The stealthy attacks install keystroke-logging or screen-scraping software, and they are used for industrial espionage and other financially motivated crimes, experts said.
Cybercrooks send messages to one or a few addresses at a targeted organization and attempt to trick their victim into opening the infected attachment--typically, a Microsoft Office file that exploits a yet-to-be-patched vulnerability to drop the malicious payload.
Security technology can stop common attacks, but targeted attacks fly under the radar. That's because traditional products, which scan e-mail at the network gateway or on the desktop, can't recognize the threat. Alarm bells will ring if a new attack targets thousands of people or more, but not if just a handful of e-mails laden with a new Trojan horse is sent.
"A typical targeted attack will consist of between one and 10 similar e-mails directed at between one and three organizations," Shipp said. "By far the most common form of attack is to send just one e-mail to one organization."
In the past two years, MessageLabs has seen such attacks hit multinational companies, governments and military bodies. Other recurring targets include law firms, human rights organizations, news organizations and educational establishments, Shipp said.
Most attacks include Office files that use yet-to-be-patched vulnerabilities in the Microsoft application to install malicious code on vulnerable systems. The software giant has patched many such flaws on recent Patch Tuesdays.
Office files are also popular with attackers because organizations typically allow people to receive those files in e-mail, while executables or other files seen as more likely to be malicious are often blocked, Shipp said. "By and large, the best way of getting into an organization is to use something that the company lets in," he said.
The future of malware
The use of zero-day flaws circumvents traditional signature-based security products. These products rely on attack signatures (the "fingerprint" of the threat) to block the attack, which requires the attack to have been identified at least once before.
"This is the future of malware attacks," said Andreas Marx, an antivirus software specialist at the University of Magdeburg in Germany. "People affected by this won't be protected by antivirus software because there is no signature."
A signature is created when antivirus companies get a report from an infected company, when they see samples in their own honeypots, or get samples from other antivirus companies. "This doesn't happen with targeted attacks, as only an extremely small number of people get infected," Marx said.
http://news.com.com/The+future+of+malware+Trojan+horses/2100-7349_3-6125453.html?tag=nefd.topMicrosoft patched one vulnerability in Office this Tuesday, but another exploit emerged on "Viral Wednesday" (actually Thursday- a bit of poetic licence):
http://forum.avast.com/index.php?topic=24133.0
