In-Depth

In Brief

Targeted Trojan Attacks Increase, Security Zaps Productivity, Spyware Distributor Settles

• By Mathew Schwartz
• 06/29/2005

Targeted Trojan Attacks Increase

Britain’s National Information Security Coordination Center (NISCC) warns of an increase in targeted attacks utilizing Trojan code. “A series of ‘Trojanised’ e-mail attacks are targeting [the] UK government and companies,” it says in a statement. “The attackers’ aim appears to be covert gathering and transmitting of commercially or economically valuable information.”

Trojan code arrives attached to e-mails or through links in e-mails, and typically requires an end user to open the attachment or click a link and download and run software, for the Trojan code to infect a PC. Most carrier e-mails utilize some form of social engineering, spoofing addresses to make the attachment or URL appear relevant. Then, “once installed on a user machine, Trojans may be used to obtain passwords, scan networks, exfiltrate information, and launch further attacks,” notes NISCC. The software may also replicate to other network PCs automatically.

To defend against Trojan attacks, NISCC recommends organizations implement a variety of protective measures, such as disabling the preview pane in e-mail software, and implementing intrusion detection software. Don’t rely on antivirus software alone to stop Trojan attacks. In particular, Trojan code written to attack a single organization may bypass antivirus scanning engines, which can only stop known-bad code.

NISCC also recommends organizations “investigate anomalous, slow-running machines, looking for unknown processes or unexpected Internet connections, as this may be an indication of malicious programs operating in the background.” Educating end users about the symptoms of a Trojan software infection can pay dividends. “User reports of such behavior should be encouraged and fully investigated.”

To discern whether Trojan software is broadcasting sensitive corporate information outside the firewall, NISCC recommends organizations regularly review firewall logs of connections to anomalous IP addresses. Also “consider traffic analysis to identify compromised computers that are exfiltrating files,” to analyze data volume transfer sizes, and odd transfer times. Furthermore, “review mail server access logs for evidence of connections from unusual IP addresses,” since attackers may have already stolen e-mail addresses and passwords, or opened false accounts covertly.

Post-Attack, Productivity Suffers

While computer attacks can steal corporate data and take down business-critical servers, how do such attacks affect worker productivity? To find out, St. Louis-based Maritz Research recently surveyed IT managers in small and medium-size businesses.

The findings: By and large, after a security incident, almost everyone surveyed said computer downtime was rampant, with affected workers’ productivity suffering by as much as 50 percent.

Security incidents in such organizations are also not rare. For example, three-quarters of respondents say they’ve been infected by at least one virus in the last year. In the same time frame, 40 percent say they were attacked by hackers at least once.

Yet many companies eschew commonly available security tools for preventing such attacks. For example, 29 percent of organizations don’t use anti-spam software, 34 percent don’t use antivirus software, and 47 percent don’t block adware. More surprisingly, nine percent don’t use Internet firewalls. When antivirus is used, 10 percent of organizations say they never update it.

Is it any surprise many of these businesses suffer security problems and resulting computer downtime? “Clearly today’s employees are heavily reliant on computers to perform their jobs. With these statistics demonstrating how computer security and spam issues reduce employee performance, I’m amazed that we don’t see 100 percent of small and medium businesses taking advantage of the protective technology available,” notes Paul Cousino, director of the information technology research services at Maritz.

His prescription: spend money on security to boost worker productivity. “Considering the sophistication of today’s virus attacks, small and medium businesses need to take a closer look at both their preventive and responsive IT security measures. The potential return on investment is obvious,” he notes. Furthermore without such technology, “companies run the risk of serious threats to both performance and productivity.”

Spyware Distributor Settles

Alleged spyware distributor Intermix Media Inc. announced it’s settling a suit brought against it by the Office of the New York State Attorney General. Intermix will pay $7.5 million total over three years to the state of New York, and discontinue distributing adware, toolbars, and redirect software. The company says it has already ceased distributing such things.

The AG’s suit had documented at least 10 different Web sites Intermix used to distribute “free software,” which contained spyware and adware.

According to a release issued by the company, however, “Intermix emphasized that it has not admitted any wrongdoing or liability and expects the final agreement to reflect this fact.” The company says it’s also recruiting a chief privacy officer and has joined the Network Advertising Initiative (NAI), which lobbies for self-regulation by advertising companies. In an interview with Marketwatch, Intermix CEO Richard Rosenblatt says the company will avoid distributing any downloads in the future, focusing instead on enabling social networks with user-generated content. He also opined on the lack of definitions for either adware or spyware. “It’d be great for somebody—Congress or NAI—to outline what is sufficient download disclosure.”

Related Articles:

Prosecuting Spyware Disseminators
http://esj.com/security/article.aspx?EditorialsID=1388

Social Engineering Bypasses Information Security Controls
http://esj.com/security/article.aspx?EditorialsID=1308