Targeted Malware Attacks

Malware attacks are getting smarter by targeting user populations of higher value. Where previous generations of attacks consisted of viruses, worms, general phishing and rootkits, new attacks are becoming more difficult to detect. Such attacks no longer push malware onto the Internet and wait for it to land on random vulnerable or already compromised systems.

What are targeted attacks?

Targeted attacks against specific organizations or individuals in those organizations leverage some of the elements associated with social networking. These attacks often come as a legitimate email or some other electronic object. Email filtering tools often allow such messages to pass, since they don’t violate filtering rules.

An example of a simple targeted attack involves a PDF file that appears to be a research report. Opening this PDF causes malware to install, facilitating the collection of information from the user’s machine. It’s important to focus on the approach of this attack. Not unlike Trojans, targeted attacks can seem very real and relevant to their victims.

Degree of Relevance

The efficacy of targeted attacks is largely based on their relevance to victims, who are most often involved in senior management or other key operations. Attackers might spend months investigating companies in order to determine:

  • Individuals in the target organization who would likely have access to the desired data
  • Major projects in process
  • Common business partners, vendors, etc.
  • Names and email addresses of individuals who regularly send mail to target users

It’s becoming much more common to see a greater level of research by attackers regarding their potential targets. While this may require a higher level of human interaction, there are some methods to automate certain steps in the process of data gathering.

With this information, attackers are able to create relevant emails with spoofed source addresses. This will make the messages appear to come from a business or individual with whom the attack victims already regularly communicate.

The attacker’s objective is to be able to collect as much information as possible from the target victim. This means the malware needs to be hidden (e.g. in a rootkit) and the transfer of information must be disguised as normal network traffic. Since each attack is unique, it can be difficult for security teams to identify targeted attacks simply by using anti-malware or IPS/IDS solutions.

Who is being targeted?

It’s unlikely that most internet users will become victims of targeted attacks. Most targeted attacks aim for senior management, including C-level executives and department heads. What makes things worse is that the computers used by these individuals are often the least protected.

It’s common in many organizations to have a double standard when it comes to security control implementation. Many executives believe that they are able to avoid malware attacks, or they would prefer not to have to deal with the same restrictions imposed on the rest of the workforce.

Other potential targets include employees who process sensitive information. Such individuals have the level of access on their local workstations necessary for deploying data-collecting malware.

Another notable group being targeted are human rights organizations. For instance, on March 18, 2010, attackers sent a number of organizations and individuals a targeted malware attack that appeared to be from Sharon Horn, the Executive Director of Human Rights in China (HRIC). Attackers used the recognition of HRIC to lead victims to a compromised website containing malicious code that allowed the attackers to eventually take full control of the visitor’s computer. Civil society organizations are facing the growing threat of targeted malware attacks.

Where are the attacks coming from?

According to Symantec’s March 2010 MessageLabs Intelligence Report, analysis of the origins of targeted attacks shows that they originate from:

  • China (28.2%)
  • Romania (21.1%)
  • United States (13.8%)

According to MessageLabs Intelligence Senior Analyst Paul Wood:

“When considering the true location of the sender rather than the location of the email server, fewer attacks are actually sent from North America than it would at first seem. A large proportion of targeted attacks are sent from legitimate webmail accounts which are located in the US and therefore, the IP address of the sending mail server is not a useful indicator of the true origin of the attack. Analysis of the sender’s IP address, rather than the IP address of the email server reveals the true source of these targeted attacks.”
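The check Wood describes, walking the Received: chain back to the submitting client rather than stopping at the mail server, is illustrated here with added example code that is not part of the article or of MessageLabs' analysis. The message, hostnames and addresses are constructed for the example; it also flags the From: domain that does not match the envelope Return-Path, the spoofing pattern described earlier on this page.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed sample (not a real capture), most recent hop first: the recipient's
# internal relay, the webmail provider's MX, then the webmail submission itself.
SAMPLE_MESSAGE = """\
Received: from mx.victim-corp.test (mx.victim-corp.test [10.0.0.5])
  by exchange01.victim-corp.test; Thu, 18 Mar 2010 09:14:05 +0000
Received: from mx.example-webmail.test (mx.example-webmail.test [203.0.113.10])
  by mx.victim-corp.test with ESMTP; Thu, 18 Mar 2010 09:14:00 +0000
Received: from [198.51.100.77] (unknown [198.51.100.77])
  by mx.example-webmail.test with HTTP; Thu, 18 Mar 2010 09:13:50 +0000
Return-Path: <someone@example-webmail.test>
From: "Trusted Partner" <partner@trusted-partner.test>
Subject: Q1 research report
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# RFC 1918, loopback and link-local: hops inside one of the mail systems.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
            "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def hop_ips(msg):
    """Public IPs recorded in Received: headers, earliest hop first."""
    found = [IP_RE.search(h) for h in reversed(msg.get_all("Received", []))]
    return [m.group(1) for m in found if m and not is_internal(m.group(1))]

def analyze(raw):
    """Where the message really came from, and whether From: fits the envelope."""
    msg = email.message_from_string(raw)
    ips = hop_ips(msg)
    # Many webmail providers record the submitting client in X-Originating-IP.
    xo = re.search(r"\d{1,3}(?:\.\d{1,3}){3}", msg.get("X-Originating-IP", ""))
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    path_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    return {
        "originating_ip": xo.group(0) if xo else (ips[0] if ips else None),
        "mail_server_ip": ips[-1] if ips else None,  # last public relay
        "from_domain": from_domain,
        "return_path_domain": path_domain,
        "sender_mismatch": from_domain != path_domain,
    }
```

For the sample, the mail server IP is the webmail provider's MX while the originating IP is the client that submitted the message, which is the address worth geolocating or correlating across incidents.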


This article discusses targeted malware attacks, which are becoming more and more common, targeting anyone from executives to civil society organizations to medium-sized businesses that lack significant intellectual property. Targeted malware attacks require a more granular approach to security controls. The article examines the double standard that is present in enterprise security control implementation.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:

  • Privacy Concerns: Organizational Practices (II.A.b.)
  • Social Networking Services (VI.C.)
