
Icelandic Volcanic Eruption Used in Targeted Attacks

Updated: 16 May 2010

Posted on behalf of Dan Bleaken, Malware Data Analyst, Symantec Hosted Services

At the end of March, MessageLabs Intelligence reported on a wave of targeted attacks that used the upcoming FIFA World Cup as a hook.

Around the same time, on March 20 to be precise, a volcanic eruption began beneath Iceland's Eyjafjallajokull glacier. By mid-April the resulting ash cloud had forced complete airspace closures across northern Europe. Disruption to air travel continued through the end of April, and more recently transatlantic flights have been heavily disrupted as the ash cloud drifts south over Western Europe (Spanish and Italian airspace).

UK airspace was shut down for six days, from April 15 to 20. One day after it re-opened, much to the relief of travellers all over the world, MessageLabs Intelligence intercepted a targeted email attack that struck at the very peak of interest in the volcano. The timing was perfect: people all over the world, either stranded themselves or finding out information on behalf of someone who was stranded, were very receptive to any news relating to the volcano, and in particular to the movements of air traffic.

First, some background on targeted attacks.

What is a targeted attack?

  • Probably the most damaging type of internet threat
  • Takes place via email
  • Designed to target a specific individual or organisation
  • Aim is to extract sensitive/valuable information
  • Used to gain competitive advantage, blackmail, harm reputation, gather intelligence/spy, steal secrets/designs/ideas, other information

What are some of the common characteristics of a targeted attack?

In identifying whether or not malware is targeted, several factors are taken into account such as:

  • Generally a low volume of mails for each attack, to one or very few recipients.  Symantec Hosted Services typically block around 500,000 malicious emails per day; fewer than 100 of those are targeted attacks.
  • Likely to be sent to high profile clients especially government/public sector
  • Likely to have themes around political or newsworthy events
  • Attachment types most likely to be doc or pdf
  • Likely to be from a webmail account (adds legitimacy)
  • Often attackers try to convey a sense of importance or urgency to open the attachment
  • Sent to high seniority recipients as they have access to the most valuable/sensitive information (60% of targeted users are of a high seniority: Manager or above)
  • Can be sent to family members, personal webmail accounts etc, in an attempt to have the attack forwarded into the organisation, or to the target, of interest.
  • There are many, many more indicators.  Our experts are skilled at differentiating targeted attacks from other (bulk-mailed or spammed) malicious emails that are blocked by MessageLabs Skeptic anti-malware technology.  

Because of the pin-point nature of targeted attacks, their volumes have remained steady in a world of ever-increasing bulk-mailed spam and malware.  However, so far in 2010 the average number of attacks seen per month has been relatively high, exceeded only by March 2009, around the time of the G20 summit.

A technique commonly seen in targeted attacks is to use legitimate details in the mail but to urge recipients to open a malicious attachment, which compromises their PC or network in some way.  That compromise is the attacker's ultimate goal.  Another important factor is that two thirds of attacks are directed at the very highest seniorities in business and in government (they have access to the most valuable and/or sensitive data).  So an effective way to get the recipient's attention is for attacks to have an official, business or political theme, or to relate to interesting or newsworthy events.  This volcano-related attack is no exception.


The attack poses as the International Air Transport Association (IATA), which supports and represents approximately 230 airlines comprising 93% of scheduled international air traffic. The attackers moved quickly to craft the attack. They cut and pasted text directly from an IATA press release posted on IATA's site on April 19: ‘Re-Think Volcano Measures - Governments Must Base Decisions on Fact Not Theory’ (http://www.iata.org/pressroom/pr/Pages/2010-04-19-01.aspx, safe to visit). They picked up the name of IATA's director of corporate communications, inserted it into the body of the email, and spoofed the From: header of the attack so that the sender name matched.

The attacks were emailed from a free web-based email service (gawab.com). Webmail services such as these are often favoured in targeted attacks as discussed in Tony Millington’s blog at the end of March (http://www.symantec.com/connect/blogs/why-some-webmail-services-may-be-favored-targeted-attacks) and the March MessageLabs Intelligence report (http://www.messagelabs.com/mlireport/MLI_2010_03_Mar_FINAL-EN.pdf). Using webmail adds legitimacy to attacks and often makes it more difficult to trace the location of the sender, depending on which webmail service is used.

The only bit of text that was not cut and pasted from the IATA press release was the line ‘Please find attached EXCEL file for IATA survey on aviation restrictions and flights cancellation in Europe’. This is the crucial part, the hook or ‘call to action’, that the attackers added to tempt the recipient into opening the attached Excel document.

It's relatively uncommon to see targeted attacks using Excel documents; normally it's PDFs, straight .exe files, or Word documents. For the targeted attacks seen since the start of April, the attached file types break down as: .pdf 41%, .exe 18%, .doc 14%, .xls 7%, .scr 4%, .ppt 1% (other types make up the remainder).

The attack was targeted at 17 very specific recipients working within two of a particular country's major government organisations, between 06:49 and 07:19 GMT on 21 April 2010 (a little over a day after the IATA press release). The press release was still very current and very likely to be of interest to the recipients.
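The indicators listed under ‘What are some of the common characteristics of a targeted attack?’ and the IATA lure just described can be turned into gateway-side triage logic that clusters mail by sender and subject and scores each cluster. The following is an added example, not MessageLabs's Skeptic technology or any code from the original post; the message records, recipient domains, the impersonation table and the thresholds are constructed for illustration.

```python
"""Gateway-side triage for low-volume, lure-driven email attacks (added example)."""
import os
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Free webmail providers; gawab.com is the one used in the IATA lure.  Illustrative list.
FREE_WEBMAIL = {"gawab.com", "gmail.com", "yahoo.com", "hotmail.com"}
# Attachment types from the post's breakdown of targeted attacks since April 2010.
RISKY_EXTENSIONS = {".pdf", ".exe", ".doc", ".xls", ".scr", ".ppt"}
# Organisations attackers pose as, mapped to their legitimate sending domain (assumed table).
IMPERSONATED_ORGS = {"iata": "iata.org", "fifa": "fifa.com"}
# Domains of the high-value tenants an operator protects (assumed list).
SENSITIVE_RECIPIENT_DOMAINS = {"transport.example", "foreign.example"}
LOW_VOLUME = 20                      # fewer distinct recipients than this is "targeted-sized"
BURST = timedelta(hours=1)           # the IATA lure went to 17 people in 30 minutes
URGENCY = re.compile(r"please find attached|urgent|immediately|action required", re.I)
ADDR_RE = re.compile(r'^\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$')


@dataclass(frozen=True)
class Message:
    sender: str            # raw From: header, e.g. 'Name <user@domain>'
    recipient: str
    subject: str
    body: str
    attachments: tuple
    timestamp: str         # ISO 8601, UTC


def parse_sender(header):
    """Split a From: header into (display name, lower-cased address)."""
    m = ADDR_RE.match(header)
    if m:
        return m.group(1).strip(), m.group(2).strip().lower()
    return "", header.strip().lower()


def campaign_signals(messages):
    """Group messages by (sender, subject); return {key: (score, reasons)}."""
    clusters = defaultdict(list)
    for msg in messages:
        clusters[(msg.sender, msg.subject)].append(msg)

    report = {}
    for key, msgs in clusters.items():
        name, addr = parse_sender(key[0])
        domain = addr.rsplit("@", 1)[-1]
        reasons = []

        recipients = {m.recipient.lower() for m in msgs}
        if len(recipients) < LOW_VOLUME:
            reasons.append(f"low volume ({len(recipients)} recipients)")
        times = sorted(datetime.fromisoformat(m.timestamp) for m in msgs)
        if len(times) > 1 and times[-1] - times[0] <= BURST:
            reasons.append("delivered in a single burst")
        if domain in FREE_WEBMAIL:
            reasons.append(f"free webmail sender ({domain})")
        # Display name, subject or body invokes an organisation the sender domain cannot vouch for.
        text = f"{name} {key[1]} {msgs[0].body}".lower()
        for org, legit in IMPERSONATED_ORGS.items():
            if org in text and domain != legit and not domain.endswith("." + legit):
                reasons.append(f"claims {org.upper()} but sent from {domain}")
        if URGENCY.search(msgs[0].body):
            reasons.append("call-to-action wording")
        for att in msgs[0].attachments:
            if os.path.splitext(att)[1].lower() in RISKY_EXTENSIONS:
                reasons.append(f"risky attachment {att}")
        if any(r.rsplit("@", 1)[-1] in SENSITIVE_RECIPIENT_DOMAINS for r in recipients):
            reasons.append("sensitive recipient organisation")

        report[key] = (len(reasons), reasons)
    return report


def sample_messages():
    """Constructed traffic: the volcano lure to three ministry staff, plus a benign bulletin."""
    lure_body = ("Re-Think Volcano Measures - Governments Must Base Decisions on Fact Not Theory ... "
                 "Please find attached EXCEL file for IATA survey on aviation restrictions "
                 "and flights cancellation in Europe")
    lure = [Message("IATA Corporate Communications <iata.press@gawab.com>", rcpt,
                    "IATA survey on aviation restrictions", lure_body, ("IATA_survey.xls",), ts)
            for rcpt, ts in [("a.smith@transport.example", "2010-04-21T06:49:00"),
                             ("b.jones@transport.example", "2010-04-21T07:02:00"),
                             ("c.brown@foreign.example", "2010-04-21T07:19:00")]]
    bulletin = [Message("IATA Pressroom <pressroom@iata.org>", f"user{i}@airline{i % 5}.example",
                        "Weekly press digest", "This week's press releases are listed below.",
                        (), f"2010-04-21T09:{i:02d}:00")
                for i in range(25)]
    return lure + bulletin


if __name__ == "__main__":
    for key, (score, reasons) in campaign_signals(sample_messages()).items():
        print(score, key[1], reasons)
```

No single signal is decisive (a genuine bulletin sent in one batch still trips the burst check), which is why the score is a count of independent indicators rather than a verdict; the lure trips all seven, the bulletin one.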

Government/public sector organisations are in most danger from targeted attacks. Approximately half of government/public sector organisations have had one or more attacks sent to them since April 1. Education (1 in 4 organisations sent one or more attacks since April 1), manufacturing industries (1 in 7 since April 1), and financial organisations (1 in 10 since April 1) are very popular with attackers too. It essentially boils down to who has the most sensitive or valuable data.

The malware makes use of a vulnerability in Excel, CVE-2008-3005 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3005), which Microsoft fixed in August 2008 in bulletin MS08-043; the attack observed here targeted Office 2007. The fix had been available for roughly 20 months when this attack was sent, so recipients running fully patched Office installations were not exposed.

The exploit in the Excel file executes shellcode that creates a directory named 2048 under the Windows system32 folder and drops an additional file there, c:\windows\system32\2048\lscss.exe (a name that resembles the legitimate Windows process lsass.exe). This file is then executed and runs in the background. It lies dormant for about 5 minutes before eventually connecting to one of 3 different websites; a delay of that length is enough to outlast a short automated sandbox run.

The bottom line is, as with all targeted attacks, that the attack creates a backdoor to the victim's machine, a method of bypassing normal authentication, which then enables the attacker to stealthily help themselves to data on the victim's PC and/or access other systems on that network. In this scenario the ‘server’ (infected machine) initiates the connection out to the ‘client’ (attacker), so the traffic passes through NAT and egress firewalls like any other outbound web request.
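The host behaviour described in the two paragraphs above (an Office process writing an executable into a numeric subfolder of system32, that executable running, and a first outbound connection only after a dormant period) is detectable by correlating endpoint and egress telemetry. The following is an added example, not Symantec's or MessageLabs's code; it runs over constructed pipe-delimited event lines, and the host name, PIDs, destination addresses, the lsass.exe lookalike table and the three-minute dormancy threshold are assumptions.

```python
"""Correlate process, file and network events for the dropper pattern (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# An .exe directly inside a numeric subfolder of system32, e.g. \system32\2048\lscss.exe
SUSPECT_DIR = re.compile(r"\\system32\\\d+\\[^\\]+\.exe$", re.I)
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
LOOKALIKES = {"lscss.exe": "lsass.exe"}        # assumed lookalike table
DORMANCY = timedelta(minutes=3)                # first beacon this long after start is suspicious

# Constructed telemetry: time|event|host|pid|detail[|key=value...]
SAMPLE_LOG = [
    r"2010-04-21T08:12:03|ProcessCreate|WS042|1320|C:\Program Files\Microsoft Office\Office12\EXCEL.EXE",
    r"2010-04-21T08:12:41|FileCreate|WS042|1320|C:\WINDOWS\system32\2048\lscss.exe",
    r"2010-04-21T08:12:42|ProcessCreate|WS042|2210|C:\WINDOWS\system32\2048\lscss.exe|parent=1320",
    r"2010-04-21T08:12:50|ProcessCreate|WS042|2300|C:\WINDOWS\system32\svchost.exe",
    r"2010-04-21T08:12:51|NetworkConnect|WS042|2300|198.51.100.5:80",
    r"2010-04-21T08:17:55|NetworkConnect|WS042|2210|203.0.113.17:443",
]


def parse(lines):
    """Turn log lines into dicts; trailing key=value fields become extra keys."""
    events = []
    for line in lines:
        parts = line.strip().split("|")
        if len(parts) < 5:
            continue
        ts, kind, host, pid, detail = parts[:5]
        extra = dict(p.split("=", 1) for p in parts[5:])
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind, "host": host,
                       "pid": int(pid), "detail": detail, **extra})
    return sorted(events, key=lambda e: e["ts"])


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def correlate(lines):
    """Return {(host, pid): [reasons]} for processes matching the dropper pattern."""
    events = parse(lines)
    procs = {(e["host"], e["pid"]): e for e in events if e["kind"] == "ProcessCreate"}
    findings = defaultdict(list)
    beaconed = set()
    for e in events:
        key = (e["host"], e["pid"])
        image = procs.get(key, {}).get("detail", "")
        if e["kind"] == "FileCreate":
            # An Office application dropping an executable under system32\<digits>\
            if basename(image) in OFFICE_APPS and SUSPECT_DIR.search(e["detail"]):
                findings[key].append(f"{basename(image)} wrote {e['detail']}")
        elif e["kind"] == "ProcessCreate":
            if SUSPECT_DIR.search(e["detail"]):
                findings[key].append("executable in numeric subfolder of system32")
            name = basename(e["detail"])
            if name in LOOKALIKES:
                findings[key].append(f"{name} mimics {LOOKALIKES[name]}")
            parent = procs.get((e["host"], int(e["parent"]))) if "parent" in e else None
            if parent and basename(parent["detail"]) in OFFICE_APPS:
                findings[key].append(f"spawned by {basename(parent['detail'])}")
        elif e["kind"] == "NetworkConnect" and key in procs and key not in beaconed:
            beaconed.add(key)
            delay = e["ts"] - procs[key]["ts"]
            # Only a process that already looks suspicious is worth a dormancy alert;
            # plenty of benign software waits before its first connection.
            if key in findings and delay >= DORMANCY:
                findings[key].append(
                    f"first outbound connection to {e['detail']} after {delay} (delayed beacon)")
    return dict(findings)


if __name__ == "__main__":
    for key, reasons in correlate(SAMPLE_LOG).items():
        print(key, reasons)
```

The dormancy check only fires for a process that has already tripped a structural indicator; svchost.exe connecting one second after start is left alone, while lscss.exe collects the folder, lookalike-name, Office-parent and delayed-beacon findings together.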

MessageLabs blocked the attacks not with signature-based detection (useless against such carefully crafted, fresh attacks) but with its Skeptic anti-malware technology, which identifies suspicious or malicious characteristics of the email and the Excel attachment. At the time of the attack, only 10-15% of other security vendors would have blocked it (23/04/2010: 4/41 on VirusTotal, 6/39 on AV-Test). Detecting targeted attacks (arguably one of the most damaging threats to businesses and organisations) is one of MessageLabs's specialities. For more information about targeted attacks, take a look at ‘Targeted Trojans take aim’, http://tinyurl.com/2duvl87 .