11 December 2007
MessageLabs sees rise in CxO-targeted exploits
Rik Turner, Computer Business Review
Email and web-filtering service provider MessageLabs has seen, in recent months, a sharp rise in security exploits that target specific C-level executives within companies in order to steal sensitive information.
This is one of the headlines from the annual Security Report from the UK-based company, which filters traffic on 2.5 billion email connections and 1 million web page requests every day.
"This is definitely the most serious conclusion from this report," said Mark Sunner, chief security analyst at MessageLabs. "These targeted attacks began in 2005, when we started seeing two a week, which increased to one every day in 2006. This year we've seen a real escalation, with 514 attacks intercepted in two hours on June 26, 1,100 in 16 hours on September 12, and 934 on November 19."
He said all the attacks were targeting a specific individual by name and by job title, with Trojans included in Word or RTF attachments. "It was all C-level execs, who are obviously the custodians of a company's secrets," he said.
Sunner said MessageLabs sought to verify the accuracy of the targeting and found that it was high, with the few cases where it was wrong being a CxO's secretary or PA that had been targeted instead. "This led us to suspect that the bad guys are using LinkedIn and getting it wrong on the occasions when the CEO himself doesn't use a computer but his PA does," he said.
He said the growth in such exploits is partly explained by the increasing ease of acquiring Trojan technology. "There is what we call a shadow economy growing up, where for $200 you can pick up a Trojan that's guaranteed to go under the nose of desktop AV, and in some cases the vendors will even provide a service contract for updates."
2007 has also been characterized by what Sunner called "the coming of age of botnets." He said that though they started life in 2003 with the Sobig worm, "this year we've seen the next evolution, with the SpamThru Trojan in the first half of the year and then the Storm worm later."
SpamThru was an innovative exploit on two counts. First, because it used peer-to-peer technology, with each node holding a template of the spam to be sent and a mailing list, enabling it to pump out spam without necessarily being connected to the botnet herder. It also made detection of the herder much more difficult, as they could effectively hop from one peer to another in the network to restart attacks.
Second, the Trojan came with its own AV, which Sunner said was a hacked version of Kaspersky, so that it could remove other worms and Trojans from the affected machine, an important consideration when botnets are being rented out with guaranteed quality of service in terms of available bandwidth.
He said the nature of spam has also undergone changes this year. "Pumping is intermittent, with each spike being an independent run, so you'll get a few minutes of a stock pumping exploit, then nothing, then a few minutes of Viagra ads, then nothing again, and so on," said Sunner.
Our View
That MessageLabs should report an increase in attacks targeting individual C-level execs underscores the general trend toward a professionalization of Trojan writing, with the profit motive replacing notoriety as the ultimate goal. It also goes some of the way to explaining why data leak prevention technology has been such a hot topic over the last year and a half, with multiple start-ups being acquired by larger players who identify it as a growing requirement.
Of course, DLP technology is also designed to stop disgruntled employees, malcontents, and industrial spies from sending intellectual property or sensitive data outside a corporate network intentionally, and for that there is clearly also a requirement. In this context, however, DLP is after the fact, in that it will try to stop something being exported from a network after a Trojan has been planted on a CxO's machine, whereas filtering services like MessageLabs aim to catch the Trojan on the way in.