
CEOs, CIOs take care...
By Liam Tung
Published: 26 September 2007 08:47 GMT
C-level employees of publicly listed companies are being targeted by cyber criminals using malware-infected RTF (Rich Text File) documents disguised as recruitment letters.
Security vendor MessageLabs reported that 1,100 emails containing malware-infected RTF attachments were recorded over a 16-hour period this month. Four separate waves appeared between 13 and 14 September, the company said.
A MessageLabs spokesman said: "All [the emails] were going after C-level management. The emails included the company name in the subject field, purporting to be a recruitment company. What it had in the attachment is an executable RTF file."
Similar emails were noticed in June this year, he said.
The email, which contained no body text, included a dot-SCR screen saver dummy file within an executable RTF file, the spokesman said. When recipients attempt to open the file, a message is displayed stating: "Microsoft has encountered an error and had to close." The recipient is then advised: "To view this, double click on the message."
Once activated, the RTF file starts a chain of downloads which establish a secure connection between the attacker's server and the infected computer.
The C-level nature of the targets clearly indicates that the attackers are after information, said the spokesman, but the greater concern is the social engineering technique used to spread the Trojan-harbouring email.
He said: "The way that this works has the potential to be so effective. You are getting that top down approach - if they forward that email on internally, that email is coming from a trusted source."
The spokesman added that all the emails were addressed to a single person, which helps diminish their conspicuousness.
F-Secure security expert Patrik Runald recently postulated that the perfect attack would be a zero-day attack using a rootkit-cloaked Trojan sent to an HR manager who, due to company policy, would be compelled to open the document.
Runald said: "These are scary cases because it's really hard to protect yourself against. We have to run Office and we have to allow Word, RTF, PowerPoint and Excel files through. It shows that signature based antivirus is not enough; you need more technology than that."
Runald added that there is little organisations can do to protect against these threat types besides educating users about the risks, because banning the receipt of common file types is impractical.
Heuristic or behaviour-based monitoring is proving more effective at blocking these attacks, since the behaviour of the file remains the same even when different signatures are used, he said.
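As an added illustration (not code from the article, MessageLabs or F-Secure), the Python triage routine below applies the kind of content heuristic the article describes to an RTF document: it hex-decodes every embedded `\objdata` object and flags one that carries a Windows PE header or records an executable filename such as `.scr`. The sample RTF, its simplified "Package" layout and the name `resume.scr` are constructed for the example.

```python
import re
import struct

# Body of each {\*\objdata ...} group: hex digits interleaved with whitespace.
OBJDATA_RE = re.compile(r"\\objdata\b([^{}]*)")
NON_HEX_RE = re.compile(r"[^0-9A-Fa-f]")
# Original filename that an OLE "Package" object records for the embedded file.
EXEC_NAME_RE = re.compile(rb"[\w\- ]{1,64}\.(?:scr|exe|pif|com|bat|cmd)(?=\x00)", re.IGNORECASE)

def extract_objdata(rtf: str) -> list:
    """Hex-decode every \\objdata payload found in the RTF text."""
    blobs = []
    for match in OBJDATA_RE.finditer(rtf):
        hexstr = NON_HEX_RE.sub("", match.group(1))
        blobs.append(bytes.fromhex(hexstr[: len(hexstr) // 2 * 2]))  # drop a dangling nibble
    return blobs

def contains_pe(blob: bytes) -> bool:
    """True if the blob holds a DOS 'MZ' header whose e_lfanew points at a 'PE\\0\\0' signature."""
    idx = blob.find(b"MZ")
    while idx != -1:
        if idx + 0x40 <= len(blob):
            (e_lfanew,) = struct.unpack_from("<I", blob, idx + 0x3C)
            if blob[idx + e_lfanew: idx + e_lfanew + 4] == b"PE\x00\x00":
                return True
        idx = blob.find(b"MZ", idx + 1)
    return False

def triage_rtf(rtf: str) -> dict:
    """Flag an RTF document that embeds an object whose payload is a Windows executable."""
    result = {"embedded_objects": 0, "pe_payload": False, "executable_name": None, "verdict": "clean"}
    for blob in extract_objdata(rtf):
        result["embedded_objects"] += 1
        if contains_pe(blob):
            result["pe_payload"] = True
        name = EXEC_NAME_RE.search(blob)
        if name and result["executable_name"] is None:
            result["executable_name"] = name.group(0).decode("ascii", "replace")
    if result["pe_payload"] or result["executable_name"]:
        result["verdict"] = "suspicious"
    return result

def build_sample_rtf() -> str:
    """Constructed sample: RTF embedding a Package object that wraps a fake 'resume.scr' PE stub."""
    # Minimal PE skeleton: 'MZ', e_lfanew = 0x40 at offset 0x3C, 'PE\0\0' at 0x40. Not a real program.
    pe_stub = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 16
    # Simplified Package header (constructed): filename, original path, then file contents.
    package = b"\x02\x00resume.scr\x00C:\\temp\\resume.scr\x00" + pe_stub
    return ("{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Package}"
            "{\\*\\objdata " + package.hex() + "}}}")
```

A mail gateway would run `triage_rtf` over each RTF attachment and quarantine anything flagged `suspicious`, which catches repacked variants because it inspects what the object contains rather than a fixed signature.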
Liam Tung writes for ZDNet Australia