Thursday, May 17, 2007

Targeted attacks are underestimated and not only in Belgium!

Two days ago, I launched this to the press:

"NOXS Press Release (May 15 2007) : Targeted attacks are underestimated in Belgium.
Targeted spyware attacks found in the neighborhood of a well known shopping area in Brussels,Belgium

Eddy Willems, Anti-Malware Technology Expert NOXS, recently found out that some companies in the neighborhood of a well known shopping area in Brussels have been constantly under attack. Several tens of new and at that moment undetectable trojans, spyware and botnets were found in two companies. Willems continues: ‘ If people and companies are not changing their mindset from reactive to proactive we will have more problems than before compared to the mass-mailing worm years. In this particular case the companies were picked out as targets because they got old security solutions in place. This is a growing problem. ’

It can be seen that across most industry sectors, virus attacks have diminished, with only a few notable exceptions. The reason for this is that the attack profile has shifted considerably in the past 12 months. Gone are the days of the large scale mass-mailed virus outbreaks such as MyDoom and Sobig, belying the trend towards more small-scale targeted attacks.

These attacks are typically for the purposes of industrial espionage or intellectual property theft. In the last year the scope of these attacks has widened considerably, especially targeting small to medium sized businesses that are often the weaker link in a much larger supply chain. Throughout the last months NOXS continued to observe an increase in the level of sophistication in the nature of the targeted attacks facing businesses worldwide. Each targeted attack is very much tailored to particular needs in terms of which exploit is used, the social engineering techniques employed as well as which source IPs are used and what the targets will be. The number of low-level targeted attacks against businesses will continue to rise throughout the year, reaching levels of as many as 20 such attacks per day worldwide. These new kind of attacks are using one or two specifically crafted emails send out to one or two users inside the targeted company. By opening the email the user is mostly redirected to a new website which is using several exploits to trigger a download of a new backdoor to the user’s pc. After this the companies network is wide open to the other new created malware and spyware which can be dropped to the pc’s. The companies network at that moment can be used to target other companies networks, send out spam, gathering information and private data which will be misused again in future attacks. The value of the private information from a small to medium sized business is sometimes worth ten thousands of Euro’s which is high compared to the low investments for creation of the new malware.

The real problem however is to find these attacks as early as possible by some proactive approaches like Intrusion Prevention and other intelligent blocking techniques. Otherwise those newly created malware will be used in some attacks to other companies before they will be detected by the patterns of the anti-malware vendors. And this is problematic as the honey pots from the anti-malware or anti-virus vendors will not detect these in an early stage. A lot of companies are underestimating these new problems and are just continuing using old anti-virus technologies as their main protection. Traditional anti-virus solutions that are signature-based provide a reactive approach and require signature updates to be effective, providing little or no defense from these kinds of often unique targeted attacks, which may only be sent to one or two targets. Studies have shown that the typical time for signatures to appear for targeted trojans is still several weeks or even months. Companies need to realize that they cannot rely solely on traditional reactive methods and need to be proactive in their approach."

What do you think? Was the media capable of picking this up? Caused this the 'so needed warning' to the public?
Of course it did not, because it's just a small problem for two small companies... at least that's what was visible. When will people and media learn that even small things could be quite problematic for everyone. I predict hereby that this kind of attacks will becoming more and more problematic as small business are definitely not using the best protection and even this statement is an understatement.

You can find the original press release at the Belgium NOXS 'Expert News page' which you can find at .
And it's not the first time that such things appear. After publishing I got a reaction from a reader of my 'NOXS Expert News' Maarten Van Horenbeeck who saw the same things happening as well.
He wrote something about it at his website:

So it's like I told you: Targeted attacks are underestimated in Belgium. They are a problem worldwide! When will this stop?