

Information Note Number: IN05-001
Targeted Trojan E-mail Attacks
16 June 2005

Purpose
The Canadian Cyber Incident Response Centre (CCIRC) has received reports of a new e-mail-based technique for spreading Trojan horse programs. Because of the nature of this technique, standard defensive measures such as anti-virus software and firewalls are not completely effective. As a result, the risk of critical infrastructure networks being compromised by attacks employing this technique is significant. This Information Note is being issued to bring attention to this technique and to provide general mitigation advice.

Audience
This paper is primarily intended for owners and operators of Canadian critical infrastructure, including all levels of government, who should be aware of any potential threats to the security of their mission-critical information.

Background

A Trojan horse is a malicious program that attempts to trick users into opening and/or installing it by presenting itself as legitimate. These programs can have a range of capabilities, but generally seek to gather information about infected computers, collect data, and allow the author of the program remote access to the infected computer. Some Trojans may allow a remote attacker to download additional malicious code onto infected computers, or permit infected computers to be used in Denial of Service attacks. These programs are frequently spread by indiscriminate means: they may be left behind by worms, attached to mass e-mails or spread by malicious Web sites.

Recently, media reports and incident reporting to CCIRC have highlighted a trend towards attackers using more targeted means of distributing Trojans. Incidents reported in Canada have involved small numbers of Trojan horse programs being spread via e-mails containing either trojanized attachments or links to Web sites hosting trojanized files. These e-mails are typically sent to specific individuals, rather than the large, random distributions associated with phishing attacks or other Trojan activity. In addition, the e-mails use sophisticated social engineering to appear credible and entice users into opening the attachment or following the link:

  • The "From" address of the e-mail is spoofed, making it appear to come from a colleague or reliable third party organization;
  • The subject line and text of the e-mails appear relevant to the recipient’s work, or may be copied from a previous legitimate e-mail; and
  • The attachment name and type appear relevant to the text and to the recipient’s work.

Once the attachment is opened or the link followed, a Trojan is installed on the user’s computer. Based on the capabilities of Trojans used to date, the primary purpose of these incidents was the gathering of commercial, financial, or economic information. Similar cases reported in the media have been described as economic or industrial espionage.[1]

Assessment

There are two elements that make this attack technique noteworthy.

First, the Trojans used in incidents reported to CCIRC sometimes circumvent anti-virus software and firewalls, two of the primary defensive mechanisms for critical infrastructure networks. The Trojans reported to date have been either malicious code detectable by some anti-virus products, previously unseen malicious code, or modifications of existing open-source Trojans. In all three scenarios, the latest version of any anti-virus software did not always detect the malicious code. Anti-virus companies must intercept a copy of a malicious program in order to update their software’s signatures so as to detect it; the targeted distribution of the malicious code in this attack technique makes this highly unlikely. In addition, Trojans can be configured to transmit information to a remote attacker using ports assigned to common services (such as TCP port 80, which is assigned to Web traffic) and thereby defeat most firewalls. Consequently, network security personnel will need to take additional measures to protect against this type of attack.

Second, the highly sophisticated social engineering employed in the incidents reported greatly increases the likelihood of users opening malicious attachments and inadvertently infecting their computers. While social engineering techniques in general have shown marked improvement in the last two years (particularly vis-à-vis phishing attacks), the targeted distribution of these Trojans allows e-mails to be highly tailored towards the intended recipients.

Information available to CCIRC suggests that attacks of this kind have been detected in other countries. CCIRC has also received a very small number of reports of attacks of this type in Canada. Although CCIRC has no information to suggest a threat to Canadian critical infrastructure overall, the vulnerability of critical infrastructure networks to such an attack is significant.

Suggested actions

Because of the targeted distribution of Trojans spread in this way, and because of the possibility of communication with remote attackers using ports assigned to common services, detection of this type of attack is problematic. In addition, there is no completely effective mitigation against this type of attack for any computer system connected to the Internet.

In general, network security staff should keep anti-virus software as up-to-date as possible so as to detect older Trojans that may be used in an attack of this kind. Because vulnerabilities in various Microsoft applications have been used to install Trojans in the past, all current patches should be applied. As well, anomalous slow-running machines should be investigated for unknown processes or unexpected Internet connections, and user reports of such behaviour should be encouraged. Finally, users should be educated not to visit suspicious Web sites or open unsolicited attachments from any source without confirming the legitimacy of the e-mail or link.

Other detection and/or mitigative actions for these types of attacks are as follows:

  • Examine firewall logs of critical systems, or networks used for processing sensitive information, for connections to or from anomalous IP addresses;
  • Consider traffic analysis to identify any compromised computers that are transmitting data to remote attackers. In particular, data on the size and times of HTTP or TCP port 80 connections may help detect this activity. Connections where the data volume sent is abnormal, connections taking place outside of normal business hours, or connections of short duration that appear on a periodic basis should be examined closely;
  • If your IT architecture allows e-mail to be accessed from the Internet, review e-mail server access logs for connections from unusual IP addresses. Some Trojans used in incidents reported to CCIRC have gathered e-mail usernames and passwords, which may be subsequently used by attackers.
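As an added illustration of the traffic-analysis heuristics listed above (example code, not from CCIRC or this Information Note), the following Python applies them to a constructed outbound-connection log; the log field layout, the thresholds and the business-hours window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-connection log (firewall/proxy style), not from the advisory.
# Fields: date time src_host dst_ip dst_port bytes_out duration_s
SAMPLE_LOG = """\
2005-06-14 09:12:05 ws-042 198.51.100.9 80 1830 12
2005-06-14 14:30:01 ws-017 203.0.113.77 80 640 2
2005-06-14 15:30:02 ws-017 203.0.113.77 80 655 2
2005-06-14 16:30:01 ws-017 203.0.113.77 80 648 3
2005-06-14 17:30:03 ws-017 203.0.113.77 80 661 2
2005-06-15 02:14:09 ws-009 203.0.113.10 80 58000000 420
"""

LINE_RE = re.compile(r"(\S+ \S+) (\S+) (\S+) (\d+) (\d+) (\d+)")
BUSINESS_HOURS = range(8, 18)   # 08:00-17:59 on weekdays; assumed local policy
LARGE_UPLOAD = 10_000_000       # bytes sent in one connection; assumed threshold
SHORT_CONN = 5                  # seconds; what counts as "short duration"
MIN_BEACONS = 4                 # repetitions before an interval is called periodic

def parse(log):
    # Yield (timestamp, src, dst, port, bytes_out, duration) per well-formed line.
    for line in log.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if m:   # malformed lines are skipped rather than aborting the review
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield (ts, m.group(2), m.group(3)) + tuple(int(g) for g in m.groups()[3:])

def find_suspicious(log):
    """Return sorted (src, dst, reason) triples for port-80 traffic matching the heuristics."""
    findings, by_pair = set(), defaultdict(list)
    for ts, src, dst, port, sent, dur in parse(log):
        if port != 80:
            continue
        if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS:
            findings.add((src, dst, "outside business hours"))
        if sent > LARGE_UPLOAD:
            findings.add((src, dst, "abnormal volume sent"))
        if dur <= SHORT_CONN:
            by_pair[(src, dst)].append(ts)
    for (src, dst), times in by_pair.items():
        if len(times) < MIN_BEACONS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= 0.1 * mean(gaps):   # near-constant interval: beaconing
            findings.add((src, dst, "periodic short connections"))
    return sorted(findings)
```

On the sample log, ws-017 is flagged for hourly short connections and ws-009 for a large overnight upload; the thresholds should be tuned to the network's own baseline before use.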

Incidents of attacks using this technique, like all cyber security incidents affecting Canadian critical infrastructure, should be reported to the Canadian Cyber Incident Response Centre (CCIRC) via the Government Operations Centre at (613) 991-7000 or goc-cog@psepc-sppcc.gc.ca, to the attention of the Cyber Duty Officer.

[1] In an Israeli case, a Trojan known as HotWord was spread to several companies by a competitor. The method of propagation was reportedly a Trojanized promotional CD-ROM; however, the characteristics of this method of spreading Trojans are substantively similar to the targeted e-mails described in this Information Note. See http://www.msnbc.msn.com/id/8145520/

---

Note to Readers

Public Safety and Emergency Preparedness Canada (PSEPC) collects information related to cyber and physical threats to, and incidents involving, Canadian critical infrastructure. This allows us to monitor and analyse threats and to issue alerts, advisories and other information products to our partners. For more information about the Canadian Cyber Incident Response Centre, which fulfills the cyber aspect of this role, visit our web site at www.psepc.gc.ca/ccirc. To report threats or incidents, please contact CCIRC via the Government Operations Centre at (613) 991-7000 or goc-cog@psepc-sppcc.gc.ca by e-mail.

Unauthorized use of computer systems and mischief in relation to data are serious Criminal Code offences in Canada. Any suspected criminal activity should be reported to local law enforcement organizations. The RCMP National Operations Centre (NOC) provides a 24/7 service to receive such reports or to redirect callers to local law enforcement organizations. The NOC can be reached at (613) 993-4460. National security concerns should be reported to the Canadian Security Intelligence Service (CSIS) at (613) 993-9620.

PSEPC publications are based on information obtained from a variety of sources. The organization makes every reasonable effort to ensure the accuracy, reliability, completeness and validity of the contents in its publications. However, it cannot guarantee the veracity of the information nor can it assume responsibility or liability for any consequences related to that information. It is recommended that PSEPC publications be carefully considered within a proper context and in conjunction with information available from other sources, as appropriate.


Last Updated: 10/25/2005