JPCERT-AT-2011-0028
JPCERT/CC
2011-10-28
<<< JPCERT/CC Alert 28.10.11 >>>
Targeted Email Attacks
https://www.jpcert.or.jp/at/2011/at110002.txt
I. Overview
As has recently been reported in the media, there has been an
increase in the spread of malware through targeted e-mails sent to
specific organizations and corporate groups. Infection of a user's
computer by malware attached to a targeted e-mail may result in the
theft of corporate or organization confidential information by the
attacker. There is also a risk of the malware infection spreading to
other computers and servers connected to the company network from the
infected PC.
JPCERT/CC has confirmed that recent targeted e-mail attachments include
malware in the form of document files that exploit vulnerabilities, as
well as malware in the form of executable files. In these cases, most of
the document-type malware exploited known vulnerabilities, so infection
would have been prevented had security updates been applied.
JPCERT/CC has also confirmed executable-type malware that uses
misleading icons to trick users into opening the file, and that uses
RLO (Right-to-Left Override) to disguise file name extensions.
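As an added illustration (not part of the JPCERT/CC alert), the following Python function shows how a mail gateway or file-scanning script can flag the RLO trick: it reports the extension the file actually has, an approximation of the name a user would see after the bidirectional override is applied, and whether the two differ. The sample file names are constructed.

```python
# Added example, not from the alert: detect file names that use the Unicode
# Right-to-Left Override (U+202E) or related bidi controls to hide an extension.
RLO = "\u202e"
# Bidirectional control characters that can reorder how a name is displayed.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}


def displayed_name(name: str) -> str:
    """Approximate what a user sees: the text after an RLO is rendered
    right-to-left, i.e. reversed (simplified bidi handling, an assumption)."""
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    tail = "".join(ch for ch in tail if ch not in BIDI_CONTROLS)
    return head + tail[::-1]


def _extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def analyze_filename(name: str) -> dict:
    """Return the real extension, the displayed name/extension, and flags.
    Any bidi control in a file name is treated as suspicious on its own;
    a differing real vs. displayed extension is reported separately."""
    shown = displayed_name(name)
    has_bidi = any(ch in BIDI_CONTROLS for ch in name)
    return {
        "actual_extension": _extension(name),
        "displayed_as": shown,
        "displayed_extension": _extension(shown),
        "extension_mismatch": _extension(name) != _extension(shown),
        "suspicious": has_bidi,
    }


def suspicious_attachments(names):
    """Filter a list of attachment names down to the ones to quarantine."""
    return [n for n in names if analyze_filename(n)["suspicious"]]


if __name__ == "__main__":
    # Constructed sample: "invoice" + RLO + "fdp.exe" is shown as "invoiceexe.pdf"
    for n in ["invoice\u202efdp.exe", "invoice.pdf"]:
        print(analyze_filename(n))
```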
In order to prevent damage from these targeted e-mails, JPCERT/CC
recommends implementing the steps described in "III. Solution".
II. Detection of Targeted E-Mail Attacks
Targeted e-mail attacks are generally performed stealthily, and
their target scope is relatively small. This makes them difficult to
detect. Attacks and malware infection may be detected by regularly
confirming the following items.
It is recommended that system administrators regularly check the
following items in order to detect if their organization is the target
of a targeted e-mail attack, or if it has been infected by malware as
a result of such an attack.
- Check for unusual internal/external traffic in traffic logs
Regularly check logs and gateway devices such as routers,
firewalls, and proxy servers, and confirm whether there has been
any unusual traffic.
(JPCERT/CC has confirmed the existence of malware which
communicates using ports 80 and 443, so detection based on
transmission port alone may be difficult.) For example, check if
there have been communications with countries that are not
normally accessed, or frequent communications from computers or
servers outside of business hours.
- Unplanned server reboots
There have been cases in the past where malware infection has been
detected due to unplanned server reboots. If any unplanned server
reboots occur, check the system just in case for unauthorized
intrusion.
- Regular virus scanning
Malware may be updated periodically in response to commands issued
by attackers. When this happens, old malware may remain on hard
disks. Such old malware may not have been detectable by anti-virus
software at the time of infection, but later virus pattern file
updates may have enabled the anti-virus software to detect the
malware. Therefore, old malware may be detectable by regularly
running full hard disk virus scans. However, even if old malware
is removed, undetectable new malware may still be running. It is
recommended, for example, that computers in which malware has been
found are moved to an isolated network, and their behavior
observed in order to confirm if they are attempting any unintended
communications. If this is not feasible, please consider
consulting with the anti-virus software vendor.
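The traffic-log check in the first item above, as an added example that is not from the alert: a small Python routine that reads proxy or firewall log lines, ignores the destination port (the alert notes that malware also uses 80 and 443), and reports internal hosts with repeated connections to external addresses outside business hours. The log format, the internal address range, and the business-hours window are assumptions, and the log lines are constructed.

```python
# Added example, not from the alert: flag internal hosts that repeatedly
# contact external destinations outside business hours.
from collections import Counter
from datetime import datetime
import ipaddress

BUSINESS_HOURS = range(8, 20)            # 08:00-19:59 local time (assumed)
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

# Constructed sample log, one "<timestamp> <src> <dst>:<port>" per line.
SAMPLE_LOG = """\
2011-10-25T09:14:02 10.0.3.21 203.0.113.5:443
2011-10-25T23:14:02 10.0.3.21 203.0.113.5:443
2011-10-26T02:30:11 10.0.3.21 203.0.113.5:443
2011-10-26T03:30:11 10.0.3.21 203.0.113.5:80
2011-10-26T12:00:00 10.0.7.8 198.51.100.9:443
2011-10-26T22:05:44 10.0.7.8 198.51.100.9:443
2011-10-26T01:00:00 10.0.3.21 10.0.0.5:445
"""


def parse_line(line):
    """Split one log line into (timestamp, src address, dst address, port)."""
    ts, src, dst = line.split()
    host, _, port = dst.rpartition(":")
    return (datetime.fromisoformat(ts), ipaddress.ip_address(src),
            ipaddress.ip_address(host), int(port))


def after_hours_external(log_text, threshold=2):
    """Return {src: count} for internal hosts with at least `threshold`
    connections to external addresses outside BUSINESS_HOURS.
    The port is deliberately not used as a signal."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _port = parse_line(line)
        if src in INTERNAL and dst not in INTERNAL and ts.hour not in BUSINESS_HOURS:
            counts[str(src)] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(after_hours_external(SAMPLE_LOG))   # hosts worth a closer look
```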
III. Solution
The following targeted e-mail countermeasures are recommended for
use on client PCs. Attacks frequently exploit known vulnerabilities,
so application security updates should be immediately applied, if they
have not been applied already.
- Keep the operating system and applications up to date:
  - Microsoft Office products, etc.
  - Adobe Reader/Acrobat/Flash Player
  - Oracle Java SE
- If suspicious e-mails, or e-mails with even slightly suspicious
aspects, are received, do not open any attachments, or consult
with a system administrator
- Keep anti-virus software pattern files up to date
Some recent software has protective modes or employs other
approaches to allow files to be used safely. It is recommended to use
the latest versions of applications whenever possible.
Even if the measures above are implemented, malware infection can
occur if a user opens an executable malware file. Refer to "V.
Introduction to IT Security Inoculation", and consider improving the
computer literacy of users.
IV. JPCERT/CC Incident Response
The spread of existing damage, and the occurrence of new damage, caused
by malware can be prevented by shutting down the servers that the
malware uses to propagate itself.
If incidents are reported to JPCERT/CC, it can take steps to shut
down the sites being used in the attack, so please contact JPCERT/CC
via one of the following.
JPCERT Coordination Center
Incident reporting: https://www.jpcert.or.jp/form/
- Web form: https://form.jpcert.or.jp/
- E-mail: info@jpcert.or.jp
V. Introduction to IT Security Inoculation
JPCERT/CC carries out IT security inoculation training in order to
improve the security consciousness of general employees and system
administrators, and publishes its results.
In IT security inoculation, harmless fake targeted e-mails are sent
to subject employees (up to twice per employee) in order to further
their understanding of targeted e-mails, and improve their security
consciousness. IT security inoculations have been performed at
multiple companies, with the likelihood of employees opening fake
targeted e-mails dropping for the second e-mail, so the inoculation
shows promise for increasing computer literacy. Please see the
following research reports for information regarding the techniques
and effectiveness of IT security inoculations.
Research Report on IT Security Inoculation - 2009
http://www.jpcert.or.jp/research/#inoculation2009
Research Report on IT Security Inoculation - 2008
http://www.jpcert.or.jp/research/#inoculation2008
If you wish to perform an IT security inoculation, manuals and tools
are available free of charge from JPCERT/CC. Please contact JPCERT/CC
at the following address.
JPCERT Coordination Center
Contact
- E-mail: office@jpcert.or.jp
VI. References
The Growing Threat of Targeted Cyber Attacks
http://www.ipa.go.jp/about/press/20111018.html
Confirmation of E-mails Containing Virus Payloads, Claiming to Be Part of Study Regarding Infection by Viruses Targeting Companies in Japan and Using RLO Control Code to Hide Attachment Extensions
http://blog.trendmicro.co.jp/archives/3555
Keep Your Software Up to Date!! - Security Intelligence Report 11
http://blogs.technet.com/b/jpsecurity/archive/2011/10/20/3460367.aspx
If you have any further questions or information regarding this
alert, please contact JPCERT/CC.
======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600 FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/