By Don Clark
Apr. 3, 2013
For those who wonder why computer hackers seem to keep evading company defenses, a new study from FireEye provides some insights. One reason is the sheer volume of attacks; another is how they evolve to avoid detection.
The latest report from the Silicon Valley security firm–whose software sits inside many companies and watches internal data traffic–finds that events associated with the malicious code known as malware occur at each organization once every three minutes, on average. FireEye counts things like receiving booby-trapped email file attachments, as well as actions taken by malware already installed, such as “calling home” to command-and-control servers managed by attackers.
Technology firms, by far the most frequently targeted, experience about one event per minute, FireEye reports.
One of the most popular ways to attack companies is called phishing, in which employees are fooled into clicking on email attachments with legitimate-sounding names. The FireEye report lists the most common, with “UPS” being the top single phrase in file names, with “FedEx,” “HP,” “details,” “documents,” “tracking,” “invoice” and “Xerox” also ranking highly.
Files compressed with the format known as Zip make up a surprisingly high proportion of malicious file attachments–a whopping 92%, FireEye found. Few companies decide to block all such file attachments, not wanting to miss out on useful documents. And firewalls and other security software find that opening and analyzing Zip files in a timely fashion takes too much computer power.
“Decompressing takes a lot of CPU cycles,” says Zheng Bu, FireEye’s senior director of research. “Hackers figured that out.”
Nor is the presence of “digital certificates”–a cryptographic credential that can indicate code comes from a trustworthy source and has not been modified–much of a defense. FireEye found numerous examples of malware that had been digitally signed with certificates that were hijacked, stolen, or revoked, or that were otherwise invalid.
Organizations seeking to screen out malware often focus on attachments containing “.exe” files, which typically indicate the presence of executable software as opposed to static documents that don’t pose a threat. Partly for that reason, FireEye says, it has identified a growing number of malicious payloads contained in files called dynamic link libraries, or DLLs–modular chunks of code and data popularized by Microsoft, which can be used by more than one program at the same time.
Suspicious DLL files are harder to distinguish, particularly if hackers use the exact filenames of legitimate Windows DLLs but place them in different directories, which FireEye says now happens frequently.
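A defender-side triage check for the evasions described above (executables and look-alike system DLLs hidden inside Zip attachments), written as an added example that is not from the article or from FireEye. It reads only the archive's central directory, so it never pays the decompression cost Bu mentions; the attachment contents and the short list of well-known DLL names are constructed for the example.

```python
"""Cheap triage of a Zip attachment: flag executable payloads, entries whose base
name collides with a well-known Windows system DLL, nested archives and
suspicious inflate ratios, without decompressing any entry."""
from __future__ import annotations
import io
import zipfile
from pathlib import PurePosixPath

# Assumption: a short, constructed list of well-known system DLL base names; a real
# deployment would use a full inventory of the System32 directory.
KNOWN_SYSTEM_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".dll"}
MAX_RATIO = 100  # inflate ratio above which an entry looks like a decompression bomb


def triage_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (entry_name, reason) findings using central-directory metadata only."""
    findings: list[tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():  # metadata only; nothing is inflated here
            name = info.filename
            base = PurePosixPath(name).name.lower()
            suffix = PurePosixPath(base).suffix
            if base in KNOWN_SYSTEM_DLLS:
                findings.append((name, "well-known system DLL name in an attachment"))
            elif suffix in EXECUTABLE_SUFFIXES:
                findings.append((name, f"executable payload ({suffix})"))
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                findings.append((name, "suspicious compression ratio"))
            if suffix == ".zip":
                findings.append((name, "nested archive"))
    return findings


def build_sample() -> bytes:
    """Constructed sample attachment: one benign document, two lures, one nested zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docs/invoice.pdf", b"%PDF-1.4 constructed benign content")
        zf.writestr("docs/UPS_tracking_details.exe", b"MZ constructed stub")
        zf.writestr("docs/kernel32.dll", b"MZ constructed stub")
        zf.writestr("more/documents.zip", b"PK constructed stub")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in triage_zip(build_sample()):
        print(f"{entry}: {reason}")
```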
Many of these techniques were exemplified in an attack called Operation Beebus, which FireEye previously identified as having successfully helped filch information from at least six U.S. aerospace companies it did not identify.
To give an idea of how victims at these companies were fooled into activating the malware, FireEye included samples of how the attachments were labeled. Among the file names: “FY2013_Budget_Request.doc,” “NationalHumanRightsActionPlanofChina(2012-2015).pdf,” and “SecurityPredictionsfor2012and2013.pdf.”
Bu says the bottom line of the report is that the cyber warfare going on is a lot broader and more intense than is commonly thought. “It is very, very severe,” he says. “It is more difficult and dangerous than most people are thinking about.”