Corporation caught in the cross hairs
- 01 July, 2003 12:37
My company deals with large electronic financial transactions on a regular basis, and I worry that this makes us the perfect target for a focused attack on our networks. This issue had been a theoretical one for me, however, until last week.
We do receive a great many attacks, but we aren't being singled out: Many other companies are being targeted at the same time. This leads me to conclude that either the attackers are taking the approach of targeting as many companies as possible with the same assaults and seeing which ones work, or there is so much noise in our monitoring logs that any targeted attacks are lost amid the chaos.
I have been reassured by how widespread the attacks have been. They show that we don't need to be totally secure -- just more secure than most companies. This goal is a lot cheaper and easier to achieve than perfect security, but it's only safe if no one is targeting us. If we are the target of a focused attack, hackers will keep coming back with new approaches until they find one that works.
Fairy Tale Attack
We have outsourced our e-mail monitoring to New York-based Messagelabs Inc., which offers us a guarantee that no malicious code will get past its defenses. To back up that claim, it's admirably paranoid. The company's statistics show that about one in 270 of our e-mails contains a virus. Last week, we saw a surge of suspicious e-mails. Normally, this signals a big virus outbreak, but there was no mention of this on any of the antivirus Web sites. The malicious code Messagelabs stopped was simply characterized as "Possible new Trojan software detected."
Whoever was sending these e-mails was using a "Rumpelstiltskin attack." In this type of attack, which gets its name from the fairy tale about a queen who must turn her first-born child over to Rumpelstiltskin unless she can guess his name, the attacker tries to guess e-mail address names by taking a list of common names, combining them with possible first and last initials and sending them to an e-mail server.
I wasn't too worried about the general attack, but in the middle of all those attempts, the attacker had sprinkled in real e-mail addresses of staff members. It was clear that this attacker had a list of about 200 of our employees' e-mail account names. Perhaps someone internal had leaked the list?
The address list was clearly an old one, because many of the people on it had left the company. But if the attacker had bothered to get a list of real addresses for our company, even out-of-date ones, then surely this couldn't be a random probe. It had to be targeted directly at us.
Attacker Could Return
I wasn't worried by the first approach: Trojan horse executables in e-mails are a low risk thanks to our defenses. However, if an attacker was willing to put the effort into picking us out of all the possible targets and writing a new Trojan horse for his attack, then he was unlikely to give up once he realized his e-mail attack had failed. He would be back, but with Internet Relay Chat, Web or instant messaging distribution of his software. And if our desktops weren't as paranoid as Messagelabs, his attack just might work.
I asked Messagelabs to send my team and me a copy of the code so we could analyze it. Then I checked the newsgroups. Lots of people were being probed in this way, but only by spammers. Nobody was reporting attempts to sneak Trojan horse code in by this method.
I examined the executable. The code included a series of addresses, and when it was run, the program would connect to a Web site and pull down more code. I asked Messagelabs to investigate it further and then checked out the Web address.
I found it mentioned in a few postings, but these were advertising a porn dialer, a Trojan horse tool that alters your dial-up Internet connection to call a premium-rate phone number in a foreign country, secretly running up a huge phone bill.
Then Messagelabs contacted us to say that it had identified the software as something called TROJ_DIALER.B, and we were able to back down to a more relaxed state. It seems that this wasn't the first wave of a targeted attack but rather the act of a zealous spammer. Over the next few days, other companies reported the same probing.
So as it turns out, we weren't the only target; we were just "lucky" enough to be early on the list of what turned out to be a large number of targets.
But I'm still left with a nagging doubt. What if the only attacks we detect in all the noise are those that aren't targeted? If an attacker can't be bothered to aim at a target, it seems more likely that he will make less effort to hide his attacks. Could there be attacks that are targeted but stealthy enough to escape detection?
It is all a moot point, however, because to get the funds required to perfect security, I'll need evidence of the targeted attacks that I can't detect amid all the other events.