The latest Symantec Internet Security Threat Report
released in September reveals just how prevalent malicious code threats are becoming. In the first half of 2007, 212,101 new malicious code threats were reported to Symantec. This is a 185% increase over the second half of 2006. The new generation of malicious code is different from what we’ve seen in the past. It has evolved into a highly elusive threat, which means you may not even notice that you’ve been infected. But if any machine in your small or medium-size business does become infected, your business data could easily become compromised.
Staged downloadersTraditionally, malicious code was delivered directly to the intended target. However, today’s malicious code infects computers in new ways. Often, malicious code is installed by attackers who lure users into visiting Web pages that exploit vulnerabilities in the browser or its components. The malicious code itself does not directly exploit a vulnerability in this scenario, but instead is installed on a computer after the vulnerability is exploited.
The introduction of staged downloaders brings another dimension to malicious code. Staged downloader attacks use the initial compromise as a type of beachhead from which they can launch subsequent attacks, which often involves infecting the system with multiple Trojan horses.
The Internet Security Threat Report found that Trojan horses made up 54% of the top 50 malicious code reports in the first six months of 2007, an increase over the 45% reported in the final six months of 2006. Most staged downloaders consist of Trojans – in fact, eight of the top 10 staged downloaders this reporting period were Trojans. Also, 35% of computers reporting potential malicious code infections this period reported more than once. Seventeen percent of all computers reporting potential infections reported two potential infections – indicating the strong possibility that a staged downloader had invaded these machines. Of the top 10 new malicious code families detected in the first six months of 2007, four were Trojans, one of which had back door capabilities. Trojans are usually the first means of entry for a staged downloader.
The initial Trojan is frequently written for a specific purpose or target. For example, it may be installed when the user accidentally visits a Web page that exploits a browser vulnerability. To avoid being noticed, the initial Trojan is usually quite small in size. The initial stage may disable security applications in place to make way for subsequent infections. The main functionality of a staged downloader system is contained in the second (or possibly third) stage. Frequently, the second stage will be a threat that allows some sort of remote access, enabling the PC to accept commands from the attacker. Once they have control, Trojans are able to do almost anything to your computer, such as downloading other threats, stealing personal or business information, or logging keystrokes.
While a user may discover the first infection before the malicious code is able to send personal information back to the attacker, he or she might not be as fortunate with subsequent infections. For example, in the case of a staged downloader, the first infection may disable the security applications on the compromised computer, while the second infection contains a keystroke logger or some other remote access threat. After that, attackers can do what they wish – from uploading and downloading potentially unwanted files; to making changes to the registry; or stealing passwords, account numbers, and other personal identifiers.
Unfortunately, launching these threats is getting easier. In fact, Symantec researchers have noted an increased use of crimeware kits that are sold on the black market. The kits make it easy for almost anyone to launch exploits across the Internet. Launching exploits and stealing financial and other sensitive data can be a lucrative endeavor for these attackers.
One of the most important things you can do to stop staged downloader infections is to educate your employees so they know what to be aware of, and how to avoid risky online behavior. Just one wrong click on the Web can lead to a malicious Web page, resulting in a compromised system. Social networking sites like MySpace and Facebook, as well as online gaming sites, are the source of many infections. Often, an attacker will hide behind the legitimacy of these Web sites to attract victims by enticing unsuspecting users to click on their link. Another common tactic is to periodically display fake security alerts that claim the computer is infected. Clicking one of the error messages can take you to a Web page hosting malicious code. Also, any site that prompts you to install a download before viewing should be avoided. Encourage your employees to use caution when browsing the Web, and avoid clicking on anything that is the least bit suspicious – and that goes for incoming email, too. Links in spam messages often go to malicious Web pages.
The large number of staged downloaders demonstrates the need for antivirus signatures to be kept up-to-date. Since signatures are created in response to new threats in the wild, it is vital that businesses maintain the most current antivirus definitions. In addition to having a regularly updated antivirus solution in place, firewalls, intrusion detection, and intrusion protection systems should also be installed and periodically, verified on every client machine.
The nature of staged downloaders offers insight into the explosion of malicious code in recent months. Trojans are quietly making their way onto systems around the world, compromising the security of businesses everywhere. Understanding the nature of this new generation of malicious code, sharing your knowledge with your employees, and keeping your security solutions up-to-date will go a long way toward stopping these kinds of threats.