Sending off emails laden with malicious attachments is one of the most effective and widely relied upon methods for disseminating malware and infecting user-machines.
It’s tried and it’s true. Whether an attacker is trying to indiscriminately add machines to a botnet, access corporate networks via spear-phishing, or hijack your online banking account with a Trojan, malicious documents have been a weapon of choose among attackers for years. Computer and Internet users are more aware now than ever about the dangers of opening shady – or even innocuous seeming – email attachments, whether they are Word documents, PDF files, pictures, or any other type of documents. Furthermore, the anti-malware industry, email-service providers, and Web-browser makers are all developing and deploying new technologies designed to curb infection-by-attachment. All of this comes in addition to an environment in which software vendors are handling vulnerability patch management more effectively and efficiently than ever.
Despite this, countless machines become infected with malware from opening malicious documents every day. How is it that the best efforts from the smartest people in the tech industry aren’t enough to successfully combat collections of largely unorganized attackers?
Broadly, the reason for this is simple, attackers, many of whom work alone or in small groups with custom designed tools, can move quickly. Browser-makers, email providers, tech giants react to new threats as quickly as they can, but – like all somewhat large organizations – are hindered by corporate bureaucracy and other inertias.
We can’t simply blame business here though either. Most users refuse to install updates and many users open attachments they shouldn’t.
To their credit, the attackers aren’t dumb. They watch the way companies react to their attack-methods and adapt accordingly. They gather intel on the people they aim to target by monitoring their social networking and other visible activities in order that emails and the malicious attachments they contain are more convincing and likely to be fallen for.
In my arrogance, I used to believe that an attacker would have to wake up pretty early in the morning in order to catch me phishing. Kaspersky Lab principle security expert, Kurt Baumgartner, set me straight, explaining that any of us – no matter how smart – would open an attachment seeming to come from a person we trust. This reality necessitates automatic defenses, based on measurable behavior rather than human intuition.
For example, Microsoft’s most recent set of patch Tuesday security updates fixed an Internet Explorer vulnerability but failed to fix a second Microsoft Office zero-day (newly discovered vulnerability). Because of this, attackers that understand the vulnerability can exploit it to send malicious documents to affected users (read: nearly anyone with Microsoft Office). Of course, if the attacker is using a piece of malware that is recognized by your antivirus product’s detection engine, then you are protected. Attackers though have found pretty simple ways to alter the code or the domains of their malware in order to evade this detection.
I don’t want to praise the attackers too highly here. In the end, the good guys are generally the smarter guys, albeit they move a bit more slowly. The good guys get paid well, they get benefits, and they generally don’t have to worry about going to jail. They watch the bad guys and learn from their methods just like the bad guys watch the good guys.
Such is the case with our developers at Kaspersky Lab. The researchers here have watched the ways in which attackers have evolved over the years. Anti-malware products used to simply search for malware signatures, but it has become clear over the last few years that signature detection is not enough. Thus they have developed technologies like automatic exploit prevention (AEP), which scans user-systems for vulnerabilities and known malicious behaviors. When AEP sees an applications running strange code or seeming to exploit a flaw in some piece of vulnerable software, the technology moves to block the actions before any harm. In this way, users are protected from nearly any threat, including aforementioned zero-days.