Targeted Attacks in 2013

It can all start with what looks like an innocuous email containing a link to a potential job opportunity. Or perhaps it’s an unexpected phone call from someone claiming to be a high-ranking employee, asking you to process an invoice sent by email. It may even be lying in wait behind a website you frequently visit for work.

In many ways, targeted attacks have become public enemy number one in the corporate world, if only for the havoc a successful attack can wreak. Stolen intellectual property, a loss of faith by customers, or simply general embarrassment are just a few of the potential outcomes of these attacks.

In this month’s Symantec Intelligence Report we take a detailed look at targeted attacks in 2013. While new techniques have yet to surface in the threat landscape so far this year, we’ve found that attackers have been busy refining established practices, adding new tricks to attack methods such as watering holes and spear phishing in order to increase the likelihood of snaring their intended targets.

We analyzed targeted attack trends over the last three years to get a better feel for how attackers are operating. While we’ve noticed that attacks per day are lower compared to last year, attacks are up 13 percent over a three year period.

We’ve also noticed a change in intended targets. While attacks against Manufacturing made up almost a quarter of all targeted attacks in 2012, it seems that attackers have shifted to services industries, where more than a third of attacks have been aimed so far this year.

We also take a look at the times of the year attackers are more likely to kick off targeted attack campaigns, as well as the type of malicious payloads they’re using. For instance, just how effective do you think emailing an executable as an attachment is in 2013? You might be surprised.

I sat down with Stephen Doherty, one of our leading threat researchers, for a Q&A discussion around the Hidden Lynx group, which carried out targeted attacks and breached some of the world’s best protected organizations. Symantec Security Response recently reported details on this group in a Symantec whitepaper, “Hidden Lynx – Professional Hackers for Hire.”  Here’s a quick sample of our discussion:

They’re cutting edge in what they do. They have access to the latest exploits. We’ve seen them using spear phishing attacks, and VOHO was a large watering hole campaign. To get into quite hard to reach places they have used supply chain attacks.

We go on to talk about who the Hidden Lynx group is, how they operate, and what they’re after, as well as what the future might hold for these attackers.

We hope you enjoy reading the September Symantec Intelligence Report. You can download your copy here.

Don’t trust VPNs? Create your own with a friend and a browser extension

A browser extension being developed for Chrome and Firefox will let Web users create VPN-like connections to the Internet by routing all their traffic through a friend's trusted connection.

Consumer VPNs—like the CryptoSeal service that shut down due to fears over government snooping—let users create secure connections to a VPN provider's data center. The user's traffic is sent to the rest of the Internet only after it gets encrypted and pushed through the VPN service.

The new "uProxy" will work in a similar way except that your traffic is routed through a friend's secure connection before traveling to the rest of the Internet. Both you and your friend would need to have a browser extension installed and running for it to work. You could also use uProxy to route traffic through your home Internet connection when you're out of the house and on a public Wi-Fi network.

Spammers Bypass Twitter’s URL Restrictions in Direct Messages

Following media reports that Twitter has restricted URLs in direct messages, spammers found a way around this restriction this weekend in order to push diet pill spam links.


Figure 1. A direct message sends users to the tweet containing the spam link

We first noticed this when someone we follow on Twitter, who has never followed us before, started following us. Shortly after receiving the notification that we had a new follower, we received a direct message from the user.


Figure 2. A malicious link sent to a Twitter user through direct message

Unlike the usual Twitter spam, the link in the message directed us back to Twitter. It was a link to a specific tweet that the user had posted on their own account.

The link within that tweet led to a common type of diet pill spam that has appeared on various social networks over the years.


Figure 3. Clicking on the links directs users to a diet spam Web page

By searching for the keywords “I recommend site” on Twitter, we found hundreds of Twitter users who had tweeted similar links. This indicates that their accounts had also been compromised and that many of their followers received direct messages like ours.


Figure 4. Users’ tweets containing diet pill spam links

Upon further investigation, we discovered that Twitter is currently blocking links to URL shortening services such as TinyURL in direct messages. When we attempted to send links from these services to friends through a direct message, we received an error message.


Figure 5. Twitter support article notes changes being made to direct messages

Twitter may be blocking these links in direct messages because spammers typically hide their spam domains behind shortening services. A note in a Twitter help center article states that back-end restructuring efforts may prevent some URLs from being sent. Whatever the reason, the restriction only covers the direct message itself: by linking to a tweet on Twitter and placing the spam link in that tweet, spammers have found a workaround and continue their efforts.

If you or someone you know sent out a spam link through a tweet or direct message, Symantec recommends that you follow these steps to ensure that your account is no longer compromised.

Ransomcrypt: A Thriving Menace

While Ransomlock Trojans have plagued the threat landscape over the last few years, we are now seeing cybercriminals increasingly use Ransomcrypt Trojans. The difference is that Ransomlock Trojans generally lock the computer screen, while Ransomcrypt Trojans encrypt individual files and hold them hostage. Both are extortion schemes: the cybercriminals profit by demanding money from victims in exchange for restoring access.

Recently, a new threat detected by Symantec as Trojan.Ransomcrypt.F (also known as Cryptolocker) has been growing in the wild. Trojan.Ransomcrypt.F encrypts data files, such as images and Microsoft Office documents, and then demands payment through Bitcoin or MoneyPak to decrypt them, giving the victim a countdown within which to pay. This Ransomcrypt Trojan uses strong encryption algorithms, so the files cannot practically be recovered without the attacker's cryptographic key.


Figure 1. Trojan.Ransomcrypt.F payment screen

Most of the Trojan.Ransomcrypt.F infections observed by Symantec have been in North America.


Figure 2. Trojan.Ransomcrypt.F infection map

The initial attack vector is an email carrying a malicious Trojan.Zbot attachment; once run, Trojan.Zbot downloads and installs Trojan.Ransomcrypt.F on the compromised computer. The Ransomcrypt Trojan then employs a domain generation algorithm (DGA) to find an active command-and-control (C&C) server.


Figure 3. Ransomcrypt DNS requests

Symantec customers are protected by the intrusion prevention system (IPS) signature System Infected: Trojan.Ransomcrypt.F, which blocks the Trojan’s access to the generated domains.

Malware authors use DGAs to free their malware from reliance on a handful of hard-coded servers, which defenders could block or take down. Instead, malware like Trojan.Ransomcrypt.F dynamically generates domain names based on some criteria (usually including the current date), and the attackers register only a few of the resulting names. This makes it more difficult to block traffic based solely on domain name filtering.

An interesting feature of this Trojan’s DGA is its use of a Mersenne twister to generate the random numbers behind the generated domain names. Trojan.Ransomcrypt.F uses the GetTickCount and QueryPerformanceCounter Windows functions to produce seed values for the Mersenne twister initialization routine.


Figure 4. Trojan.Ransomcrypt.F Mersenne twister initialization

The Mersenne twister output is reduced modulo 1,000 to keep it in the range 0–999. This value is then mixed with the current date to produce up to 1,000 generated domain names per day. Because the timer-derived seed only selects which of those 1,000 names is tried, the whole day's candidate set is enumerable by anyone who knows the algorithm, which is what makes signature-based blocking of the generated domains possible.
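The structure described above (a Mersenne twister seeded from a timer, its output reduced modulo 1,000, the index mixed with the date, and a defender enumerating the day's full set to match against DNS logs, as the IPS signature does) as an added example. This is illustrative code written for this page, not Trojan.Ransomcrypt.F's actual algorithm or Symantec's signature: the date-mixing step (a SHA-256 hash), the 14-letter label length, the TLD list, the log line format and the hypothetical names such as domain_for, infected_host_pick and flag_dga_queries are all assumptions. Python's random module is itself an MT19937 Mersenne twister, which stands in for the Trojan's own implementation; the Windows tick counters are replaced by a caller-supplied integer seed.

```python
"""Hypothetical date-seeded DGA in the shape the post describes, plus the
defender's side: enumerate every candidate for a day and flag DNS queries.
NOT Trojan.Ransomcrypt.F's real algorithm; mixing step, label length and
TLDs are assumptions chosen for illustration."""
import datetime
import hashlib
import random
import re

DOMAINS_PER_DAY = 1000
TLDS = ("com", "net", "org")   # assumed; the post does not list the TLDs
LABEL_LEN = 14                 # assumed label length
SAMPLE_DAY = datetime.date(2013, 10, 8)   # constructed date for the demo


def domain_for(day: datetime.date, r: int) -> str:
    """Mix the date with an index in 0..999 into one candidate C&C domain."""
    if not 0 <= r < DOMAINS_PER_DAY:
        raise ValueError("index must be in 0..999")
    material = f"{day.year:04d}{day.month:02d}{day.day:02d}:{r}".encode()
    digest = hashlib.sha256(material).digest()       # assumed mixing step
    label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LEN])
    return f"{label}.{TLDS[r % len(TLDS)]}"


def infected_host_pick(day: datetime.date, tick_seed: int) -> str:
    """What the bot does per attempt: seed the twister from a timer value
    (GetTickCount/QueryPerformanceCounter on Windows; here an integer the
    caller supplies), take one 32-bit output and reduce it modulo 1000."""
    mt = random.Random(tick_seed)                    # MT19937 under the hood
    r = mt.getrandbits(32) % DOMAINS_PER_DAY
    return domain_for(day, r)


def all_domains_for(day: datetime.date) -> set[str]:
    """What a defender does: the seed only chooses an index in 0..999, so the
    whole day's candidate set can be enumerated without knowing the seed."""
    return {domain_for(day, r) for r in range(DOMAINS_PER_DAY)}


# Matches the 'query: <name> IN A' portion of a BIND-style query log line.
LOG_RE = re.compile(r"query: (?P<qname>[A-Za-z0-9.-]+) IN A")


def flag_dga_queries(log_lines, day: datetime.date) -> list[str]:
    """Return the queried names, in log order, that fall in the day's DGA set."""
    candidates = all_domains_for(day)
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("qname").lower().rstrip(".") in candidates:
            hits.append(m.group("qname"))
    return hits


if __name__ == "__main__":
    # Constructed query log lines, not real traffic: one benign lookup and
    # one lookup of the name an infected host would pick with a given seed.
    sample_log = [
        "08-Oct-2013 09:00:01.123 client 10.0.0.5#51234: query: www.example.com IN A + (10.0.0.1)",
        "08-Oct-2013 09:00:02.456 client 10.0.0.7#51235: query: "
        + infected_host_pick(SAMPLE_DAY, 123456789) + " IN A + (10.0.0.1)",
    ]
    for q in flag_dga_queries(sample_log, SAMPLE_DAY):
        print("DGA domain queried:", q)
```

The defender-side check does not need the Trojan's seed at all, only the date and the algorithm; that asymmetry is why a 1,000-per-day DGA is blockable by signature while still being awkward for plain blocklists, which must be refreshed every day.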

Mersenne twisters are unusual in malware samples, but we have seen one used before, specifically in Trojan.Zbot.


Figure 5. Trojan.Zbot Mersenne twister initialization

When we compare Trojan.Zbot and Trojan.Ransomcrypt.F, we see code similarities that lead us to believe there may be a connection between the two Trojans. The Zbot source code is freely available on the Internet for modification, so shared code does not necessarily mean shared authors.

Users should never pay a ransom to have their files decrypted. The latest Symantec technologies and Norton consumer and Symantec enterprise solutions protect against these kinds of attacks. Keep regular backups, stored where an infected computer cannot overwrite them, so that files can be restored if necessary.