Targeted Trojan E-mail Attacks
IN05-001
Date: 16 June 2005
Purpose
The Canadian Cyber Incident Response Centre (CCIRC) has received reports of a new e-mail-based technique for spreading Trojan horse programs. Because of the nature of this technique, standard defensive measures such as anti-virus software and firewalls are not completely effective. As a result, the risk of critical infrastructure networks being compromised by attacks employing this technique is significant. This Information Note is being issued to bring attention to this technique and to provide general mitigation advice.
Audience
This paper is primarily intended for owners and operators of Canadian critical infrastructure, including all levels of government, who should be aware of any potential threats to the security of their mission-critical information.
Background
A Trojan horse is a malicious program that attempts to trick users into opening and/or installing it by presenting itself as legitimate. These programs can have a range of capabilities, but generally seek to gather information about infected computers, collect data, and allow the author of the program remote access to the infected computer. Some Trojans may allow a remote attacker to download additional malicious code onto infected computers, or permit infected computers to be used in Denial of Service attacks. These programs are frequently spread by indiscriminate means: they may be left behind by worms, attached to mass e-mails or spread by malicious Web sites.
Recently, media reports and incident reporting to CCIRC have highlighted a trend towards attackers using more targeted means of distributing Trojans. Incidents reported in Canada have involved small numbers of Trojan horse programs being spread via e-mails containing either trojanized attachments or links to Web sites hosting trojanized files. These e-mails are typically sent to specific individuals, rather than the large, random distributions associated with phishing attacks or other Trojan activity. In addition, the e-mails use sophisticated social engineering to appear credible and entice users into opening the attachment or following the link:
- The "From" address of the e-mail is spoofed, making it appear to come from a colleague or reliable third party organization;
- The subject line and text of the e-mails appear relevant to the recipient's work, or may be copied from a previous legitimate e-mail; and
- The attachment name and type appear relevant to the text and to the recipient's work.
Once the attachment is opened or the link followed, a Trojan is installed on the user's computer. Based on the capabilities of Trojans used to date, the primary purpose of these incidents was the gathering of commercial, financial, or economic information. Similar cases reported in the media have been described as economic or industrial espionage.[1]

Assessment
There are two elements that make this attack technique noteworthy.
First, the Trojans used in incidents reported to CCIRC sometimes circumvent anti-virus software and firewalls, two of the primary defensive mechanisms for critical infrastructure networks. The Trojans reported to date have been either malicious code detectable by some anti-virus products, previously unseen malicious code or modifications of existing open-source Trojans. In all three scenarios, the latest version of any anti-virus software did not always detect the malicious code. Anti-virus companies must intercept a copy of a malicious program in order to update their software's signatures so as to detect it; the targeted distribution of the malicious code in this attack technique makes this highly unlikely. In addition, Trojans can be configured to transmit information to a remote attacker using ports assigned to common services (such as TCP port 80, which is assigned to Web traffic) and thereby defeat most firewalls. Consequently, network security personnel will need to take additional measures to protect against this type of attack.
Second, the highly sophisticated social engineering employed in the incidents reported greatly increases the likelihood of users opening malicious attachments and inadvertently infecting their computers. While social engineering techniques in general have shown marked improvement in the last two years (particularly vis-à-vis phishing attacks), the targeted distribution of these Trojans allows e-mails to be highly tailored towards the intended recipients.
Information available to CCIRC suggests that attacks of this kind have been detected in other countries. CCIRC has also received a very small number of reports of attacks of this type in Canada. Although CCIRC has no information to suggest a threat to Canadian critical infrastructure overall, the vulnerability of critical infrastructure networks to such an attack is significant.

Suggested action
Because of the targeted distribution of Trojans spread in this way, and because of the possibility of communication with remote attackers using ports assigned to common services, detection of this type of attack is problematic. In addition, there is no completely effective mitigation against this type of attack for any computer system connected to the Internet.
In general, network security staff should keep anti-virus software as up-to-date as possible so as to detect older Trojans that may be used in an attack of this kind. Because vulnerabilities in various Microsoft applications have been used to install Trojans in the past, all current patches should be applied. As well, anomalous slow-running machines should be investigated for unknown processes or unexpected Internet connections, and user reports of such behaviour should be encouraged. Finally, users should be educated not to visit suspicious Web sites or open unsolicited attachments from any source without confirming the legitimacy of the e-mail or link.
Other detection and/or mitigative actions for these types of attacks are as follows:
- Examine firewall logs of critical systems, or networks used for processing sensitive information, for connections to or from anomalous IP addresses;
- Consider traffic analysis to identify any compromised computers that are transmitting data to remote attackers. In particular, data on the size and times of HTTP or TCP port 80 connections may help detect this activity. Connections where the data volume sent is abnormal, connections taking place outside of normal business hours, or connections of short duration that appear on a periodic basis should be examined closely;
- If your IT architecture allows e-mail to be accessed from the Internet, review e-mail server access logs for connections from unusual IP addresses. Some Trojans used in incidents reported to CCIRC have gathered e-mail usernames and passwords, which may be subsequently used by attackers.
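The traffic-analysis advice above can be turned into a first-pass triage script. The following is an added example, not part of the Information Note; the log format, the business-hours window and the thresholds are assumptions chosen for illustration, and the log lines are constructed.

```python
# Heuristic triage of outbound TCP/80 connections for the profile the Note
# describes: after-hours connections, abnormal outbound volume, and short
# connections recurring at a near-constant interval. Thresholds and the log
# format are assumptions made for this example.
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed firewall log lines (not real data): time src dst dport bytes_out dur
SAMPLE_LOG = """\
2005-06-14T09:12:01 src=10.1.1.5 dst=203.0.113.9 dport=80 out=1200 dur=1
2005-06-14T10:12:03 src=10.1.1.5 dst=203.0.113.9 dport=80 out=1180 dur=1
2005-06-14T11:12:02 src=10.1.1.5 dst=203.0.113.9 dport=80 out=1210 dur=1
2005-06-14T12:12:04 src=10.1.1.5 dst=203.0.113.9 dport=80 out=1190 dur=1
2005-06-14T02:40:00 src=10.1.1.8 dst=198.51.100.7 dport=80 out=5300000 dur=310
2005-06-14T09:30:11 src=10.1.1.8 dst=192.0.2.20 dport=80 out=4100 dur=3
2005-06-14T09:31:45 src=10.1.1.8 dst=192.0.2.20 dport=80 out=3900 dur=2
2005-06-14T14:05:00 src=10.1.1.9 dst=192.0.2.20 dport=80 out=2200 dur=4
"""

def parse(log):
    rows = []  # one dict per connection, with typed fields
    for line in log.splitlines():
        ts, *kv = line.split()
        d = dict(p.split("=", 1) for p in kv)
        rows.append({"ts": datetime.fromisoformat(ts), "src": d["src"], "dst": d["dst"],
                     "dport": int(d["dport"]), "out": int(d["out"]), "dur": int(d["dur"])})
    return rows

def find_suspicious(rows, start=8, end=18, vol_factor=10, max_dur=5, jitter=60):
    """Return a set of (src, reason) pairs worth a closer look."""
    alerts, by_src, pairs = set(), defaultdict(list), defaultdict(list)
    for r in rows:
        if r["dport"] != 80:
            continue
        by_src[r["src"]].append(r["out"])
        pairs[(r["src"], r["dst"])].append(r)
        if not start <= r["ts"].hour < end:          # outside business hours
            alerts.add((r["src"], "after-hours"))
    for src, vols in by_src.items():                 # one upload far above the host's norm
        if max(vols) > vol_factor * max(median(vols), 1):
            alerts.add((src, "volume"))
    for (src, dst), conns in pairs.items():          # short, evenly spaced check-ins
        conns.sort(key=lambda r: r["ts"])
        if len(conns) < 3 or any(r["dur"] > max_dur for r in conns):
            continue
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(conns, conns[1:])]
        if max(gaps) - min(gaps) <= jitter:
            alerts.add((src, "periodic"))
    return alerts
```

Calling `find_suspicious(parse(SAMPLE_LOG))` flags 10.1.1.5 for hourly one-second check-ins and 10.1.1.8 for a large upload at 02:40; a real deployment would tune the thresholds to the network's own baseline.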
Incidents of attacks using this technique, like all cyber security incidents affecting Canadian critical infrastructure, should be reported to the Canadian Cyber Incident Response Centre (CCIRC) via the Government Operations Centre at 613-991-7000 or goc-cog@ps-sp.gc.ca, to the attention of the Cyber Duty Officer.
Footnotes
- [1] In an Israeli case, a Trojan known as HotWord was spread to several companies by a competitor. The method of propagation was reportedly a Trojanized promotional CD-ROM; however, the characteristics of this method of spreading Trojans are substantively similar to the targeted e-mails described in this Information Note. See www.msnbc.msn.com

Note to Readers
The Canadian Cyber Incident Response Centre (CCIRC) provides a focal point for Canada's cyber threat and vulnerability warning, analysis and response. CCIRC is responsible for assuring the resilience of national critical infrastructure through monitoring threats and coordinating a federal response to cyber security incidents of national interest. CCIRC operates in conjunction with the Government Operations Centre (GOC) within Public Safety Canada and is a key component of the government's all-hazards approach to emergency management and national security.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: communications@ps-sp.gc.ca