SANS ISC: Targeted attacks: behind the media reports

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Between Christmas and New Year, I spoke at the Chaos Communications Congress in Berlin on targeted attacks. Some basic findings included:

• Office applications are the most common targets, but utilities such as archivers that are seldom updated by the user are also commonly exploited;
• Control servers used in the attack are generally compromised boxes themselves. The connection occurs based on a DNS lookup, not an IP address. This allows the attackers to reuse an infected machine even when the original control server is cleaned by its owners. These control servers sometimes contain port forwarders connecting to another machine, often in a different jurisdiction;
• Initially, attacks were disabled and enabled remotely by "parking" the control hostname to localhost (127.0.0.1). As this is a bit obvious, newer code contains checks for specific, fake IP addresses upon which the attack is temporarily disabled. Parking addresses are generally easy to spot manually, such as 63.64.63.64;
• Hostnames are reused over several months but appear to be target-specific, while compromised IP addresses are potentially shared between targets;
• "Memes", such as funny documents that are distributed on mailing lists, are sometimes redistributed by attackers, but containing malicious code. Users are familiar with the document being sent to them and are likely to open it.

A number of people approached me afterwards telling me that most of what they learned about the issue so far came from the media, not from their peers. When I started studying the phenomenon, my approach was to contact groups that had reported very similar attacks, such as the Falun Gong community. Information and samples from these groups allowed me to gain a better understanding of the attacks. 

Targeted attacks evolve based on economies built around the information that is targeted. When information is valuable to the attacker, he will take commensurate effort to compromise it. Depending on the value, this encourages the use of novel, untested techniques. Such techniques tend to be unreliable and fail disproportionately. Failures can be detected, understood and shared. This type of sharing is part of what I refer to as security intelligence.

If you’re worried about this type of compromise, join one of the many information sharing mechanisms your industry may offer: the United States has a fair amount of ISACs (Information Sharing and Analysis Centers), and the UK offers its WARPs (Warning, Advice and Reporting Points). These organizations allow you to share information and still rest assured it is anonymized appropriately.

We are also very interested in hearing about your experiences. The Storm Center takes your confidentiality very seriously, so please do identify what we can post and what should remain private or should only refer to as generic techniques. We appreciate your contribution.

You can download the CCC presentation here or read up on the issue further here.

--
Maarten Van Horenbeeck