Sunday, October 15, 2006

Targeted Trojan Attacks on the Rise

Via SecurityFocus -

MONTRÉAL - On December 1, 2005, two e-mail messages were sent from a computer in Western Australia to members of two different human rights organizations. Each e-mail message carried a Microsoft Word document with a previously unknown exploit that would take control of the targeted person's computer and open up a beachhead into the group's network.

The attack failed, as did a second attempt to infiltrate the same human-rights groups a week later, due in no small part to an overabundance of caution on the part of e-mail security provider MessageLabs, which initially blocked the e-mails based on the strangeness of the Word attachments. The attacks only targeted a single person at each organization and, after the two attempts, never repeated.

Targeted Trojan horse attacks are quickly becoming a major issue for the antivirus and computer-security industries. Last year, computer emergency response groups in the U.K., Canada and Australia warned of such attacks. While the United States Computer Emergency Readiness Team (US-CERT) did not issue a warning, security firms confirmed at the time that U.S. government agencies and companies had already been targeted by such malicious software.

...

The attacks are also very well researched, Shipp said. One targeted Trojan was sent to five employees at one company--every single person was a member of the firm's research and development team.

...

Most of the attacks come from the Pacific Rim, emanating from Internet addresses in mainland China, Hong Kong, Australia and Malaysia. However, one IP address that consistently attacks military installations comes from a computer in California. Shipp believes that the computer could have been compromised as part of a bot net.

...

However, the antivirus industry is still moving too slowly, ISS's Corman said. The Trojan horse sold to private investigators by an Israeli couple took 18 months to detect.

"People in the industry keep talking about the Israeli Trojan horse, because that is one of the few public examples," Corman said. "But that's just one of hundreds, if not thousands, of successful attacks."




In July 2004, I was the target of an unsuccessful targeted trojan attack. It was much less advanced than the attacks of today and most likely not controlled by the same people. It came in as an EXE and I was the only person in the company of thousands to get the e-mail.

With the help of Peter Kruse from CSIS of Denmark, the attachment was found to be a trojan with remote access, SMTP relaying and keylogger abilities.

The trojan created a mutex with the name "CocoAzul v0.765".

This was later to be tagged by several AV vendors as the Cocoazul Worm. Several variants were created as outlined by Megasecurity.org. Yet none of those listed match my sample in size.

Even today, detection of my sample is iffy:
