Attackers Step Away From Mainstream, Target Lesser-Known Apps

Microsoft has Patch Tuesday. Oracle and Adobe are on regular patch cycles, often issuing 10 or more patches at once. But many smaller vendors haven't yet developed such rigorous patching processes -- and that might make them prime targets for new exploits, experts say.

After years of attacking popular Microsoft file formats, such as Word and Excel, attackers moved on to Adobe's PDF and Flash formats. Today, more attacks are focusing on Oracle's Java. As they became subject to more frequent attacks, software vendors strengthened their platforms to make them more difficult to assault.

But for the most part, smaller software vendors have not had to weather the scrutiny of cybercriminals and security researchers. And because of this lack of scrutiny, attackers are beginning to develop more targeted and sophisticated attacks that take advantage of flaws in less popular software that has not had as much rigorous security testing.

"At some point, [attackers] are going to exhaust all the different file formats that they can exploit," says Mike Dausin, manager of advanced security intelligence for HP TippingPoint's DVLabs. "It was only .exes at first, and then it was screen savers, and on and on down the list. ... As the holes get plugged, [attackers] will likely move on to the more exotic formats."

The tactic is not unheard of among malware. In 2009, antivirus firms found that the Induc virus used Delphi files to build itself into programs and infect other systems. Around the same time, another piece of malware, Utax, used Virtual LISP to infect AutoCAD files. And, of course, one way that Stuxnet spreads is through the industrial control file format Step 7.

Focusing on the less scrutinized software means vulnerabilities will be easier to find, says Wolfgang Kandek, CTO for vulnerability management firm Qualys. For example, in April Microsoft patched a buffer overflow in the Windows Fax Cover Page Editor that could have allowed malicious code to run, Kandek says.

"It's very simple to find vulnerabilities in software products that are not as popular," Kandek observes. "As the software become less common, it becomes easier to find flaws."

However, targeting such applications requires good reconnaissance on the part of the attacker, says Daniel Guido, a security consultant with services firm iSec Partners. Attackers who know little about their targets will focus on software applications that are run everywhere. For that reason, Oracle's Java will continue to be a popular target of attack toolkits, he says.

"They want the most bang for their buck," Guido says. "And it may be true that a certain software package has a million vulnerabilities, but if the target is not using it, it doesn't make sense for them to focus on that software."

At the SOURCE Boston conference in April, Guido presented research that more sophisticated, targeted attacks can be analyzed to inform defenders' countermeasure against more run-of-the-mill attacks because mass attackers tend to borrow exploits from the more advanced threats.

"Those guys are not investing in resources to develop their own exploits," he says. "The trend in malware will exactly mimic the trend in APT [advanced persistent threats], so if you pay attention to one, by the very definition, you are paying attention to the other."

While defenders should focus on foiling attacks on Java and bad memory management, they also need to watch out for attacks on their less popular programs, says TippingPoint's Dausin.

"Keeping track of patch management of every application installed on your network is really what needs to happen," Dausin says. "But, of course, it is hard to get there."

Have a comment on this story? Please click "Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.