Targeted Attacks Heat it up!

For the past few months our honeypots haven’t been getting a lot of malware, unlike before, when we’d get worms or trojans a dime a dozen. Now we have the occasional 1- or 2-day spikes where we get, say, one malware variant, but spammed by the boatload!


For example, starting early last night, we’ve gotten well over 8500 samples (and still counting, of course..) of a Haxdoor backdoor variant (BKDR_HAXDOOR.KW). And just a little over an hour ago we started receiving a TROJ_YABE variant (TROJ_YABE.AG) at the same alarming rate (now over 1000 samples in just a couple of hours). You’d think these guys are either in cahoots or there’s some sort of virus war going on (Hehe..). The samples most likely arrive via email, the first containing the file “die_rechnung.exe” as an attachment and the other containing the file “Telekom.pdf.exe”.


Now I’m assuming that at some point over the past few months we’ve all heard the term “Targeted Attacks”, but up until now the exact definition (if there ever is one) remains unclear. Even I can’t come up with my own definition of what constitutes a targeted attack. For example, the two cases we received last night: can they be classified as targeted attacks?


Despite the fact that the concept of targeted attacks remains relative to the individual, one thing is quite obvious: there have been increased reports of such activities. The downside I see in this kind of attack is that they’re harder to spot and, as a result, harder to defend against. The more widespread a particular piece of malware is, the easier it is for AV vendors to pick it up and create patterns for it. However, if the virus just attacks, say, one particular corporation, it’ll be harder to get samples of it, especially if the targeted company doesn’t even realize that it’s already been compromised.