The US Computer Emergency Readiness Team (CERT) has just issued the following bulletin:
The United States Computer Emergency Readiness Team (US-CERT) has received reports of an email-based technique for spreading trojan horse programs. A trojan horse is an attack method by which malicious or harmful code is contained inside apparently harmless files. Once opened, the malicious code can collect unauthorized information that can be exploited for various purposes, or permit computers to be used surreptitiously for other malicious activity. The emails are sent to specific individuals rather than the random distributions associated with a phishing attack or other trojan activity. (Phishing is the act of sending an email to a user falsely claiming to be an established, legitimate enterprise in an attempt to scam the user into surrendering private information that can be used for identity theft.) These attacks appear to target US information for exfiltration. This alert seeks to raise awareness of this kind of attack, highlight the important need for government and critical infrastructure system owners and operators to take appropriate measures to protect their data, and provide guidance on proper protective measures.
There are two distinct elements that make this attack technique significant. First, the trojans can elude conventional protective measures such as anti-virus software and firewalls, both key measures in protecting US Critical Infrastructure networks. A number of open source and tailored trojans, altered to avoid anti-virus detection, have been used. Trojan capabilities suggest that exfiltration of data is a fundamental goal. Second, the emails are sent to specific or targeted recipients. Unlike "phishing" attacks, the emails use social engineering to appear credible, with subject lines often referring to work or other subjects that the recipient would find relevant. The emails containing the trojanized attachments, or links to websites hosting trojanized files, are spoofed, making them appear to come from a colleague or reliable party. The email attachments exploit known vulnerabilities to install a trojan on the user's computer. When opened, the file or link installs the trojan. Trojans can be configured to transmit information to a remote attacker using ports assigned to a common service (e.g., TCP port 80, which is assigned to Web traffic) and thereby defeat firewalls. Once the trojanized attachment is opened, a remote attacker can then perform the following functions:
Due to the targeted distribution of trojans spread in this way and the possibility of communication with remote attackers using ports assigned to common services, detection of this activity is problematic. US-CERT advises that system administrators take the following actions:
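The bulletin notes that exfiltration over a port assigned to a common service (TCP 80) passes port-based firewall rules, so detection has to look at the behaviour of the flows rather than the port. The following is an added example, not part of the US-CERT bulletin, that runs two simple heuristics over constructed egress-firewall log lines: near-constant connection intervals (beaconing) and an outbound-to-inbound byte ratio far above what ordinary web browsing produces. The log format, host names and thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed egress-firewall log lines (assumed format, not from the bulletin):
# time_seconds  src_host  dst_ip  dst_port  bytes_out  bytes_in
LOG_LINES = """\
0    ws-17 203.0.113.10 80 48000 300
300  ws-17 203.0.113.10 80 51000 310
600  ws-17 203.0.113.10 80 47500 305
900  ws-17 203.0.113.10 80 50200 298
0    ws-03 198.51.100.5 80 1200  88000
140  ws-03 198.51.100.7 80 900   40000
710  ws-03 198.51.100.5 80 1500  120000
""".splitlines()

LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse(lines):
    """Yield (time, src, dst, port, bytes_out, bytes_in); skip malformed lines."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            t, src, dst, port, out, inn = m.groups()
            yield int(t), src, dst, int(port), int(out), int(inn)

def suspicious_flows(lines, min_conns=3, max_jitter=0.2, min_out_ratio=5.0):
    """Group port-80 flows per (src, dst) pair and flag pairs that both
    beacon (interval jitter <= max_jitter) and push far more bytes out
    than they pull in (out/in >= min_out_ratio). Normal browsing is bursty
    and download-heavy, so both conditions together are a strong signal."""
    flows = defaultdict(list)
    for t, src, dst, port, out, inn in parse(lines):
        if port == 80:
            flows[(src, dst)].append((t, out, inn))
    hits = []
    for (src, dst), recs in flows.items():
        if len(recs) < min_conns:          # too few samples to judge periodicity
            continue
        recs.sort()
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        avg_gap = mean(gaps)
        jitter = pstdev(gaps) / avg_gap if avg_gap else 1.0
        out_total = sum(r[1] for r in recs)
        in_total = sum(r[2] for r in recs)
        ratio = out_total / max(in_total, 1)
        if jitter <= max_jitter and ratio >= min_out_ratio:
            hits.append({"src": src, "dst": dst, "interval_s": avg_gap,
                         "out_in_ratio": round(ratio, 1)})
    return hits
```

In the constructed sample only ws-17 is flagged: it contacts one address every 300 s and sends roughly 160 times more data than it receives, while ws-03's traffic is irregular and download-heavy.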