“It was Just a Virus” – Full Data Breaches through Malicious Attachments
If a malware file is allowed to execute, and it collects all of the personal files off of a system and sends them to a remote hacker, was your company hacked or did you “just have a virus?”
I love all parts of security and I’ve been trying my hand at some basic malware analysis. I’ve only analyzed a few so far, but the results have been pretty eye-opening. A couple of files inspected were new data miners, part of a phishing or social engineering attack.
Basically, a corporate user would receive a crafted e-mail saying that they have received a fax from their internal fax server. Sure enough, the e-mail would have a PDF-looking attachment. But once the “attachment” is executed, the user gets a whole lot more than a fax.
The “.pdf” file is actually an executable malware file using a PDF logo as an icon. The file executes a data mining attack that searches the hard drive for personal data, browser caches, system files, registry settings, installed applications – including FTP and security programs, remote access programs, file manager programs, web site authoring software, and even clients for remote online storage.
Once it gathers this information, it tries to connect to a foreign server to upload the purloined data.
So should these attacks be considered as “just a virus”, or should this be considered a full data breach?
All the elements of “being hacked” are present. Private data files, including password files and databases, could have been obtained. The information is then sent out of the network to a remote hacker’s server set up to receive it. Malware is already running on the system, so how hard would it be to use the system as a persistent backdoor into the corporation?
And lastly, these evil infiltrators are coded to bypass anti-virus and firewalls – only 2 AV companies detected one of the malicious executables I examined as containing a Trojan. And since the program connects back out to the malware server from your system after executing, your firewall does not block it.
Sure, most companies consider that they were hacked when their server has been compromised, but what if a top engineer who kept classified research information on his system, or an IT administrator of a secure facility, allowed the phishing e-mail to run?
And how would these people even know that private data was sent out from their network if no network security monitoring was in effect? Would they just write off the attack saying, “It was just a virus…”?
Long gone are the misspelled, fake-looking social engineering attacks. E-mail attacks are getting much better: they look professional and are believable, especially when your company uses some of the same software that the e-mail is pretending to be (like an incoming fax message).
Employees need to be warned about malicious e-mails and told that these e-mails try to replicate legitimate communication. If something looks or feels suspicious, they should not run it and should contact your support department.
Sure, this will probably mean more calls to the data center, but if you can catch these things BEFORE they execute, you can take steps to protect your network. That is especially true if you find out what servers they are trying to connect out to, as you can block the address so others who aren’t as vigilant will be protected too.
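One way to catch the fake “.pdf” attachment described above before anyone runs it is to compare each attachment’s name with its actual content at the mail gateway or during triage. The following is an added example, not code from the original post; the sample message, addresses and file names are constructed, and the “executable” is an inert two-byte signature stub.

```python
import email
from email import policy
from email.message import EmailMessage

PE_MAGIC = b"MZ"        # first bytes of a Windows executable
PDF_MAGIC = b"%PDF-"    # header of a genuine PDF
EXEC_EXTS = (".exe", ".scr", ".com", ".pif")

def inspect_attachment(filename, data):
    """Return reasons an attachment looks like an executable posing as a PDF."""
    name = (filename or "").lower()
    reasons = []
    if data[:2] == PE_MAGIC:
        reasons.append("content is a Windows executable")
    if name.endswith(EXEC_EXTS) and ".pdf" in name:
        reasons.append("document name with executable extension")
    if name.endswith(".pdf") and PDF_MAGIC not in data[:1024]:
        reasons.append("named .pdf but no PDF header")
    return reasons

def scan_message(raw):
    """Map each suspicious attachment name in a raw message to its reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        reasons = inspect_attachment(part.get_filename(), data)
        if reasons:
            findings[part.get_filename()] = reasons
    return findings

def build_sample():
    """Constructed test message: one disguised stub and one plain PDF."""
    msg = EmailMessage()
    msg["From"] = "fax@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "You have received a fax"
    msg.set_content("A new fax is attached.")
    # Inert stand-in: only the MZ signature followed by zero padding.
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="pdf", filename="fax_0001.pdf.exe")
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reasons in scan_message(build_sample()).items():
        print(name, "->", "; ".join(reasons))
```

A content check like this does not depend on an anti-virus signature existing for the sample, so it still flags a disguised executable that few AV engines recognize.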