, new parameters were used at the end of the link, so that when the parameter changed, the type
of download also changed.”

There was a program running on the Web site that used input supplied by the downloader to determine
the type of file that would be downloaded.

“We saw downloaders, backdoors, spyware; it changed every time,” said Jamz.

“It was so malware cloak-and-dagger; a feint within a feint within a feint. It was difficult to defeat,
because every time there was a new download, there was a higher probability it wouldn’t be detected,
because it was new, and often encrypted.”
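The behaviour just described, a downloader that re-fetches the same link with fresh random parameters and receives a different payload each time, leaves a recognisable trace in HTTP proxy logs, which is also where gateway-side inspection of Web traffic would act. The following is an added example, not code from the original report or from Trend Micro, that flags that pattern; the log layout, field order and host names are assumptions, and the sample lines are constructed.

```python
# Added example (not Trend Micro's code): spot the "new parameters, new payload"
# download pattern in HTTP proxy logs. Log layout is an assumption:
#   <client_ip> <url> <bytes> <sha256_of_response_body>
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log: 10.0.0.5 fetches the same script repeatedly, each
# time with a fresh random query value and a different response body; 10.0.0.7
# is ordinary browsing (repeat fetch of one page, same body each time).
SAMPLE_LOG = """\
10.0.0.5 http://badsite.example/get.php?x=f3a9c1 48120 aa11
10.0.0.5 http://badsite.example/get.php?x=7b2e44 51233 bb22
10.0.0.5 http://badsite.example/get.php?x=c0d3ee 39876 cc33
10.0.0.7 http://news.example/index.html 10240 ee55
10.0.0.7 http://news.example/index.html 10240 ee55
10.0.0.7 http://news.example/index.html?page=2 9000 ff66
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (\S+)$")


def parse_line(line):
    """Return (client, host, path, query, body_hash), or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, url, _size, body_hash = m.groups()
    u = urlsplit(url)
    return client, u.netloc, u.path, u.query, body_hash


def find_rotating_downloads(log_text, min_requests=3):
    """Return (client, host, path) triples where a client fetched one path at
    least min_requests times, never reusing a query string, and every response
    body hash differed: the rotating-downloader behaviour described above."""
    seen = defaultdict(lambda: ([], []))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, host, path, query, body_hash = rec
        queries, hashes = seen[(client, host, path)]
        queries.append(query)
        hashes.append(body_hash)
    hits = []
    for key, (queries, hashes) in seen.items():
        n = len(queries)
        if n >= min_requests and len(set(queries)) == n == len(set(hashes)):
            hits.append(key)
    return sorted(hits)
```

Requiring the response hashes to differ as well as the query strings is what keeps a benign page that merely rotates a cache-busting parameter, but returns the same body, from being flagged.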

Copyright 2006 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the t-ball logo are trademarks or registered
trademarks of Trend Micro, Incorporated. TrendLabs is a service mark of Trend Micro, Incorporated. All other company and/or
product names may be trademarks or registered trademarks of their owners. Information contained in this document is subject to change
without notice.

These types of standard threats can be prevented with the ability to scan packets coming through Port 80,
the browser (HTTP) port. A firewall wouldn’t have stopped this attack, as firewalls are usually set to
allow browsers access to web pages.

“It’s difficult for ecommerce to block web access, because everybody needs to surf,” said Yaneza.

While the victims in Malaysia viewed this as a targeted attack, it wasn’t. A few unprotected
organizations in other countries also experienced the same attack.

A targeted attack is dependent on neither the size nor the number of potential victims. A virus such as
Blaster was a targeted attack that flooded the Microsoft.com update center. But Blaster had no
financial gain.

When an attack is targeted at a certain audience, the scope can be huge or small, depending on the
number of potential victims. Aiming a threat at Citibank, Amazon, or PayPal customers would provide
a very big group of potential victims. But if it were a local bank, say Rural Bank of Whatever County, it
would only be a few hundred people.

The attack success rate increases proportionately with the size of the company or industry being
targeted. If more people are targeted, it’s likely more will be tempted to open an email or click on a
link.

The components of a targeted attack are not limited by any single technique. A targeted attack can
gather passwords. It can be done once, by moving huge sums to an offshore bank account; or slowly,
in small amounts. SoBig came in as a worm, and dropped a backdoor that terminated itself after a few
days. That is an example of malware having a timed limitation on activity.

An attacker must determine the goal of an attack before launching it: target acquisition (Step 3); data
transmission or modification (Step 4); and entrenchment or self-termination (Step 5).

How long will that attack go on? Is the desired result a regular income stream or a lump sum? After the
goal has been achieved, the attacker’s exit strategy can be to delete the payload and disappear.

To protect yourself from targeted and broad-based attacks, ensure your security software is
up-to-date. If you manage a network, be sure to have a solution in place that blocks malware at the Internet
gateway. And don’t rely strictly on technology to keep your system safe. Delete emails from strangers
and don’t click on strange links sent from those you don’t know.

About Trend Micro Incorporated

Trend Micro Incorporated is a pioneer in secure content and threat management. Founded in 1988,
Trend Micro provides individuals and organizations of all sizes with award-winning security software,
hardware and services. With headquarters in Tokyo and operations in more than 30 countries, Trend
Micro solutions are sold through corporate and value-added resellers and service providers worldwide.
For additional information and evaluation copies of Trend Micro products and services, visit our Web
site at www.trendmicro.com.