Stealthy, targeted attacks aren’t just for defense agencies and high-tech giants like Google, according to researchers from managed security services firm TrustWave’s Spider Labs research group.
In a talk at the annual Black Hat Briefings in Las Vegas, Nicholas Percoco and Jibran Ilyas said that so-called “advanced persistent” attacks are becoming more common and target even midsized businesses without significant intellectual property.
The researchers’ presentation, “Malware Freak Show 2010,” presented data culled from scores of TrustWave customer engagements during the past year. In many, the managed services firm was engaged to assess the security of a new customer’s network. The researchers said that increasingly they were finding unique malicious programs designed specifically for that network.
“Targeted malware is the norm, not the exception,” said Percoco.
The customer engagements profiled by the two researchers ran the gamut, from a large provider of VoIP communications and a defense contractor to a small Miami sports bar favored by professional athletes and celebrities. While the types of attacks they uncovered weren’t novel, in each case the researchers said they found that attackers had made significant improvements to the malware they deployed, all with the goal of avoiding detection and maintaining a foothold on their victims’ networks.
Advancements in malware authoring and testing before deployment, more automation of functionality, and anti-forensics features allowed remote attackers to stay on their victims’ networks longer. The average length of time that malware was resident on victims’ networks before detection was 156 days, the researchers said.
Persistence creates other problems for victims, allowing hackers to delve more deeply into networks, looking for mission-critical internal applications and data stores that house or handle intellectual property or financial data that can be sold on the black market.
Attackers were also getting wise to network monitoring and to the presence of data loss prevention (DLP) software, the researchers said. They were gravitating to rootkit-style tools that hide their presence from the operating system, transforming stolen data so that DLP content filters no longer recognize it, and moving data out of networks over common ports and protocols such as HTTP and HTTPS, where it blends in with ordinary traffic.
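The point in that last paragraph is easy to see in code. The following is an added example written for this page, not code from the Trustwave talk or from any DLP product: a pattern-based DLP rule that catches a dump of payment-card numbers in plaintext, and the same rule going blind once the attacker encrypts and base64-encodes the dump before posting it out over port 443. A content-agnostic entropy check, which does not care what port or protocol carries the data, still flags it. The card numbers are well-known test numbers, the SHA-256 counter keystream stands in for whatever transform an attacker actually used (the talk does not say), and the 4.5-bit entropy threshold is a tuning assumption.

```python
import base64
import hashlib
import math
import re
from collections import Counter

# Constructed sample data (fabricated for this example): a dump of
# well-known payment-card *test* numbers, the kind of content a DLP
# content rule is written to catch.
STOLEN_PLAINTEXT = b"\n".join([
    b"4111111111111111|12/14|123",
    b"5500000000000004|03/15|456",
    b"340000000000009|07/13|7890",
    b"4012888888881881|11/14|321",
    b"6011000000000004|01/16|654",
    b"3566002020360505|09/15|987",
]) + b"\n"


def keystream_encrypt(data: bytes, key: bytes) -> bytes:
    """Stand-in for the attacker's transform: XOR with a SHA-256 counter
    keystream. Hypothetical; the talk only says stolen data was modified to
    fool DLP filters, not which cipher or encoding was used."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(b ^ k for b, k in zip(data, stream))


# The same data as it would leave the network: encrypted, then base64-encoded
# so it looks like an ordinary form field or cookie in an HTTP POST.
STOLEN_OBFUSCATED = base64.b64encode(keystream_encrypt(STOLEN_PLAINTEXT, b"demo-key"))

CARD_RE = re.compile(rb"\b\d{13,19}\b")


def luhn_ok(digits: bytes) -> bool:
    """Luhn checksum over an ASCII digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 0x30
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def dlp_card_filter(body: bytes) -> bool:
    """Pattern-based DLP rule: flag bodies containing a Luhn-valid card number.
    Blind to the same data once it has been encrypted or encoded."""
    return any(luhn_ok(m) for m in CARD_RE.findall(body))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: low for digit dumps, close to 6 for base64 of ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy(body: bytes, threshold: float = 4.5, min_len: int = 64) -> bool:
    """Content-agnostic check: a sizeable, high-entropy outbound body is worth a
    look regardless of port or protocol. The threshold is a tuning assumption."""
    return len(body) >= min_len and shannon_entropy(body) > threshold


def inspect_outbound(dst_port: int, body: bytes) -> dict:
    """Classify one outbound HTTP POST body. The port is carried along only to
    make the point that traffic on 80/443 gets no free pass."""
    return {
        "dst_port": dst_port,
        "dlp_hit": dlp_card_filter(body),
        "entropy_hit": high_entropy(body),
    }


if __name__ == "__main__":
    for port, body in [(443, STOLEN_PLAINTEXT), (443, STOLEN_OBFUSCATED)]:
        print(inspect_outbound(port, body), "entropy=%.2f" % shannon_entropy(body))
```

Running it shows the plaintext dump tripping the DLP rule and not the entropy check, and the encrypted, base64-encoded version doing the reverse. In practice the entropy check is a triage signal rather than a verdict, since legitimate TLS, compressed uploads and images all look the same to it, which is exactly why the attackers described above favour ports and protocols where such traffic is expected.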