ISTR XI – Malicious Code and Phishing 

Mar 20, 2007 03:00 AM

Six months ago, in the previous volume of Symantec's Internet Security Threat Report, I wrote that we were seeing a shift away from “noisy” worms toward targeted Trojans that attract less attention. In the second half of 2006, this trend remained true, as the volume of Trojans reported by Symantec customers increased and the volume of worms decreased. At the same time, a lot of these Trojans are becoming more sophisticated.

In the latest edition of the Internet Security Threat Report, we note that multi-stage downloaders, also referred to as modular Trojans, are becoming more prevalent, most likely because of their versatility. The first stage of these downloaders is usually a small Trojan that disables your security and antivirus applications, then downloads a more complex threat. Since the initial stage disables security applications, the second stage can be almost anything the attacker chooses, including older threats that would otherwise have been detected by antivirus.

Frequently, the second stage will be a threat that allows some sort of remote access or can accept commands from the attacker. This way, once the attacker has a foothold into your computer with the first stage, they can take full control with the second stage. Once they have control, they can do almost anything they want with your computer like downloading other threats, stealing personal information, or logging keystrokes.

Another common use for computers that have been compromised like this is as an email relay for sending spam and phishing messages. Using someone else’s computer for this keeps the attacker’s own computer from being added to DNS block lists. Sometimes the first indication users have that their computer is being used as an email relay is when their ISP suspends their account after it shows up on a block list.

The increase in this activity is likely also tied into the increase in phishing messages over the last six months of 2006. During this period, Symantec Brightmail AntiSpam blocked 19 percent more phishing messages than in the first half of 2006.

Once again, brands in the financial services industry were targeted most frequently by phishing attacks. This isn’t surprising since phishers can quickly turn a profit from a successful phishing attack against a financial service brand. They can simply log into the phished user’s account and transfer all the available funds to an account they control.

While financial services made up 84 percent of phished brands in the last half of the year, retail brands only accounted for five percent. At the same time, though, financial services accounted for 64 percent of phishing Web sites reported to the Phish Report Network while retail services accounted for 34 percent. This means that a small number of retail brands are being heavily phished and a wider variety of financial services brands are targeted.

So why would such a small number of retail brands be heavily phished in comparison to a wide variety of financial brands? Most likely phishers are experiencing enough success attacking only a few retail brands or they feel that only a few brands are worth attacking. Some financial institutions have begun implementing anti-phishing measures like two-factor authentication to protect their customers. (Two-factor authentication consists of using a password or PIN number generated by the user plus a physical device such as a one-time password list or physical token that generates random numbers.) This may have forced some phishers to broaden their attacks to target financial institutions that don’t have such measures in place.

As you can see, whenever attackers hit a roadblock they adapt their methods. Everyone – from users to network administrators – has to make sure to adapt along with the attackers. Complacency can lead to a false sense of security since you may think you’re protected and know all about today’s threats, but what about tomorrow? For more information, please see Symantec's Internet Security Threat Report.
