
Targeted Trojans: A new online threat to businesses

MessageLabs has detected an insidious new online threat to business. Find out about
targeted trojans and how to protect yourself against them.

Author: Mark Sunner, Chief Security Analyst, MessageLabs


Table of Contents
Introduction
Industrial Espionage by Trojan
Traditional protection doesn’t work
Trojan attack
MessageLabs: Be certain

Introduction

If you were a criminal mastermind and wanted to steal secrets from a company,
the easiest way to do it would be with a custom-written virus or trojan aimed at an
individual in the target company. MessageLabs has seen an alarming rise in this type
of attack in recent months.

Industrial Espionage by Trojan

These attacks are still relatively few in number but their economic impact could be
significant. If you get attacked by a regular virus, it will cost you time and money to
clear up and your reputation may be damaged when company computers start
sending out spam email or other irritations. However, if you are attacked by a
targeted trojan, your confidential information, product designs, plans, R&D data or
other secrets could end up in the hands of competitors. In simple terms, it’s
industrial espionage by virus.

The people behind these new attacks have also found new ways to trick people into
installing an email-borne trojan. (Named after the legendary Trojan horse, a trojan is
a kind of computer virus that infects a computer by pretending to be a legitimate
program or file.) They exploit new or little-known problems with Microsoft Office
applications so the viruses are embedded in Word, Excel or PowerPoint documents.
Most companies strip out attachments that look like applications from email but
business documents are commonplace attachments. This means that infected
attachments are more likely to reach users.

The attackers also use social engineering to trick people into opening the files and
infecting their computer. For example, they use data from social networking services
(e.g. Facebook, LinkedIn etc) and company websites. Using internet search
engines and, say, public records stored at Companies House, they can easily find
out a lot about your business’s senior management. They can craft an email that
appears to come from your finance director, addressed to you by name and which
contains a spreadsheet called ‘Draft figures for the AGM.’ It would look trustworthy
but could contain a trojan.

Traditional protection doesn’t work

To make matters worse, custom-written, one-off trojans are likely to evade
traditional anti-virus programs. The problem is that traditional anti-virus programs
rely on DNA-like ‘signatures’ extracted from live viruses to prevent future attacks.
Put simply, virus researchers wait for a widespread attack to develop before they
can find the antidote and distribute it.

It’s like doctors rushing to administer a vaccine after the plague has claimed its first
few victims. However, this approach doesn’t prevent one-off targeted trojans. If
patient zero is the only patient, nobody will discover the outbreak, let alone find the
vaccine.

Trojan attack

At the beginning of the year, MessageLabs predicted that it would see 20 emails of
this kind a day. However, on the 26th of June, the company detected 514 in
just two hours. This was an unprecedented increase and indicated that a new
perpetrator had entered the scene.

Subject lines such as “Information from the FSA,” “Customer Complaint” or “Invoice”
were common. While they targeted virtually every sector, the attackers singled out
the public sector, electronics, aviation, retail, communications, finance and military
organizations. Nearly all of them were targeted at board-level executives, such as
CEOs, CFOs and CIOs.

Based on MessageLabs analysis, the following table shows a breakdown of the
most targeted job titles that have been chosen for these attacks:

Table 1: Most targeted job titles

Who is behind these attacks? There is an unholy alliance between organized crime
and criminal hackers. There are online market places where you can buy an
off-the-shelf trojan for around $200 that is guaranteed to get past all signature based
anti-virus programs. They even offer updates and maintenance contracts. Much of this
activity seems to take place in Russia and Ukraine while most of the messages
actually originate from China. There is a burgeoning market for virus know-how and,
it seems, a market for people prepared to use it to find out secrets.

In the past, creating these attacks has been very difficult. To do it required a
combination of skills and collaboration between criminal hackers. For example,
someone had to find operating system flaws that let viruses attack. Someone else
had to write the code that finds the data. Then someone else had to craft the
infected emails to make sure that people opened them. Now, much of this has been
commoditised and it is available online for a price, leaving data thieves to
concentrate on social engineering and targeting.

MessageLabs: Be certain

Every day nearly 200 billion emails move through the internet and MessageLabs
scans over 300m of them. About three quarters are spam and about one in a
hundred contain a virus. How do you detect a one-off virus that is targeted at one
individual in one company? It’s not like looking for a needle in a haystack. It’s like
looking for an atom on a needle in a haystack.

The only way to catch these targeted attacks is to analyze each email attachment at
a high level of detail to find anomalies and tell-tales. MessageLabs uses its
proprietary Skeptic engine to perform detailed analysis of the attachment’s
proprietary encoding format. It’s very processor-intensive. Most traditional anti-virus
programs run on computers that do other things, such as email servers or your
laptop. They simply don’t have the horsepower to devote to this kind of forensic
approach. MessageLabs, in contrast, has thousands of high-powered computers in
their data centres that do nothing but scan emails for malware.

There is another advantage to the MessageLabs approach. Unlike traditional
software solutions, it is impossible for virus-writers to test whether MessageLabs will
detect a new virus or not. They can’t buy MessageLabs Anti-Virus in the shops and
install it on their own computers. This means that MessageLabs catches viruses and
trojans that get past other anti-virus programs.

The targeted trojan problem looks set to continue. “All bets are off now,” says
MessageLabs Chief Security Analyst, Mark Sunner. “We will definitely see more
attacks like this.” With so much at stake, the only way to be certain is to choose
MessageLabs.

MessageLabs provides a highly effective and integrated set of on-demand services
to protect and control web and email traffic so that customers can use these
business-critical tools safely and productively.

MessageLabs Email & Web Security service stops threats from reaching your
network, delivering total protection from viruses, trojans, phishing, spyware and the
latest targeted attacks.

For a free trial, visit www.messagelabs.com/trials/free

www.messagelabs.com
info@messagelabs.com

© MessageLabs 2007. All rights reserved.
