Targeted Trojan Email Attacks

Attack Description

Once a trojanised attachment is opened, the remote attacker may use it as a launchpad to gain full control of the user’s machine. A compromise poses a threat to the confidentiality, integrity and availability of data stored on the computer and its associated networks. It could also be used to launch attacks against other networks.

Files used by the attackers are often publicly available on the Web or have been sent to distribution lists. The attackers are able to receive, trojanise and resend a document within 120 minutes of its release, indicating a high level of sophistication.

The trojanised files can be common types such as databases, documents, executables (.exe) and help files (.chm) and are often compressed (.zip or .rar). The files exploit known software vulnerabilities to install a trojan on the user’s computer.

A number of open source and bespoke trojans, altered to avoid antivirus detection, have been used. The wide variety and constant evolution of the trojans used appear to be an attacker strategy to identify the conditions needed to successfully penetrate a network.

Detection Advice

Detection is an important step in implementing effective protection against the attacks as it allows appropriate and timely responses to incidents. Implementing the following measures will improve detection of the attacks:

  • Implement the methods described in the Current Advice document (http://www.niscc.gov.uk/niscc/docs/currentAdvice.pdf), particularly from the sections on Detection (paragraph 5) and Protective Monitoring and Intrusion Detection Systems (IDS).
  • Investigate anomalous slow-running machines, looking for unknown processes or unexpected Internet connections, as this may be an indication of malicious programs operating in the background. User reports of such behaviour should be encouraged and fully investigated.
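
As an added example (not part of the original advisory), the Python code below shows how a mail gateway or triage script could flag the attachment types named under Attack Description, including ones hidden inside .zip archives. The function names and the sample message are constructed for this example; .rar files and encrypted members are reported as uninspected rather than passed silently.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
# Added example: function names and the sample message are constructed for illustration.
RISKY_EXT = (".exe", ".chm")  # types the advisory names that run code when opened
OPAQUE_EXT = (".rar",)        # named in the advisory; the standard library cannot open it

def inspect_blob(name, read, depth=0, encrypted=False):
    """Classify one named blob; read() returns its bytes and is called only for zips."""
    low = name.lower()
    if low.endswith(RISKY_EXT):
        return [(name, "executable or help file")]
    if low.endswith(OPAQUE_EXT) or encrypted:
        return [(name, "not inspected: rar or encrypted")]
    if not low.endswith(".zip"):
        return []
    if depth > 2:
        return [(name, "not inspected: nested too deep")]
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(read())) as zf:
            for info in zf.infolist():
                findings += inspect_blob(f"{name}!{info.filename}", lambda i=info: zf.read(i),
                                         depth + 1, bool(info.flag_bits & 0x1))
    except zipfile.BadZipFile:
        findings.append((name, "malformed zip"))
    return findings

def scan_message(raw):
    """Return (path, reason) findings for every attachment of one raw message."""
    findings = []
    for part in message_from_bytes(raw, policy=policy.default).iter_attachments():
        name = part.get_filename() or "(unnamed)"
        findings += inspect_blob(name, lambda p=part: p.get_payload(decode=True) or b"")
    return findings

def build_sample():
    """Constructed sample: minutes.zip holds a .rar and a nested zip with a .chm."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("Agenda.CHM", b"constructed placeholder")
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("inner.zip", inner.getvalue())
        zf.writestr("report.rar", b"constructed placeholder")
    msg = EmailMessage()
    msg.set_content("See attached.")
    msg.add_attachment(outer.getvalue(), maintype="application", subtype="zip",
                       filename="minutes.zip")
    return msg.as_bytes()
```

An extension check of this kind does not catch documents or databases that exploit a software vulnerability, and a production gateway would also cap the decompressed size before reading archive members.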
