Phishing attacks and links to malware appear in millions of emails every day. But only a very tiny proportion of that malware, about 0.01 percent, consists of targeted attacks. Given that targeted attacks account for such a small percentage of malware, should we be concerned?
Here are some typical characteristics of a targeted attack. These will help you decide whether they’re something to be concerned about:
- The malware file is sent to a very small number of victims, often only one. Thus there is little or no chance of detecting it using signature-based antivirus techniques. Unless the victim realized the file contained malware, and sent it to their antivirus company, there is no one else in the world that has a sample that can be used to create a signature.
- The malware file is often a file traditionally thought of as a data file, such as a PDF or DOC file. This has two effects. Firstly, such files pass through email gateways, because most businesses send and receive such files all the time. Secondly, people are used to considering these files as safe, and so can be easily persuaded to open them.
- These data files are crafted to trigger a flaw in the application that opens them. Typically this flaw causes code to execute, not code from the known and trusted application itself, but code buried in the data file. Once this happens, it is "game over" for the computer, because the attacker can cause any code they like to be run.
The most common way the attack now proceeds is for a small EXE file hidden inside the data file to be decoded and then executed. This EXE file then goes out to the Internet and downloads further components. The attacker now has control over the target computer.
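The points above suggest a defensive check that does not depend on a signature for the specific sample: inspect an attachment for the structural traces that an embedded Windows executable leaves behind. The following is an added example, not MessageLabs code, and it makes assumptions the column does not: that the hidden EXE is a standard PE image (an `MZ` header whose `e_lfanew` field points at `PE\0\0`, usually with the "This program cannot be run in DOS mode" stub text), and that when the attacker encodes it, a single-byte XOR is a common enough choice to be worth brute-forcing. The sample "documents" are constructed in the script and contain no executable code.

```python
"""Heuristic attachment triage: flag 'data' files (PDF/DOC) that carry an embedded
Windows executable, either in the clear or under a single-byte XOR encoding.
Added example; the file samples below are constructed, not real malware."""
import struct

DOS_STUB = b"This program cannot be run in DOS mode"  # stub text present in nearly every PE

# Expected leading bytes for common document types (real magic values)
MAGIC_BY_EXT = {
    ".pdf": b"%PDF-",
    ".doc": b"\xd0\xcf\x11\xe0",  # OLE2 compound file (also .xls, .ppt)
    ".xls": b"\xd0\xcf\x11\xe0",
    ".docx": b"PK\x03\x04",       # OOXML is a ZIP container
}


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_pe_offsets(data: bytes) -> list:
    """Offsets of plausible PE images: an 'MZ' whose e_lfanew (at +0x3C) points at 'PE\\0\\0'."""
    hits, start = [], 0
    while (i := data.find(b"MZ", start)) != -1:
        if i + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, i + 0x3C)[0]
            if 0x40 <= e_lfanew < 0x1000 and data[i + e_lfanew:i + e_lfanew + 4] == b"PE\0\0":
                hits.append(i)
        start = i + 1
    return hits


def find_xor_encoded_pe(data: bytes) -> list:
    """Try every single-byte XOR key: look for the encoded DOS stub text, then decode a
    window around it and confirm a real PE header is there (cuts false positives)."""
    findings = []
    for key in range(1, 256):
        pos = data.find(xor_bytes(DOS_STUB, key))
        if pos == -1:
            continue
        lo = max(0, pos - 0x200)
        window = xor_bytes(data[lo:lo + 0x1000], key)
        for off in find_pe_offsets(window):
            findings.append({"key": key, "offset": lo + off})
    return findings


def extension_matches_magic(filename: str, data: bytes):
    """True/False when the extension has a known magic; None when there is no expectation."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    magic = MAGIC_BY_EXT.get(ext)
    if magic is None:
        return None
    return data.startswith(magic)


def triage_attachment(filename: str, data: bytes) -> dict:
    """Combine the three checks into one verdict for an email attachment."""
    plain = find_pe_offsets(data)
    xored = find_xor_encoded_pe(data)
    magic_ok = extension_matches_magic(filename, data)
    return {
        "filename": filename,
        "magic_matches_extension": magic_ok,
        "plain_pe": plain,
        "xor_pe": xored,
        "suspicious": bool(plain or xored or magic_ok is False),
    }


# ---- constructed samples (not real malware) ----
def build_fake_pe() -> bytes:
    """A 256-byte PE-shaped header: MZ, e_lfanew -> 'PE\\0\\0', DOS stub text. Not runnable."""
    hdr = bytearray(0x100)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x40:0x40 + len(DOS_STUB)] = DOS_STUB
    hdr[0x80:0x84] = b"PE\0\0"
    return bytes(hdr)


PDF_PREFIX = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n2 0 obj\nstream\n"
EMBED_OFFSET = len(PDF_PREFIX)
XOR_KEY = 0x5A
# A PDF-looking file carrying the fake PE, XOR-encoded, inside a stream object
SAMPLE_PDF = PDF_PREFIX + xor_bytes(build_fake_pe(), XOR_KEY) + b"\nendstream\nendobj\n%%EOF\n"
# A file named .doc that is really a bare executable image
SAMPLE_DOC = build_fake_pe()
CLEAN_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    for name, blob in [("invoice.pdf", SAMPLE_PDF), ("report.doc", SAMPLE_DOC), ("clean.pdf", CLEAN_PDF)]:
        print(triage_attachment(name, blob))
```

The XOR search deliberately looks for the encoded stub text rather than XOR-decoding the whole file 255 times, so it stays cheap on large attachments; the window decode afterwards is what turns a text match into a confirmed PE header. This catches only the simplest encodings, which is the point: it is a cheap gateway-side heuristic for exactly the case where no signature can exist yet, not a replacement for sandboxing the document.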
A targeted attack is comparatively expensive to assemble. It uses a one-off piece of malware that is technically difficult to create. The attack itself is often well researched, with complex social engineering aimed at a selected person in the target organization.
Lastly, the organizations selected for this type of attack are mostly well known, large companies or smaller technical companies -- in other words, companies with information that is worth stealing.
It is my contention, then, that these targeted attacks are a form of industrial espionage. The computers are compromised so that the attacker can penetrate a corporate network and steal confidential data, which is funneled back through the Internet to the attacker.
Although it may seem like a small number, 100 attacks each day is actually a significant cause for concern. The likelihood is that major companies that have not detected any targeted attacks over the last few years have already been attacked and compromised without even knowing it.
— Alex Shipp, Senior Anti-Virus Technologist, MessageLabs