In a military operation, a beachhead is a point where an attacking force landing by sea reaches a beach and defends it until reinforcements arrive. At this point, the reinforcements will expand the attack. What can this possibly have to do with malicious code? In the last six months, we’ve seen a large shift towards multistage attacks as described in Volume XII of the Symantec Internet Security Threat Report. The first stage of a typical multistage malicious code attack consists of a small and quiet initial downloader Trojan being installed on a computer. This initial stage may disable security applications on the computer, then download other malicious code as part of a secondary stage attack (expanding the beachhead).
Of great concern is that the secondary stages usually allow the attackers to perform a wider variety of attacks against the user. The later stages are often back doors that allow the attacker complete access to the computer and all its files, or enable them to install other Trojans. We’ve observed that many of these Trojans log keystrokes, steal confidential information, and even download further stages of malicious code.
While multistage attacks are not necessarily new, the methods whereby attackers are installing them on users’ computers are changing. In the past, the initial stage would commonly be shared on P2P networks, offered as “crack” programs for popular software packages or through some other social engineering technique. The user would download the file thinking it was some other application then execute it only to compromise their computers.
Newer multistage attacks are more frequently installed through the user’s Web browser when they visit a malicious site. The thing is, the malicious nature of these sites may not be immediately obvious to the user. For example, an attacker can use some of the more robust features of Web 2.0 technologies on legitimate Web sites to have the Trojan installed on the user’s computer by exploiting a browser vulnerability. Or, as was the case with the recent MPack attacks, attackers can compromise legitimate Web sites to redirect the user’s browser to a malicious server that exploits vulnerabilities in popular browser plug-ins to install a downloader Trojan.
Social networking sites are another prime example of attackers exploiting trust relationships to install multistage Trojans. An attacker can compromise a user’s account on one of these sites (perhaps through a phishing attack or malicious code that allows them to steal confidential information) then post a link to a malicious Web site on the user’s page or send messages to the user’s contacts through the social networking site containing such links. While many users have been conditioned not to follow links or open files they receive through their normal email accounts, they have not yet applied this caution to other media.
Because the Web browser is the user’s primary gateway to the Internet, it is not surprising that attackers are leveraging it to install malicious code. As new Web technologies become available, attackers seem to be adopting it faster than ever before as a means of compromising users. Because they are taking advantage of these new technologies to exploit users through trusted Web sites, it is no longer sufficient to prevent malicious code infection by avoiding unknown and untrusted sites.
For more information on this and other topics, please see Volume XII of Symantec's Internet Security Threat Report.