The perfect attack against your security?

The perfect attack against your security?

Summary: A socially engineered e-mail, which contains a Trojan file that exploits a zero-day vulnerability and then hides behind a rootkit, might be the perfect attack and impossible to defend against.

SHARE:
TOPICS: Malware, Security
7

A socially engineered e-mail, which contains a Trojan file that exploits a zero-day vulnerability and then hides behind a rootkit, might be the perfect attack and impossible to defend against.

Patrick Runald, senior security specialist at Finnish antivirus firm F-Secure last week told me that some users are obliged to open certain documents as part of their job -- so no amount of education can stop such an attack.

For example, if an HR director receives a CV, what is he supposed to do?

"Even if you know a lot about computers and you know you shouldn't open all attachments, if you receive a document file and it looks valid, it contains something about your work, you are obliged to open it.

"And then it contains a zero-day exploit and will install a Trojan onto your system, typically hidden by a rootkit, which makes it very difficult to detect with an antivirus program," Runald told me in a video interview last week.

When asked how companies can defend against social engineering, he said it was a "difficult" problem.

"You have to install patches -- that is what you have to do," added Runald.

Another problem here is that simply by writing this, am I helping the bad guys or the rest of us -- so we know what we are facing?

This is really scary -- suggestions anyone?

Topics: Malware, Security

Munir Kotadia

About Munir Kotadia

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.

Munir was recognised as Australia's Best Technology Columnist at the 5th Annual Sun Microsystems IT Journalism Awards 2007. In the previous year he was named Best News Journalist at the Consensus IT Writers Awards.

He no longer uses his Commodore 64.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

7 comments
Log in or register to join the discussion
  • We have seen this before....

    This has been discussed before at http://www.antirootkit.com/blog/2006/11/30/rootkits-in-corporate-espionage/

    One of these days something big will happen to someone big because of rootkits,
    regards
    John
    anonymous
  • Good advice

    Patrick Runald is so very correct -- a good, frequent patching regimen is crucial. As well, as some sort of desktop protection, of course (e.g. local firewall, etc).
    anonymous
  • Or follow basic security procedures

    Nearly all attacks can very easily be stopped - simply don't have users running as administrator. Without admin rights, any nasties that come in through an email/web browser/etc exploit essentially can't infect your computer, let alone install a rootkit.

    There's the very occasional privilege escalation attack, or vulnerability in software running with elevated privileges (ironically most often in antivirus or other "security" software), but these are in the order of at most a couple a year and usually require specific hardware or software.

    The main problem is that a some Windows software doesn't run nicely in non-administrator mode, but more seriously Windows users have got used to having full system access all the time (and being able to install anything anywhere without a password).

    Running as non-administrator won't protect you from everything, but it cuts the number of attacks that will work on your system from hundreds (thousands?) per year to one every few years. Any corporate IT department that lets it's users run as administrator deserves every singe bit of trouble it gets them.
    anonymous
  • Alternative OS

    What are using an OS that is not so prone to viruses and trojans?
    anonymous
  • Why dont you use opensource as perimetral defense?

    I dont think this is a real threat, the guy is talking about infected files FOR windows.
    THe problem solves using opensource platforms, if you dont want to migrate your desktops, then use mail gateways and proxies for it, that checks for content, type of file, header of files, etc. As for example, for mail I use MailScanner + ClamAntivirus + SpamAssasssin + Postfix as mail gateway, it works great for up to 800 mail users, 1200 stations, And for Internet I use squid proxy with policy restructions per user, this way my users are fairly protected against malware.

    Hope this helps to anybody
    anonymous
  • no, patching isn't the only answer!

    A few security vendors out there have been tracking these threats for some time and already have new technologies in place to protect against them. Perhaps this can't be solved by antivirus alone, but with the right combination of protection (IPS, behavioral AV, shellcode exploit detection, etc.) in your desktop product, you can! I know that SPI Dynamics and ISS have discussed this in the news... a quick Google search found these articles about the threat and the solution:
    http://www.infoworld.com/article/07/05/02/shell-code-attacks-loom_1.html?APPLICATION%20SECURITY
    http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1243042,00.html
    anonymous
  • Web based apps, virtual machines, dedicated PCs

    There are several viable approaches for jobs that have to open suspect attachments:
    - Work online in an ASP/Google office-type environment
    - Use a pristine virtual PC (your own server or via the web i.e., G.ho.st.)
    - Configure a limited functionality/connectivity PC zoned or off your corproate net w/ no addressbook, etc.
    Some slice of your assets will always be at risk until you get to the point of opening each new attachment in it its own stripped down VM sandbox.
    anonymous