Submitted press release
MessageLabs Intelligence Targeted Attack Report:
Cybercriminals keep exploiting weak spots
- Word makes a comeback as the most common exploit vector -
Brussels, 23 May 2007 - MessageLabs, a leading provider of integrated messaging and web security services to businesses worldwide, has released new data on the scale, the victims and the sources of targeted email attacks in April 2007. Last month MessageLabs intercepted 595 emails in 249 separate targeted attacks on 192 different organisations. In 180 of these cases the attack came from a single source against a single target. The figures are lower than the previous month, mainly because of reduced activity by a Taiwanese ring known as "Task Briefing", which uses the CVE-2006-0022 PowerPoint exploit. There was also a fall in the number of attacks using .exe files. Ninety-five per cent of the targeted attacks in April 2007 used Microsoft Office suite exploits.
Microsoft Word has once again become the most common exploit vector. We are seeing a rise in attacks using Word documents that contain a SmartTag exploit, CVE-2006-2492. These attacks have increased dramatically, from four attacks on four individual recipients in March 2007 to 66 attacks aimed at 273 recipients in April.
Although PowerPoint attacks declined in April, the attacks using exploit CVE-2006-0022 were the work of the Taiwanese "Task Briefing" ring, which takes its name from the subject line of the emails it sends. The ring carried out six attacks this month with 61 emails, accounting for 10 per cent of all targeted email attacks in April. The longest attack lasted 45 hours. In March the same group sent 151 emails, representing more than 20 per cent of targeted attacks.
"We saw a sharp spike this month in documents using the CVE-2006-2492 exploit," says Alex Shipp, Senior Anti-virus Technologist, MessageLabs. "It looks as though more than one hacker ring is using this Microsoft Word exploit. So it is possible that a kit exists for generating the exploits, but it has not yet been found."
A further attack using the same PowerPoint exploit, this time launched from an IP address in China and targeting 14 Japanese email addresses, suggests that a second criminal group is active.
A full report is available at:
http://www.messagelabs.com/Threat_Watch/Intelligence_Reports.
# # #
About MessageLabs:
MessageLabs is a leading provider of integrated messaging and web security services, with more than 15,000 customers in over 80 countries, ranging from small businesses to Fortune 500 enterprises. MessageLabs offers a range of managed security services for the protection, control, encryption and archiving of communication via email, instant messaging and the web.
These services are delivered through MessageLabs' global infrastructure and supported 24 hours a day by security experts. This provides a practical and cost-efficient solution for managing and reducing risk and for guaranteed reliability in the exchange of business information. Visit www.messagelabs.com for more information.
# # #
Media contacts:
Kirsten Ackroyd, MessageLabs, +44 (0) 207 291 7939, kackroyd@messagelabs.com
Jeroen Fermie, Weber Shandwick, +32 (0)2 282 16 33, jfermie@webershandwick.com
MessageLabs Intelligence Special Report:
Targeted Attacks April 2007
During April 2007 MessageLabs intercepted 595 emails from 80 targeted attacks. 92 different domains were targeted,
belonging to 68 different customers.
The breakdown by file type is as follows:
[Figure: Attacks by file type. April 2007: .doc 64%, .ppt 17%, .xls 14%, .exe 3%, .chm 2%. March 2007: .ppt 45%, .doc 35%, .exe 15%, .xls 4%, .chm 1%.]
Key differences from last month:
· The number of attacks is down from last month, from 249 to 80
· Microsoft Word is back as the most common attack vector, taking over from Microsoft PowerPoint
· One reason for both of these is the drop in attacks by the "Task Briefing" ring using the CVE-2006-0022 PowerPoint exploit
· Another reason is the increase in attacks using Microsoft Word documents which exploit CVE-2006-2492
· Attacks using EXE files also declined
© MessageLabs 2007
The majority of the attacks consist of an individual email sent to a single person. This is a tactic to avoid signature-based
malware detection.
[Figure: Number of emails per attack, April 2007 (x axis: number of emails per attack; y axis: number of attacks, 0-120). Single email attacks are currently the most common. Attack sizes observed: 1, 2, 3, 4, 5, 7, 8, 9, 10, 11, 14, 16, 19, 20, 25, 26, 28 and 53 emails.]
Once again, attacks are more common on weekends. There was also a small tail-off around Easter (Easter Sunday was 8 April).
[Figure: Targeted attacks per day, April 2007 (x axis: day of month, 1-30; y axis: number of attacks, 0-16).]
Most organisations targeted were in the public sector. Aviation was the next most targeted sector.
[Figure: Target organisations, April 2007 (y axis: percentage of attacks targeted at each organisation type, 0-60%). Public sector is the largest bar, followed by aviation; other sectors on the chart include manufacturing, telecommunications, electronics, retail, military, law, pharmaceutical, building, tourism, finance, education, media, technology, leisure, publishing and petrochemical.]
The emails per country graph shows the country for the IP address that connected to the MessageLabs infrastructure.
However, this does not give the full picture. For instance, most emails originating from the US were actually from Google
or Yahoo mail servers. Similarly, most emails from Russia are actually being relayed through newmail.ru, and may
originate anywhere. Lastly, even if the true email sender PC is known, it is likely that this is a compromised machine
anyway, and is being manipulated from elsewhere into sending the email.
This is done to disguise the true origin of the attack.
Most of the emails from Taiwan were the work of one criminal ring, as discussed later.
Office exploits
95% of targeted attacks used Office exploits this month.
The exploits used can be broken down as follows:
Emails   Exploit         Application
   273   CVE-2006-2492   Word
    75   CVE-2006-0022   PowerPoint
    28   CVE-2006-0009   PowerPoint
    20   CVE-2006-6456   Word
     1   CVE-2006-3590   PowerPoint
   180   Unknown         Various
Use of the CVE-2006-2492 exploit has really taken off this month, and is examined in some detail later.
All but 14 of the emails containing the CVE-2006-0022 exploit were sent by the criminal ring examined in last month's report.
This ring is re-examined this month.
The 180 emails whose exploit is listed as unknown are currently being investigated. As of the time of the report, it is not known whether these are new zero-day exploits, old exploits, or variations on old exploits.
Microsoft has released patches which fix the known exploits. More details on the exploits and patches can be found here:
CVE             Bulletin   URL
CVE-2006-0009   MS06-012   http://www.microsoft.com/technet/security/bulletin/MS06-012.mspx
CVE-2006-0022   MS06-028   http://www.microsoft.com/technet/security/bulletin/MS06-028.mspx
CVE-2006-2492   MS06-027   http://www.microsoft.com/technet/security/bulletin/MS06-027.mspx
CVE-2006-3590   MS06-048   http://www.microsoft.com/technet/security/bulletin/MS06-048.mspx
CVE-2006-6456   MS07-014   http://www.microsoft.com/technet/security/bulletin/MS07-014.mspx
Attacks using CVE-2006-0022
CVE-2006-0022 is a PowerPoint exploit, explained more fully here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0022
Most of the attacks using this exploit were made by the criminal ring that was featured in last month's report. We
have decided to name this ring the "Task Briefing" ring from the subject line of one of the emails they use. They are
characterised by:
· Sending their emails from Taiwan
· Using a small set of emails
· Using the same exploit file for long periods of time
· Using the same sender address for long periods of time
· Using the same download server to host their malware
This month the ring made no changes to its modus operandi, sending all emails from Taiwan and using the same PowerPoint attachment and sender address each time. The sender address was cssrc@publicl.wx.js.cn. The subject lines of the two emails used by this ring roughly translate to:
· Task briefing
· All control point
The ring made 6 attacks this month, sending 61 emails to 2 companies. 9 different IP addresses were used, the longest for 45 hours. All IP addresses came from Taiwan. The emails accounted for just over 10% of all targeted emails.
[Figure: "Task Briefing" ring attacks, April 2007 (x axis: day of month, 1-30; y axis: number of emails, 0-30).]
This is down from last month, when they sent 151 emails, accounting for just over 20% of all targeted emails, and is one of the reasons that the use of PowerPoint exploits has fallen behind the use of Word exploits.
According to the VirusTotal web site, 6 AV companies now detect this exploit file, which is up by 1 from last month.
There was one other attack using the CVE-2006-0022 exploit. The modus operandi suggests that a second ring is operating. The attack came from an IP address in China and targeted 14 Japanese email addresses at 8 companies. The email was in Japanese, with a subject line which roughly translates to 'North Korea's begging diplomacy'.
Attacks using CVE-2006-2492
CVE-2006-2492 is a SmartTag exploit in Word, explained more fully here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2492
Attacks using this exploit have really taken off this month. There were only 4 attacks and 4 emails last month, compared to 66 attacks and 273 emails this month.
One interesting question is whether this is the work of one criminal ring or many, and if many, just how many are involved. In the past, we have seen a generator that created documents with CVE-2006-6456 exploits. Has a generator been published for this exploit, or is each ring creating the documents from scratch using its own tools? Is someone selling these exploits to third parties?
To answer these questions is not easy. The methodology used is to group together attacks which have similar features.
The more similar features, the more likely it is that two attacks belong to the same group. Some features have more
weight than others, and if shared may guarantee that two attacks belong to the same group. For instance, if two attacks
both download the same file from the same server, it is extremely likely they should be grouped together. Other factors
considered are the target email addresses, email text, attachment names, subject lines, shellcode used, and exploit
encoding scheme used.
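The grouping method described above, and the ring characteristics listed under "Attacks using CVE-2006-0022" (same exploit file, same sender address, same download server), amount to a weighted-feature clustering: two attacks that share a decisive feature are always merged, and otherwise they are merged when the total weight of their shared features crosses a threshold. The following is an added example written to illustrate that method; it is not MessageLabs' code. The attack records are constructed sample data, and the feature weights, the threshold and the choice of the download URL as the only decisive feature are assumptions made for illustration, not figures from the report. Because grouping is transitive (A is linked to B, B to C), the number of clusters is an upper bound on the number of rings, which is why the report phrases its result as "not more than 27 groups".

```python
"""Weighted-feature clustering of targeted-attack records (illustrative)."""
from dataclasses import dataclass
from itertools import combinations

# Assumption: a shared download server/file is decisive on its own.
DECISIVE = {"download_url"}

# Assumed weights for the other features the report lists; the values
# are illustrative, not taken from the report.
WEIGHTS = {
    "sender": 3,
    "shellcode_hash": 3,
    "subject": 2,
    "attachment_name": 2,
    "targets": 2,      # any overlap in target addresses
    "encoding": 1,     # exploit encoding scheme is weak evidence on its own
}
THRESHOLD = 4          # assumed minimum total weight to merge two attacks


@dataclass(frozen=True)
class Attack:
    id: str
    sender: str
    subject: str
    attachment_name: str
    download_url: str      # empty string when the sample dropped nothing
    shellcode_hash: str
    encoding: str
    targets: frozenset


def shared_features(a, b):
    """Names of the features two attacks have in common (empty values never match)."""
    shared = set()
    for name in ("sender", "subject", "attachment_name", "download_url",
                 "shellcode_hash", "encoding"):
        if getattr(a, name) and getattr(a, name) == getattr(b, name):
            shared.add(name)
    if a.targets & b.targets:
        shared.add("targets")
    return shared


def same_group(a, b):
    """Decisive feature shared, or enough weighted evidence, links two attacks."""
    shared = shared_features(a, b)
    if shared & DECISIVE:
        return True
    return sum(WEIGHTS.get(f, 0) for f in shared) >= THRESHOLD


def cluster(attacks):
    """Union-find over pairwise links; returns groups of attack ids, largest first."""
    parent = {a.id: a.id for a in attacks}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for a, b in combinations(attacks, 2):
        if same_group(a, b):
            parent[find(a.id)] = find(b.id)
    groups = {}
    for a in attacks:
        groups.setdefault(find(a.id), set()).add(a.id)
    return sorted(groups.values(), key=lambda g: (-len(g), sorted(g)))


# Constructed sample records (hypothetical senders, hashes and targets).
SAMPLE = [
    Attack("A1", "s1@example.invalid", "Task briefing", "briefing.ppt",
           "http://dl.example.invalid/a.exe", "h1", "xor", frozenset({"a@x", "b@x"})),
    Attack("A2", "s2@example.invalid", "Report", "report.doc",
           "http://dl.example.invalid/a.exe", "h2", "add", frozenset({"c@y"})),
    Attack("A3", "s1@example.invalid", "Task briefing", "plan.doc",
           "", "h3", "add", frozenset({"d@z"})),
    Attack("A4", "s4@example.invalid", "Invoice", "invoice.doc",
           "", "h4", "xor", frozenset({"e@w"})),
    Attack("A5", "s5@example.invalid", "Meeting", "invoice.doc",
           "", "h5", "xor", frozenset({"e@w", "f@w"})),
    Attack("A6", "s6@example.invalid", "Hello", "hello.xls",
           "", "h6", "rol", frozenset({"g@v"})),
]


def max_groups(attacks):
    """Upper bound on the number of rings behind the given attacks."""
    return len(cluster(attacks))


if __name__ == "__main__":
    for g in cluster(SAMPLE):
        print(sorted(g))
    print("not more than", max_groups(SAMPLE), "groups")
```

In the sample, A1 and A2 merge solely because they fetched the same file from the same server; A3 joins the same group through the sender and subject it shares with A1, even though A2 and A3 share nothing directly; A4 and A5 need the combination of attachment name, overlapping targets and encoding to cross the threshold; A6 stands alone. As more attacks are observed, new links can only merge clusters, never split them, so the bound can only decrease over time, which matches the report's expectation that the figure of 27 will fall.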
In previous months, we incorrectly classified this exploit as CVE-2006-0524. This has been corrected for in the calculations.
This analysis suggests that the 66 attacks were sent by not more than 27 groups. However, the modus operandi in each case is still similar enough that it is possible that there was only one group. Investigations will continue as more data becomes available, to see if this figure can be refined.
Of the potential groups, the three largest were responsible for 22, 8 and 5 attacks respectively. 8 groups were responsible for only one attack each. It seems unlikely that any group would send only one attack in a month, and therefore it is possible that, as more data becomes available over the coming months, the maximum number of groups will decrease from the current 27.
[Figure: Typical email with Word attachment using the CVE-2006-2492 exploit.]
Analysis by Alex Shipp, Senior Anti-virus Technologist