Business continuity and disaster recovery

Cyber attacks grow in sophistication, menace; most originate in China

Published 4 June 2008

More and more cyber attacks on organizations aim to give criminals control over enterprise assets; most attacks on companies and organizations around the world originate in China

Damballa, Inc. has announced findings from its second-quarter analysis. As a key tool for organized crime, targeted threats continue to grow in sophistication, with an elevated focus on the enterprise network. In the second quarter of 2008, Damballa's research team analyzed a body of targeted threats and reported the following results:

  • 40 percent of the overall targeted threats analyzed give control of enterprise assets to criminals. This is derived from the fact that 50 percent of targeted threats analyzed use HTTP for communications, which allows for easier criminal control. Of those, almost 80 percent will steal proxy settings to facilitate successful outbound communication.
  • More than 75 percent of targeted attack Command and Control (CnC) sites are located in Asia, with China being the most dominant location.
  • Almost half of the targeted threats analyzed were propagated using PDF files, with Word documents and PowerPoint presentations coming in second and third, respectively.

A recent analysis of antivirus solutions performed using VirusTotal shows that detection of newly discovered targeted attacks averages less than 20 percent. These results follow similar and disturbing trends, including bot armies rapidly adapting for self-preservation. In January 2007, for example, a large portion of Bobax cannibalized itself to bootstrap Storm. More recently, just a few weeks after being widely discussed in the press, Kraken changed from using a custom protocol with encrypted content to one that uses plaintext HTTP. Two findings deserve special attention:

  • Targeted threats no longer rely on malware executables with obvious extensions (for example, .exe, .scr, .pif). Instead, documents such as PDFs are used to execute arbitrary and malicious code. These attacks succeed because most users believe that documents such as PDFs are harmless. Yet simply viewing a PDF with a slightly out-of-date reader can place a computer under the control of a malicious third party. In addition, when an attack is successful, the user is unlikely to know that a compromise occurred.
  • The social engineering aspects of targeted attacks have also grown in sophistication. Instead of the standard enticements normally found in spam, these attacks use subject lines that would matter to enterprise users. These include financial topics such as IRS complaints or notices, political topics that play off current events such as the Olympics in China, freeing Tibet, and human rights issues, and personal topics such as speaker invitations and scholarship offers.
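The first finding above is that a document, not an obvious executable, is now the delivery vehicle, and that a PDF only compromises a machine because it carries active content (JavaScript, automatic actions, launched programs or embedded files) that an out-of-date reader executes. A defender can triage incoming PDFs for exactly those features before they reach a reader. The following is an added example, not code from the article or from Damballa: a small mail-gateway style triage routine that scans a PDF for the name tokens that indicate active content, decodes the `#xx` name escapes that are used to hide those tokens from naive string matching, and returns a weighted verdict. The keyword list, the severity weights and the two sample PDFs are constructed for this illustration.

```python
import re

# Constructed watch-list of PDF name tokens that introduce active content.
# Weights are an illustrative severity scale, not an industry standard.
SEVERITY = {
    "/JavaScript": 3,   # JavaScript action dictionary
    "/JS": 3,           # the script itself (inline string or stream)
    "/Launch": 3,       # launch an external program
    "/OpenAction": 2,   # runs when the document is opened
    "/AA": 2,           # additional actions (page open, mouse events, ...)
    "/EmbeddedFile": 2, # attached files inside the PDF
    "/RichMedia": 2,    # embedded Flash / media content
    "/AcroForm": 1,     # forms, often paired with scripts
}

# PDF names may spell any character as #xx, e.g. /J#61vaScript == /JavaScript.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so obfuscated name tokens match the watch-list."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1).decode(), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Count active-content tokens in a PDF and return a weighted verdict."""
    if not data.startswith(b"%PDF"):
        return {"is_pdf": False, "flags": {}, "score": 0, "verdict": "not-a-pdf"}

    text = normalize_names(data)
    flags = {}
    for token, weight in SEVERITY.items():
        # A name token ends at a delimiter, so /JS must not match inside /JSX.
        pattern = re.compile(re.escape(token.encode()) + rb"(?![A-Za-z0-9])")
        count = len(pattern.findall(text))
        if count:
            flags[token] = count

    score = sum(SEVERITY[t] * n for t, n in flags.items())
    if score >= 5:
        verdict = "suspicious"   # script/launch plus an automatic trigger
    elif score > 0:
        verdict = "review"       # active content present, no auto-trigger
    else:
        verdict = "clean"
    return {"is_pdf": True, "flags": flags, "score": score, "verdict": verdict}


# Constructed sample: a minimal one-page PDF with no active content.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: an OpenAction that runs a harmless alert, with the
# JavaScript name tokens hex-escaped to evade plain string matching.
ACTIVE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /J#61vaScript /J#53 (app.alert(1)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_PDF), ("active", ACTIVE_PDF)):
        result = triage_pdf(sample)
        print(f"{name}: verdict={result['verdict']} score={result['score']} flags={result['flags']}")
```

The verdict logic reflects the mechanism the article describes: a script or launch action on its own is worth a human look, but a script combined with an automatic trigger such as `/OpenAction` is what turns "simply viewing a PDF" into code execution, so that combination is scored as suspicious. A production gateway would additionally inflate compressed object streams before scanning, since the tokens can live inside `/FlateDecode` streams that this byte-level scan cannot see.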