Drive-bys, spear-phishing and Trojans - the changing face of cyber security

Candid Wüest, 15 Sep 2011

Few risk landscapes evolve as quickly as those in cyber space. Malicious software, primarily aimed at gaining illicit revenue, is multiplying and mutating at a rapid rate. Major concerted attacks, such as Stuxnet, have highlighted the vulnerability of systems to sustained and organised security breaches. Evolution in hardware and software – such as mobile devices and social networking sites – highlights new potential points of cyber vulnerability.


Over recent years, attacks in cyber space have continuously evolved and reached a high level of sophistication. Attack vectors have continuously adapted to new technologies. New delivery methods such as Web attack toolkits are driving up the number of malware variants in circulation. In 2010, Symantec noted more than 286 million unique variants of malware. That corresponds to more than 780,000 new malicious variants per day. More than 75 percent of these documented threats were present on fewer than 50 computers globally. Several variants, so-called singletons, were seen on just one machine in the wild. Malware toolkits are one factor behind these small clusters of threats. These tools are traded and sold in underground forums on the Internet and allow even non-tech-savvy hackers to launch massive cyber attacks.

Drive-by download attacks

Those toolkits or construction sets are also responsible for the growth in web-based attacks, often referred to as drive-by download attacks, which have increased by 93 percent in the last year. A small malicious script is embedded into a legitimate website and activated when a user visits the site. The script then analyses what browser version and plug-ins the user has and attempts to exploit vulnerabilities in those components. With, on average, more than 600 known vulnerabilities per year across all browsers, the chances are very high that there is an unpatched hole that can be misused to plant malware on the user’s system. The infection happens without the need for any interaction from the user’s side. Visiting a web site can be enough to become infected with a Trojan horse. The more sophisticated attack toolkits will generate a new malware variant for each potential victim, with the help of encryption and mutation techniques. This leads to small groups of infections per variant. With this pattern constantly repeated, the result is hundreds of thousands of different infections per day.

Once infected, the threat will “phone home” and contact its command and control server. This set of infected machines is generally referred to as a botnet. Through the central command and control server, the attacker gains control of a potential army of hosts and can start sending out instructions to them. Depending on the motivation of the attacker, this could mean that all infected machines start sending out spam messages to harvested email accounts, collecting passwords and credit card numbers used by the local users or attacking other computers and servers with denial of service attacks. There are currently two main categories of attackers. The first are profit oriented, seeking to steal credit card and online banking information with the intent to sell them on the underground market. This is estimated to be making millions of dollars per year. The second category of attackers is politically or ideologically motivated, either with malicious intent or seeking publicity.

Drive-by protection

The volume of new malware and the speed at which it appears can push traditional security solutions to their limits. Purely reactive technologies, like signature based anti-virus detection, where malware needs to be analysed before a fingerprint can be generated, are overloaded by the flood of malware.

However, there are proactive detection methods available, like behaviour-based analysis or reputation based detection, that can help mitigate today’s risks. A behaviour-based detection system monitors any running process for suspicious behaviour and can, if needed, stop and eradicate a malicious process, even if the system has never before seen the particular malware. One of the obvious downsides of this method is that the threat needs to be allowed to run on the system, and this makes it something of a last resort in terms of defence. Reputation-based detection, as pioneered by Symantec, can react earlier in the chain. For this purpose, millions of systems anonymously submit statistical data about running processes, such as their initial emergence and their prevalence. Together with other information, this allows the security system to make a decision on suspicious files in real-time. Files with a track record, and which are used by thousands of users and downloaded from a trusted source, are less suspicious than one-offs that have never been seen before. Good modern security products contain a combination of different methods to combat the multifaceted attacks seen today.
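As an added illustration (not part of the original article and not Symantec's actual system), the following Python sketch shows how prevalence, first emergence and download source might be combined into a real-time verdict on a file the system has never seen before. The weights, thresholds, hash values and sample telemetry are constructed assumptions for this example.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta

# Fixed reference time so the example is deterministic (constructed value).
NOW = datetime(2011, 9, 15, 12, 0, 0)


@dataclass
class FileTelemetry:
    """Statistics one executable has accumulated across anonymously submitting systems."""
    sha256: str          # file identifier; values below are constructed placeholders
    prevalence: int      # number of systems that have reported the file
    first_seen: datetime # when the file first appeared in the telemetry
    trusted_source: bool # whether it was downloaded from a known, trusted publisher


def reputation_score(t: FileTelemetry, now: datetime = NOW) -> int:
    """Illustrative scoring: more users, a longer track record and a trusted origin raise
    the score. The weights are assumptions for this example, not a vendor's real formula."""
    score = 0
    # Prevalence: each order of magnitude of reporting systems adds 10 points
    # (1 system -> 0, 10 -> 10, 1000 -> 30). A singleton earns nothing here.
    score += int(10 * math.log10(max(t.prevalence, 1)))
    # Track record: one point per day observed, capped at 30 days.
    age_days = max(0, (now - t.first_seen).days)
    score += min(age_days, 30)
    # A trusted download source is worth a flat bonus.
    if t.trusted_source:
        score += 20
    return score


def verdict(score: int) -> str:
    """Map a score to a decision; the thresholds are assumptions for this example."""
    if score >= 50:
        return "good"        # widely used, established, or vouched for by its source
    if score >= 20:
        return "unknown"     # too little history: hand off to behaviour-based monitoring
    return "suspicious"      # brand-new one-off: block or quarantine before it runs


def triage(records: list[FileTelemetry], now: datetime = NOW) -> dict[str, str]:
    """Return a verdict per file hash for a batch of telemetry records."""
    return {t.sha256: verdict(reputation_score(t, now)) for t in records}


# Constructed sample telemetry: a freshly mutated one-off (as produced per victim by an
# attack toolkit), a mainstream application, and a little-known but not brand-new tool.
SAMPLES = [
    FileTelemetry("constructed-hash-singleton", 1, NOW - timedelta(hours=2), False),
    FileTelemetry("constructed-hash-popular-app", 250_000, NOW - timedelta(days=400), True),
    FileTelemetry("constructed-hash-niche-tool", 40, NOW - timedelta(days=5), False),
]

if __name__ == "__main__":
    for digest, decision in triage(SAMPLES).items():
        print(f"{digest}: {decision}")
```

The singleton is flagged without any signature existing for it, which is the point the paragraph makes about reacting earlier in the chain; the "unknown" tier is where behaviour-based monitoring would take over.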

Stuxnet and targeted attacks

In the last 24 months, many significant targeted attacks occurred, of which Hydraq (a.k.a. Aurora) and Stuxnet are the two best-reported examples. Although these threats have been analysed in-depth, there are still many lessons to be learned from these attacks. In contrast to the drive-by download attacks which aim at infecting as many people as possible with mutating malcode, targeted attacks often attempt to only infect a handful of selected computers. The attacked targets range from publicly traded, multinational corporations and governmental organisations to smaller companies.

The motivations and backgrounds of the alleged attackers vary widely. Some attacks have been much more effective—and dangerous—than others. All the victims had one thing in common, though—they were specifically targeted and compromised. In most cases, the attacker needs only to target one user with access to network or administrative resources, even where that access is limited. A single negligent user or an unpatched computer is enough to provide attackers an entry point into an organisation in order to mount additional attacks on the enterprise from within, often using the credentials of the compromised user.

Many organisations have implemented security measures such as isolated networks to protect sensitive computers against worms and other network intrusions. The Stuxnet worm, however, proved that these “air-gapped” networks can be compromised and still require additional layers of security. While Stuxnet is a complex threat, not all malicious code requires this level of complexity to breach an isolated network. Because an increasing amount of malicious code incorporates propagation mechanisms through removable media such as USB drives, isolated networks require some of the same policies and protection as user networks. Endpoint protection that blocks access to external ports, such as a device control policy, can help defend against these threats.

Once inside an organisation, a targeted attack attempts to avoid detection until its objective is met. Exploiting zero-day vulnerabilities is one part of keeping an attack stealthy. This refers to the use of a publicly unknown vulnerability which has no current available security patch. Zero-day vulnerabilities enable attackers to install malicious applications on a computer without the user’s knowledge. Rootkits also often play a role as tools to hide suspicious code from system tools by embedding themselves deep in a system’s core. While rootkits are not a new concept, techniques continue to be refined and redeveloped as attackers strive to stay ahead of detection tools. Many of these rootkits are developed for use in stealth attacks. There are also reports of targeted attacks using common hacker tools. Tools such as attack toolkits are essentially “off the shelf” malware that enables the attacker to save money and reach its targets faster. However, innovation runs in both directions, and attacks such as Stuxnet are an example of how targeted security breaches are studied by cybercriminals who then copy and adapt tools and techniques in order to create massive attacks.

The second phase of Stuxnet

Spreading in specific environments and infecting key computers was only one part of Stuxnet’s blueprint. Stuxnet did not only infiltrate networks and steal sensitive data; it was also targeting hardware components of supervisory control and data acquisition (SCADA) systems. The attack was actively searching for two very specific models of programmable logic controllers (PLCs) used in machine automation. When the correct type of PLC was found, a check on the configuration was performed and the payload was triggered only when an exact match was encountered. This ensured that Stuxnet would only attack automation systems of a predefined type used in a selected environment. Of course, this also means that some insider knowledge was needed by the author of the code in order to accurately pinpoint this setting. Later analysis showed that the rare conditions were most likely targeting a uranium enrichment facility in Iran. The payload of Stuxnet would manipulate the spinning frequency of the gas centrifuges, speeding them up and slowing them down in a repetitive pattern multiple times. It is thought that this would eventually sabotage the enrichment process and ruin the rate of yield. Eventually, after some time, this manipulation would also lead to physical damage to the centrifuges themselves. In order to stay hidden, Stuxnet was further able to replay recorded data from normal operation mode in an endless loop to the dashboard console, convincing the engineers that everything was running smoothly. Stuxnet was the first digital malware that led to physical damage in such a precise manner and on such a large scale. Consequently, it is not surprising that many discussions on cyber warfare and cyber defence started after details of the Stuxnet incident emerged.[1]

Social networks

Social networks continue to be a security concern for organisations. Companies and government agencies are trying to make the most of the advantages of social networking and keep employees happy while, at the same time, limiting the dangers posed by the increased exposure of potentially sensitive and exploitable information. Additionally, malicious code that uses social networking sites to propagate itself remains a significant concern.

Targeted attacks are often preceded by research and reconnaissance. Attackers can construct plausible deceptions using publicly available information from company websites, social networks, and other sources. Malicious files or links to malicious websites can then be attached to, or embedded in, email messages directed at certain employees, using information gathered through this research to make them seem legitimate. This tactic is commonly called spear phishing.

For example, many people’s social networking profiles will often list employment details such as the company they work for, the department they work in, other colleagues with profiles, and so on. While this information might seem harmless enough to divulge, it is often a simple task for an attacker to discover a company’s email address convention and, armed with this information, along with any other personal information exposed on the victim’s profile, create a convincing ruse to dupe the victim. For example, by finding other members of the victim’s social network who also work for the same organisation, the attacker can spoof a message from that person to lend an air of additional credibility. This might be presented as an email message from a co-worker who is also a friend, containing a link purporting to be pictures from a recent vacation (the details of which would have been gathered from the social networking site). With a tantalising enough subject line, the ruse can be difficult for most people to resist because the point of social networking sites is to share this type of information.

Attackers can also gather other information from social networking sites that can indirectly be used in attacks on an enterprise. For example, an employee may post details about changes to the company’s internal software or hardware profile that may give an attacker insight into which technologies to target in an attack.

While increased privacy settings can reduce the likelihood of a profile being spoofed, a user can still be exploited if an attacker successfully compromises one of the user’s friends. Because of this, organisations should be proactive in instructing their employees about the dangers of posting sensitive information. Clearly defined and enforced security policies should also be employed.

Spear-phishing attacks can target anyone. While the high profile, targeted attacks attempt to steal intellectual property or cause physical damage, many of these attacks simply prey on individuals for their personal information. In 2010, for example, data breaches caused by hacking resulted in an average of over 260,000 identities exposed per breach—far more than any other cause. Breaches such as these can be especially damaging for enterprises because they may contain sensitive data on customers, as well as employees, that an attacker can sell on the underground economy or use to harm the brand’s reputation. Companies are advised to use data loss prevention (DLP) solutions in order to monitor the use of sensitive information. This usually includes a process to define what information is critical and where it is stored in the first place.

Mobile threats

Since the first smartphone came to the market, there has been speculation regarding the vulnerability of these devices. While threats targeted early “smart” devices such as Symbian and Palm in the past, none of these ever became widespread and many remained proof-of-concept. Recently, with the growing uptake in smartphones and tablets and their increasing connectivity and capability, there has been a corresponding increase in attention, both from threat developers and security researchers.

While the number of immediate threats to mobile devices remains relatively low in comparison to threats targeting PCs, there have been new developments in the field. As more users download and install third-party applications for these devices, the chances of installing malicious applications also increases. In addition, because most malicious code is now designed to generate revenue, there are likely to be more threats created for these devices, as people increasingly use them for sensitive transactions such as online shopping and banking.

At present, most malicious code for mobile devices consists of Trojans that pose as legitimate applications. These applications are uploaded to mobile app marketplaces in the hope that users will download and install them. In March 2011, Google reported that it had removed several malicious Android applications from the Android Market and even deleted them from users’ phones remotely. Attackers also take popular legitimate applications and add additional code to them, as has happened in many cases for Android devices. Astute users were able to spot that something was amiss when the application was requesting more permissions than should have been necessary. Of course it is also possible to exploit vulnerabilities to compromise mobile devices. In 2010, Symantec documented 163 vulnerabilities in mobile device operating systems, a strong rise compared to 115 in 2009.

Until recently, most Trojans for mobile devices simply dialled or texted premium rate numbers from the phone. Newer variants also attempt to create a bot network out of compromised mobile devices. While the command-and-control servers are often taken down quickly, the attempt to create a botnet out of mobile devices demonstrates that attackers are actively researching mobile devices as a platform for cybercrime.

The volume and sophistication of malicious activity has increased substantially over recent years. While it is highly unlikely that threats such as Stuxnet will become commonplace, because of the complexity and the resources required to create them, Stuxnet does demonstrate what a skilled group of highly organised attackers can accomplish. Targeted attacks of this nature have shown that determined attackers can infiltrate targets with research and social engineering tactics alone. This matters because recent studies have shown that the average cost per incident of a data breach in the United States was USD 7.2 million, with the largest breach costing one organisation USD 35.3 million to resolve. With stakes so high, organisations need to focus their security efforts to prevent breaches.

Social networking sites provide companies with a mechanism to market themselves online, but can also have serious consequences. Information posted by employees on social networking sites can be subject to social engineering activity as part of targeted attacks. Additionally, these sites also serve as a vector for malicious code infection. Organisations need to create specific policies for sensitive information which may inadvertently be posted by employees, while at the same time being aware that users visiting these sites from work computers may introduce an avenue of infection into the enterprise network. Home users also need to be aware of these dangers because they are at equal risk from following malicious links on these sites.

Attack toolkits continue to be a dominant force in Web-based attack activity. Their ease of use, combined with advanced capabilities, make them an attractive investment for attackers. Since exploiting existing vulnerabilities will eventually cease to be effective, toolkit authors will need to incorporate new vulnerabilities in order to stay competitive in the marketplace. Toolkit authors are constantly adapting in order to maximise the value of their kits.

While the purpose of most malicious code has not changed over the past few years, as attackers seek ways to profit from unsuspecting users, the sophistication of these threats has increased as attackers employ more features to evade detection. These features allow malicious code to remain resident on infected computers for longer, thus allowing attackers to steal more information and giving them more time to use that stolen information before the infections are discovered.

Currently, mobile threats have been very limited in the number of devices they affect as well as their impact. While these threats are not likely to make significant inroads right away, their impact is likely to increase in the near future. To avoid the threats that currently exist, users should only download applications from regulated marketplaces. Checking the comments for applications can also indicate if other users have already noticed suspicious activity from installed applications.

Candid Wüest was speaking at the Expert Hearing on New dimensions in cyber risk, hosted at the Centre, 7 April 2011.


[1] For further information on Stuxnet, see



Candid Wüest

Senior Threat Researcher, Symantec

Candid Wüest has been with Symantec for the last eight years and is currently working as a Senior Threat Researcher for the Global Security Response Team at Symantec Switzerland. He researches new threat vectors, analyses trends and formulates new mitigation strategies. Previously he worked for three years as a virus analyst in the anti malware laboratory of Symantec in Dublin, analysing malware and creating signatures.

Mr Wüest holds a master’s degree in computer science from the Swiss Federal Institute of Technology (ETH). He gathered extensive experience in IT security over the last fifteen years, while working for several companies, including the global security analysis lab of IBM Research in Rüschlikon.

He has published various papers and articles in magazines and is a frequent speaker at conferences like COMDEX, VB and RSA.
