Hit the beaches: ISTR XII
In a military operation, a beachhead is a point where an attacking force landing by sea reaches a beach and defends it until reinforcements arrive. Once they arrive, the reinforcements expand the attack. What can this possibly have to do with malicious code? In the last six months, we’ve seen a large shift towards multistage attacks, as described in Volume XII of the Symantec Internet Security Threat Report. The first stage of a typical multistage malicious code attack consists of a small and quiet initial downloader Trojan being installed on a computer. This initial stage may disable security applications on the computer, then download other malicious code as part of a secondary stage attack (expanding the beachhead).
Of great concern is that the secondary stages usually allow the attackers to perform a wider variety of attacks against the user. The later stages are often back doors that allow the attacker complete access to the computer and all its files, or enable them to install other Trojans. We’ve observed that many of these Trojans log keystrokes, steal confidential information, and even download further stages of malicious code.
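The two paragraphs above describe a sequence of host events: a small downloader runs, security software is stopped, the process reaches out to a server, writes a second-stage file, and that file is then executed. The correlator below is an added illustration written for this post, not Symantec's code or anything from the report. It walks constructed endpoint events (the pipe-separated line format, field names and the sample hosts, paths and addresses are all assumptions) and flags a host only when one process performs the whole chain within a short window.

```python
"""Correlate endpoint events into a multistage-infection chain.

Added example (not from the Symantec report): flags a host where one
process stops a security service, then makes an outbound connection,
then writes a file that is subsequently executed on the same host.
The event format, field names and all sample values are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "timestamp|host|pid|event|detail".
# ws01 shows the full downloader chain; ws02 is a benign updater that
# downloads and runs a file but never touches a security service.
SAMPLE_EVENTS = """\
2007-09-01T10:00:01|ws01|4120|process_start|C:\\Users\\alice\\Downloads\\crack.exe
2007-09-01T10:00:03|ws01|4120|service_stop|AVEngineSvc
2007-09-01T10:00:04|ws01|4120|net_connect|198.51.100.23:80
2007-09-01T10:00:06|ws01|4120|file_write|C:\\Windows\\Temp\\svc_update.exe
2007-09-01T10:00:07|ws01|4133|process_start|C:\\Windows\\Temp\\svc_update.exe
2007-09-01T10:05:00|ws02|2211|process_start|C:\\Program Files\\Updater\\updater.exe
2007-09-01T10:05:02|ws02|2211|net_connect|203.0.113.5:443
2007-09-01T10:05:04|ws02|2211|file_write|C:\\Program Files\\Updater\\patch.exe
2007-09-01T10:05:05|ws02|2300|process_start|C:\\Program Files\\Updater\\patch.exe
"""

# Maximum time from the service stop to the second-stage execution.
WINDOW = timedelta(minutes=10)


def parse_events(text):
    """Parse the constructed pipe-separated event lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, pid, kind, detail = line.split("|", 4)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "pid": int(pid),
            "kind": kind,
            "detail": detail,
        })
    return events


def find_multistage_chains(events):
    """Return one finding per (host, stage-1 pid) that completes the chain:
    service_stop -> net_connect -> file_write -> process_start of that file,
    all within WINDOW of the service stop."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)

    findings = []
    for host, host_events in by_host.items():
        per_pid = defaultdict(list)
        for e in host_events:
            per_pid[e["pid"]].append(e)

        for pid, pevs in per_pid.items():
            stop = next((e for e in pevs if e["kind"] == "service_stop"), None)
            if stop is None:
                continue
            deadline = stop["ts"] + WINDOW

            conn = next((e for e in pevs
                         if e["kind"] == "net_connect"
                         and stop["ts"] <= e["ts"] <= deadline), None)
            if conn is None:
                continue

            writes = [e for e in pevs
                      if e["kind"] == "file_write"
                      and conn["ts"] <= e["ts"] <= deadline]
            for w in writes:
                # The second stage usually runs as a new process, so look
                # across every pid on the host for execution of the file.
                executed = any(e["kind"] == "process_start"
                               and e["detail"] == w["detail"]
                               and w["ts"] <= e["ts"] <= deadline
                               for e in host_events)
                if executed:
                    findings.append({
                        "host": host,
                        "stage1_pid": pid,
                        "disabled": stop["detail"],
                        "remote": conn["detail"],
                        "stage2": w["detail"],
                    })
    return findings


if __name__ == "__main__":
    for f in find_multistage_chains(parse_events(SAMPLE_EVENTS)):
        print(f"{f['host']}: pid {f['stage1_pid']} stopped {f['disabled']}, "
              f"fetched from {f['remote']}, ran {f['stage2']}")
```

Requiring the service stop as the first link is what keeps the benign updater on ws02 out of the findings: downloading and executing a file is normal software behaviour, whereas doing so right after silencing the security product is the pattern the post describes. The trade-off is that a downloader which leaves security software alone is not caught by this rule and needs a different signal.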
While multistage attacks are not necessarily new, the methods whereby attackers install them on users’ computers are changing. In the past, the initial stage would commonly be shared on P2P networks, offered as “crack” programs for popular software packages, or delivered through some other social engineering technique. The user would download the file thinking it was some other application and execute it, only to compromise their computer.
Newer multistage attacks are more frequently installed through the user’s Web browser when they visit a malicious site. The malicious nature of these sites may not be immediately obvious to the user. For example, an attacker can use some of the more robust features of Web 2.0 technologies on legitimate Web sites to have the Trojan installed on the user’s computer by exploiting a browser vulnerability. Or, as was the case with the recent MPack attacks, attackers can compromise legitimate Web sites to redirect the user’s browser to a malicious server that exploits vulnerabilities in popular browser plug-ins to install a downloader Trojan.
Social networking sites are another prime example of attackers exploiting trust relationships to install multistage Trojans. An attacker can compromise a user’s account on one of these sites (perhaps through a phishing attack, or through malicious code that allows them to steal confidential information), then post a link to a malicious Web site on the user’s page or send messages containing such links to the user’s contacts through the social networking site. While many users have been conditioned not to follow links or open files they receive through their normal email accounts, they have not yet applied this caution to other media.
Because the Web browser is the user’s primary gateway to the Internet, it is not surprising that attackers are leveraging it to install malicious code. As new Web technologies become available, attackers seem to be adopting them faster than ever before as a means of compromising users. Because they are taking advantage of these new technologies to exploit users through trusted Web sites, it is no longer sufficient to prevent malicious code infection by avoiding unknown and untrusted sites.
For more information on this and other topics, please see Volume XII of Symantec's Internet Security Threat Report.