Targeted malware attacks: The new normal

Hackers target more than government agencies and defense contractors, according to briefing at Black Hat conference

Stealthy, targeted attacks aren't just for defense agencies and high-tech giants like Google, according to researchers from managed security services firm TrustWave's Spider Labs research group. In a talk at the annual Black Hat Briefings in Las Vegas, Nicholas Percoco and Jibran Ilyas said that so-called "advanced persistent" attacks are becoming more common and target even midsized businesses without significant intellectual property.

The researchers' presentation, "Malware Freak Show 2010," presented data culled from scores of TrustWave customer engagements during the past year. In many, the managed services firm was engaged to assess the security of a new customer's network. The researchers said that increasingly they were finding unique malicious programs designed specifically for that network.

[ Also on InfoWorld: Hackers at Defcon target cell phone security. | Get your systems up to snuff with InfoWorld's interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]

"Targeted malware is the norm, not the exception," said Percoco.

The customer engagements profiled by the two researchers spanned the gamut -- from a large provider of VoIP communications and a defense contractor, to a small Miami sports bar favored by professional athletes and celebrities. While the types of attacks they uncovered weren't novel, in each case the researchers said they found that attackers had made significant improvements to the malware they deployed -- all with a goal of avoiding detection and maintaining a foothold on their victims' networks.

Advancements in malware authoring and testing before deployment, more automation of functionality, and anti-forensics features allowed remote attackers to stay on their victims' networks longer. The average length of time that malware was resident on victims networks before detection was 156 days, the researchers said.

Persistence creates other problems for victims, allowing hackers to delve more deeply into networks, looking for mission-critical internal applications and data stores that house or handle intellectual property or financial data that can be sold on the black market.

Attackers were also getting hip to network monitoring tricks and the presence of data leak protection software, gravitating to rootkit-style applications that can disguise their presence from operating systems, modifying stolen data to fool DLP filters, and using common ports and protocols to get data out of networks, the researchers said.

This article, "Targeted malware attacks: The new normal," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog.


Copyright © 2010 IDG Communications, Inc.