Targeted Destination Attacks
Overview

Conventional e-mail protection strategies depend on antivirus SMTP gateways to scan incoming messages and remove those with unsafe content. Virus writers, however, are now using an emerging tactic that bypasses these antivirus gateways. Using harvested IP addresses, criminals can send messages directly to recipients' mail servers, skipping the expected MX record lookup and any screening that would follow it. Unlike the random mass-mailing propagation methods used by viruses in the past, this targeted destination attack aims at specific sites and users. Such attacks defeat both hosted protection services and internal gateways to deliver e-mail with malicious payloads.

A further threat from targeted destination attacks is that the harvested addresses can also include servers with open IP addresses (such as a test system). By targeting such a server to receive incoming traffic, the perpetrator can bypass external or internal gateways and relay messages through the open system for delivery.

Analysis History

The potential for this type of threat has been understood for some time. Early indications of an actual attack surfaced in June 2005, when one organization using a hosted gateway service noted a surge in the Mytob virus in e-mails reaching end users. The e-mails escaped detection by using explicit IP addresses to avoid the hosted service. Since June 2005, other organizations have reported an increasing number of targeted destination attacks.

In a system with a traditional antivirus strategy, all SMTP traffic is routed via DNS (the MX lookup) to an internal antivirus system or hosted service, which removes malicious content before delivery. During a targeted destination attack, malicious e-mail bypasses the hosted antivirus protection because it is sent to a harvested explicit destination IP address. By not performing an MX record lookup, the sender reaches the network firewall unchecked.

Protecting and Preventing

Who is at risk?

Because all e-mail delivery depends on a destination IP address, virtually every e-mail user is at risk from a targeted destination attack. Because of its explicit, organization-specific approach, a targeted destination attack poses a serious risk as an emerging threat. Since this is a highly specific (and limited) approach, detection signatures for these custom viruses are unlikely to appear in commercial antivirus software, if they ever do.

Detection

No simple method exists to determine whether a targeted destination attack is bypassing the hosted service, bypassing an internal gateway, or using an open IP address to attack a test server. To detect targeted destination attacks, IT administrators should observe incoming traffic at the firewall and check its origin and destination: SMTP connections arriving from any source other than the hosted service, or destined for a host that should not be receiving mail at all, are the indicator.

Solution

IT administrators should configure the firewall to accept incoming SMTP traffic only from the hosted service's addresses. Where an organization also needs to accept mail directly from trusted partners, only those partners' IP addresses should be added to the allow list. For organizations with internal antivirus gateways, the firewall should forward all port 25 traffic only to that gateway.
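An added example, not part of the original advisory, showing both halves of this advice in Python: a check run over constructed iptables-style firewall log lines that flags port-25 connections from any source other than the hosted service, and the corresponding allow-list rules. The hosted-service ranges, the gateway address and the log lines are constructed placeholders.

```python
import ipaddress
import re

# Hosted filtering service egress ranges and the internal gateway address
# are constructed placeholders (RFC 5737 documentation space), not real.
TRUSTED_SMTP_SOURCES = [
    ipaddress.ip_network("203.0.113.0/28"),
    ipaddress.ip_network("198.51.100.10/32"),
]
INTERNAL_GATEWAY = "192.0.2.25"

# SRC=/DST=/DPT= fields of an iptables LOG target entry.
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?DPT=(?P<dpt>\d+)")

def is_trusted(src):
    """True if src lies in a hosted-service range; unparsable means untrusted."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_SMTP_SOURCES)

def find_bypass_attempts(log_lines):
    """(src, dst) pairs for port-25 connections from untrusted sources: mail
    that skipped the hosted service, or reached a host (e.g. a test server)
    that should not be receiving SMTP at all."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("dpt") == "25" and not is_trusted(m.group("src")):
            hits.append((m.group("src"), m.group("dst")))
    return hits

def iptables_rules(trusted=TRUSTED_SMTP_SOURCES, gateway=INTERNAL_GATEWAY):
    """Rules for the advisory's advice: accept 25/tcp only from the hosted
    service and only towards the internal gateway; log and drop the rest."""
    rules = [f"iptables -A FORWARD -p tcp --dport 25 -s {net} -d {gateway} -j ACCEPT"
             for net in trusted]
    rules.append("iptables -A FORWARD -p tcp --dport 25 -j LOG --log-prefix 'SMTP-DIRECT '")
    rules.append("iptables -A FORWARD -p tcp --dport 25 -j DROP")
    return rules

# Constructed sample log lines (iptables LOG format, abbreviated).
SAMPLE_LOG = [
    "IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.0.2.25 LEN=60 PROTO=TCP SPT=40211 DPT=25 SYN",
    "IN=eth0 OUT=eth1 SRC=198.51.100.200 DST=192.0.2.25 LEN=60 PROTO=TCP SPT=51234 DPT=25 SYN",
    "IN=eth0 OUT=eth1 SRC=198.51.100.200 DST=192.0.2.25 LEN=60 PROTO=TCP SPT=51235 DPT=443 SYN",
    "IN=eth0 OUT=eth1 SRC=203.0.113.200 DST=192.0.2.40 LEN=60 PROTO=TCP SPT=60000 DPT=25 SYN",
]
```

Running `find_bypass_attempts(SAMPLE_LOG)` on the sample lines reports the two direct deliveries (one to the gateway, one to a host that should not receive mail) and ignores the hosted-service connection and the non-SMTP line; the second flagged pair is the open test-server case the advisory warns about.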