
Study of emerging trends of cyber attacks in Indian cyber space & their countermeasures


Alok Pandey (1), Dr Jatinderkumar R Saini (2)

(1) Senior Systems Manager, BIT (Mesra), Jaipur Campus, alokpandey1965@yahoo.co.in

(2) Director (I/C) & Associate Professor, Narmada College of Computer Application, Bharuch, Gujarat, India, saini_expert@yahoo.com

Abstract

Targeted attack refers to intrusions by attackers who aggressively pursue and compromise specific targets, often using social engineering and malware. Such attacks maintain a constant presence within the victim's network, move throughout the target's network and extract sensitive information. Such attacks are mainly aimed at civil society organizations, business enterprises, and government and military networks. As a result, targeted attacks have become a priority threat. In this paper we examine the different stages involved in a targeted attack, from the reconnaissance phase through to the data ex-filtration phase, explore trends in the tools, tactics and procedures used in such attacks, and conclude with a high-level examination of mitigation strategies.

Keywords: Cyber Crimes, Targeted Attacks, Adware, Malware

1 Introduction

Cyber criminals in India are using different tactics. They are using targeted attack methods like website defacement, old and effective exploits, botnets and remote administration to exploit victim computers. It has been observed that the Indian community falls prey easily to fake movie-download links and sites. One of the latest reports says that India stands at rank 3 among the top ten countries where people click movie-related links which eventually lead them to threats. Such links may appear in blogs, social networking sites, etc. One of the latest such threats relates to the unfortunate incident at the Delhi Zoo: it asks the user to follow certain links to see an unedited version of the incident which is not being shown on TV and other related media.

One recently published report [1] shows that, on average, nearly 2.5 million pieces of malware are detected every month in India.

Fig. 1 Top 10 Malware Detections in India

Another problem that users are facing pertains to adware. Latest trends show that an average Indian user is exposed to several adware programs.

Fig. 2 Top 10 Adwares Detected in India

The report [1] also showed that India stands at No. 3 in the list of countries affected by online banking infections.

Fig. 3 Online Banking Infections

The report [1] also shows that huge numbers of malicious apps are downloaded.

Fig. 4 Malicious app downloads in India

In its annual report for the year 2013, CERT-In shows that it handled more than 71000 incidents such as spam, website intrusion and malware propagation, malicious code, phishing, and network scanning and probing. The summary for some previous years as published by CERT-In [2] is given in Table 1.

Table 1 Incidents handled by CERT-In

Some security threats handled by CERT-In are:

1.1 Website Intrusion And Malware Propagations

Several incidents of website intrusion and drive-by-download attacks through compromised websites have been reported. Close to 4250 malicious URLs were tracked in the ".in" space. Several legitimate websites were compromised to redirect visitors to malicious websites which exploit vulnerabilities in client-side applications and deliver malware such as keyloggers and information stealers. The malicious websites use attack toolkits like Blackhole, RedKit, Nuclear, Darkleech, etc. and include shellcode and JavaScript for exploiting vulnerabilities in Internet Explorer, Java SE/SDK, Adobe Flash, Silverlight, etc.

1.2 Trojan Cryptolocker

Another type of infection, spreading via malicious hyperlinks shared through spam emails and social media, malicious email attachments (fake FedEx and UPS tracking notices), drive-by downloads, or as a file dropped by other malware, is Trojan Cryptolocker. Cryptolocker may encrypt files located on the victim's storage devices, such as local drives, external hard disks, network file shares or network drives, USB drives, or cloud storage drives, using RSA public-key cryptography, with the private key stored on the malware's control servers.

1.3 Zero Access Botnet

One widespread multi-component malware family of rootkits is Win32/Sirefef, a.k.a. "Zero Access", which affects Windows operating systems. It spreads mainly through pirated software, exploit kits and other malware downloaders. It uses disk-level hooking to hide itself, its related files and its network activities, and hence its detection and removal is difficult.

1.4 DDoS attack Trends

It has been observed that, during 2013, vulnerabilities in Content Management Systems like Joomla, WordPress, etc. were being used to exploit websites in the government and corporate sectors and launch Distributed Denial of Service attacks. Different types of attack scripts are hosted and used to launch Distributed Denial of Service attacks using the resources of the web servers of the compromised websites.

1.5 Tracking of Indian Website Defacements

Around 24000 cases of defacement of Indian websites in various domains have been tracked by CERT-In, and suitable measures to harden the web servers have been suggested to the concerned organizations.[2] Their distribution is shown in Fig. 5.

Fig. 5 Indian top level domains defaced

1.6 Tracking of Open Proxy Servers

CERT-In has tracked more than 2000 open proxy servers existing in India and alerted the concerned system administrators to properly configure them so as to reduce spamming and other related malicious activities originating from India. Fig. 6 shows the month-wise distribution of open proxy servers tracked during 2013.[2]

Fig. 6 Open Proxies

1.7 Botnet Tracking and Mitigation

There has been a constant increase in the tracking of bots and botnets involving Indian systems by CERT-In. After tracking and properly identifying the IP addresses of systems that are part of a botnet, the concerned users and the related Internet Service Providers have been notified and advised to clean up the concerned systems in order to prevent malicious activities using them.[2] Fig. 7 shows the increasing number of such bot-infected systems tracked in 2013.

Fig. 7 Botnet Statistics

All of the above shows that there is phenomenal growth in cyber crime and related malicious activities in and around the Indian cyber space, and establishes that cyber criminals are working in a more organized way and follow business models for generating revenue and profit from these crimes.

Cyber criminals treat cybercrime as a legitimate business of selling information, tools and resources; they profit not only from data but also from helping other cyber criminals. They often work in groups and follow the organized-crime business model. Each member of the group is assigned a specific role in the entire process, which makes it harder to track them and recover the stolen data or resources. They even outsource and hire computer owners to join their botnets.

In order to generate more and more cyber criminals, they even train others who are interested in learning the established techniques and practices and in launching more sophisticated attacks. Regional underground specialization in services like traffic diversion systems, pay-per-install, attack services, Distributed Denial of Service and compromised hosts/botnets has been observed. One of the attack techniques increasingly used by cyber criminals against large business houses, financial institutions and some government-related organizations is called the targeted attack. It is a well-established technique which is now being used with newer variations.

2 Targeted Attacks

Targeted attacks are attacks that exploit vulnerabilities in popular software to compromise specific target systems, and they are becoming increasingly common. Such attacks are neither automated nor conducted by amateurs. They may be well coordinated and include a series of failed and successful compromises, or form part of a broader campaign, with the prime aim of obtaining sensitive data.

One such attack, highly publicized in late 2009, was the "Aurora" attack on Google, which also affected several other companies. Prior to this there was hardly any public awareness of targeted malware attacks.[3] Such attacks are still taking place and are targeted at government, military, corporate, educational and civil society networks. Countries like the U.S., Canada, South Korea and France have all experienced serious security breaches into sensitive networks.[4][5]

We have seen in the recent past that RSA was also compromised using a targeted malware attack.[6] The data stolen during the attack might have helped in conducting subsequent attacks against several other companies and a laboratory.[7] Such targeted attacks using social engineering have been ongoing since at least 2002.[8][9]

The first such campaign to be covered by the press occurred in March 2004 and is known as Titan Rain.[10] In 2005 these attacks were revealed by TIME magazine, which highlighted the beginning of "cyber-espionage" and the threat it posed to government and military networks. The New York Times revealed similar cases which happened in 2007 in the United States, where systems were compromised using targeted phishing emails.[11] In 2008, Business Week documented such threats to defense contractors and other large private enterprises.[12] The report revealed that social engineering techniques were used to lure potential victims into executing malware which allowed the attackers to take full control of the computers.

In the meantime, the connection between targeted malware attacks using social engineering and malicious documents was demonstrated by some researchers.[12][13][14] At security conferences it was shown that attackers were using exploits in popular software packages to send malicious documents (such as PDFs, DOCs, XLSs and PPTs) in socially engineered emails to a variety of targets. In 2009, the New York Times revealed the existence of GhostNet, a cyber-espionage network that had compromised over 2000 computers in 103 countries.[15] The attackers used socially engineered emails to persuade victims to click on a malware-laden attachment, which in turn permitted the attackers to gain control over the compromised system. Subsequently the attackers would instruct the compromised computers to download a Trojan, called gh0st or gh0stRAT, with which the attacker could take real-time control of the compromised computer system.

The network was named GhostNet because the attackers used a Remote Access Trojan called gh0stRAT; they were able to maintain persistent control over the compromised computers for up to 660 days. A year later, the New York Times again reported on the existence of another cyber-espionage network [16] that misused a variety of services including Twitter, Google Groups, Blogspot, Baidu Blogs, blog.com, etc. Around 200 computers were compromised, mostly in India, which contained Secret, Confidential and Restricted documents.

In 2010 Stuxnet revealed that targeted malware attacks could be used to interfere with industrial control systems.[17] Stuxnet was designed to modify some programmable logic controllers (PLCs).[18] The target of the attack was Iran's uranium enrichment capability.[19] Stuxnet demonstrated that future threats could focus on sabotage rather than just espionage.

Most Internet users are likely to face common threats such as fake security software (FAKEAV) and banking Trojans (Zeus, SpyEye, Bancos).[20][21][22] There are hardly any boundaries left between online crime and espionage. Such developments indicate that attacks that are criminal in nature, like targeting the banking credentials of individuals, may also pose a threat to the government and military sectors, as the ultimate aim of the attackers is to maximize their financial gain from malware attacks.

Targeted attacks are geographically diverse and are most often aimed at civil society organizations, business enterprises and government/military networks. In a targeted attack the victim receives a socially engineered message, like an email or instant message, that lures the victim into clicking on a link or opening a file. These links or files contain malware that exploits known vulnerabilities in popular software such as Adobe Reader (e.g. PDFs) or Microsoft Office (e.g. DOCs). The payloads of these exploits are malware that is silently executed on the target's computer. As a result, the attacker takes control of, and obtains data from, the compromised computer.

The study of the different stages of an attack can provide a better understanding of the procedures followed by the attackers.[23][24][25] A targeted attack can be broken down into six components:

Reconnaissance/Targeting: involves profiling the victim to acquire information such as defensive mechanisms and other software deployed, and to understand the roles and responsibilities of key persons using that system or network.

Delivery Mechanism: pertains to the selection of a delivery mechanism, like email or IM, along with social engineering, and the embedding of malicious code and/or malware in a delivery vehicle such as a PDF.

Compromise/Exploit: execution of malicious code, with the help of humans, which results in a compromise and gives control of the victim's system to the attackers.

Command and Control: a link from the compromised system to a server under the attacker's control. This could be the server component of a Remote Access Trojan (RAT) or any server through which the attacker can issue commands to download additional malware onto the compromised system.

Persistence/Lateral Movement: the procedures and techniques by which the malware survives a reboot of the victim machine, continues to provide remote access, and provides the ability to move laterally throughout the network, enumerating file systems and seeking sensitive information.

Data Ex-filtration: involves locating sensitive data and transmitting it, using encryption and compression, to other locations under the attacker's control.

3 Trends in Targeted Attacks

The latest patterns in the different stages of targeted attacks [26] are described below:

3.1 Reconnaissance/Targeting

One of the most commonly used techniques in targeted malware attacks is social engineering. The objective of social engineering is to manipulate individuals into revealing sensitive information or executing malicious code. A variety of public sources, including business profiles and social networking sites, are often used in social engineering. Social engineering attacks typically involve current events, subject areas of interest and business functions related to the victim. To gain the confidence of the victim, messages are sent which seem to have originated from someone known within the victim's organization or social network.[27][28]

The following types of social engineering techniques are seen:

• In order to masquerade as a real person who might be known to the victim, the attacker registers email addresses with popular webmail services such as Gmail, Yahoo! Mail and Hotmail using the names of the target's colleagues.
• Attacks may be based upon spoofed legitimate business or governmental email addresses, which can be easily detected.[29]
• The attackers use personal email addresses, as employees often check their personal email accounts from work and even use these accounts for business purposes.[30]
• The attacker tries to misuse authority relationships, such as boss-employee, so that the target will open the malicious attachment.
• To increase authenticity, attackers also use the classification markings of government and intelligence services.[31]
• Attackers are now using techniques such as forwarding legitimate emails, from mailing lists or from emails acquired in previously successful attacks, along with malicious links and attachments.
• Attackers send two or more files, as the victim may scan only the first one for infections. If no infections are found, the victim believes that all the others are also clean and downloads or opens the rest of the attached files, which may contain the malware.
• Attackers may use the "res://" protocol to determine the software present in the target's environment, such as file-sharing programs, web browsers, remote administration tools, email clients, download managers and media players, as this information can be used in future attacks to identify specific applications for an appropriate exploit.[32]
• Attackers can detect security software like antivirus, personal firewalls, PGP encryption software and Microsoft security updates. They can also check for the use of virtual machine software, such as VMware, which might be used at the target end for trapping the attackers. The information obtained via social engineering is used by attackers in future attacks.

3.2 Delivery Mechanism

Different delivery mechanisms that are used are as follows:

• The delivery mechanism is mostly an email or an instant messaging service through which the attacker lures the victim into downloading malware by clicking a malicious link. The emails are often sent from webmail accounts, or from other spoofed email addresses through compromised mail servers.[41] Such emails contain an attachment, either a .pdf, .doc, .xls or .ppt, which contains malicious code designed to exploit vulnerabilities in a specific version of Adobe's PDF reader or Flash and some versions of Microsoft Office. An attacker may also use .exe files as attachments, or provide links to download them.
• Malware that uses Unicode characters to disguise the fact that it is an executable has recently been discovered. Using this technique the attackers can change the displayed extension type from exe to, say, doc and take advantage of default Windows configurations that do not show file extensions. It has also been observed lately that attackers trick users into thinking that EXE files are simply directories by making the executable's icon an image of a folder.[33]
• The attacker may hide EXE files inside compressed file formats such as ZIP or RAR, and these may be encrypted to avoid network-based malware scanning.
• Another mechanism, called drive-by exploits, is seen in which the attacker simply includes a link to a web page that contains exploit code designed to exploit vulnerabilities in browsers or browser plug-ins in order to install the malware on the victim's machine.

Rather than sending the target to a completely unknown web page, attackers are now compromising legitimate websites that are contextually relevant to the target and embedding "iframes" that silently load exploits from locations under the attackers' control.[34]

Attackers also use instant messaging and social networking platforms, like Facebook messages, as delivery mechanisms. The New York Times reported that the "Aurora" attack on Google originated with an instant message.[35][36]
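As an added illustration (not part of the original paper), the Python sketch below triages attachment names for the disguises described in this section: Unicode characters that reorder how a name is displayed, a decoy document extension in front of an executable one, and executables or encrypted entries inside ZIP archives. The extension lists, the use of bidirectional control characters as the Unicode trick, and the sample archive are assumptions constructed for the example.

```python
import io
import unicodedata
import zipfile

# Extensions treated as directly executable on Windows (illustrative, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Document extensions a victim expects to be harmless (assumed list).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".jpg"}
# Bidirectional control characters that change the order in which a name is shown.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069\u200e\u200f")


def _ext(name):
    """Return the extension of the last path component, lower-cased, or ''."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    dot = base.rfind(".")
    return base[dot:].lower() if dot > 0 else ""


def check_name(name):
    """Return a sorted list of findings for one attachment or archive member name."""
    findings = set()
    if any(c in BIDI_CONTROLS for c in name):
        findings.add("bidi-control-character")
    # Drop invisible format characters (category Cf) so the stored order is judged,
    # not the order a file manager would display.
    clean = "".join(c for c in name if unicodedata.category(c) != "Cf")
    ext = _ext(clean)
    if ext in EXECUTABLE_EXTS:
        findings.add("executable-extension")
        if _ext(clean[: -len(ext)]) in DECOY_EXTS:
            findings.add("double-extension")
    return sorted(findings)


def scan_attachment(filename, data):
    """Check the attachment's own name, then every member if it is a ZIP archive."""
    report = {filename: check_name(filename)}
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                found = set(check_name(info.filename))
                if info.flag_bits & 0x1:  # general-purpose flag bit 0: entry is encrypted
                    found.add("encrypted-member")
                report[filename + "!" + info.filename] = sorted(found)
    # Keep only the names that produced at least one finding.
    return {name: found for name, found in report.items() if found}


def build_sample_zip():
    """Constructed sample archive; the members are placeholder bytes, not programs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("agenda/notes.txt", b"constructed sample text")
        zf.writestr("agenda/agenda.doc.exe", b"constructed placeholder")
        # Stored as ...gpj.scr, but displayed by many file managers as ...rcs.jpg
        zf.writestr("agenda/photo_\u202egpj.scr", b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, found in scan_attachment("agenda.zip", build_sample_zip()).items():
        print(repr(name), found)
```

RAR archives and the contents of encrypted members are outside what this sketch inspects; for an encrypted ZIP it can only report that the entry is encrypted and what its stored name is.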

3.3 Compromise and Exploit

The latest patterns of compromise are as follows:

• To install malware on the victim's computer, attackers use malicious code designed to exploit a vulnerability, or "bug", in particular software. They often exploit flaws in Adobe's PDF reader, Adobe Flash and Microsoft Office. A recent attack involved embedding a malicious Flash object inside a Microsoft Excel spreadsheet.[37]
• Another pattern that has been observed is that vulnerabilities in webmail services are being exploited to compromise email accounts. Personal email is becoming a target as users check their personal email accounts from the office.[38]
• Attackers have exploited an MHTML vulnerability, as reported by Google, in order to target political activists who use Google's services.[39]
• Recently a researcher in Taiwan revealed a phishing attack based upon a vulnerability in Microsoft's Hotmail service. Simply previewing the malicious email message may compromise the user's account.[40]
• It has recently been seen that cookies can also be used to launch a targeted attack.

3.4 Command and Control

The trends and patterns observed in the command and control centres are as follows:

• Malware executed on the target's system reports to one or more servers which are under the control of the attackers. Command and control mechanisms allow the adversary to confirm that an attack has been successful. The malware also provides information about the target's computer and network and allows the attackers to issue commands to the compromised target.
• The installed malware acts as a dropper, so that the attacker can instruct the compromised computer to download further components with additional functionality, such as second-stage malware like a remote access tool/Trojan (RAT), which allows the attackers to gain real-time control of the system.
• To keep the communication channel between the compromised machine and the command and control server open, control may be transferred to some other C&C center.
• Malware is making use of cloud-based command and control so as to blend in with normal network traffic.[41][42]
• Some attackers register domain names for their exclusive use, while others rely on Dynamic DNS (DDNS) services for free sub-domains. The free sub-domains provided by Dynamic DNS services are used with off-the-shelf RATs such as gh0st and Poison Ivy. While the attackers are offline, the domain names resolve to localhost or invalid IP addresses, but when they come online the domains resolve to the IPs of the attackers. Third-party locations can be used to update these RATs as needed.
• Customized DLLs are being created for specific targets and the other RATs.
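The Dynamic DNS behaviour described above leaves a recognisable trace in resolver logs: the same name alternates between a loopback or unusable answer and a routable one. The Python sketch below is an added example, not taken from the paper; the four-field log format, the set of addresses treated as "parked", and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Answers treated as "parked": loopback, the 0.0.0.0/8 "this network" block and the
# limited broadcast address. What counts as an invalid address is an assumption.
PARKED_NETS = [ipaddress.ip_network(n)
               for n in ("127.0.0.0/8", "0.0.0.0/8", "255.255.255.255/32", "::1/128")]

# Constructed sample: "<UTC timestamp> <client> <queried name> <answer>"
SAMPLE_LOG = """\
2013-11-04T01:00:00Z 10.1.4.23 www.intranet-portal.example 198.51.100.10
2013-11-04T01:05:00Z 10.1.4.23 update.freehost-ddns.test 127.0.0.1
2013-11-04T02:05:00Z 10.1.4.23 update.freehost-ddns.test 127.0.0.1
2013-11-04T03:05:00Z 10.1.4.23 update.freehost-ddns.test 203.0.113.77
2013-11-04T03:35:00Z 10.1.7.80 update.freehost-ddns.test 203.0.113.77
2013-11-04T05:05:00Z 10.1.4.23 update.freehost-ddns.test 0.0.0.0
2013-11-04T06:00:00Z 10.1.9.12 sinkholed.example 127.0.0.1
2013-11-05T03:10:00Z 10.1.4.23 update.freehost-ddns.test 203.0.113.91
"""


def is_parked(answer):
    """True if the answer is unusable as a destination (or is not an IP at all)."""
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:
        return True
    return any(ip in net for net in PARKED_NETS)


def find_flipping_domains(log_text):
    """Return names whose answers alternate between parked and routable addresses."""
    history = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, client, qname, answer = parts
        history[qname.lower().rstrip(".")].append((ts, client, answer))

    findings = {}
    for qname, events in history.items():
        events.sort()  # ISO-8601 UTC timestamps sort correctly as strings
        states = [is_parked(answer) for _, _, answer in events]
        if all(states) or not any(states):
            continue  # always parked (e.g. a sinkhole) or always routable: no flip
        came_online, transitions = [], 0
        for i in range(1, len(states)):
            if states[i] != states[i - 1]:
                transitions += 1
                if states[i - 1] and not states[i]:
                    came_online.append(events[i][0])  # parked -> routable
        findings[qname] = {
            "transitions": transitions,
            "came_online_at": came_online,
            "clients": sorted({client for _, client, _ in events}),
            "routable_answers": sorted({a for _, _, a in events if not is_parked(a)}),
        }
    return findings


if __name__ == "__main__":
    for name, detail in find_flipping_domains(SAMPLE_LOG).items():
        print(name, detail)
```

The `clients` list gives the internal hosts to examine first, and `came_online_at` shows when the name became reachable, which can be lined up against proxy and firewall logs.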

3.5 Persistence / Lateral Movement

After getting inside the target's network, the adversary maintains constant access to it and moves laterally throughout the network, locating data of interest for ex-filtration.

• In order to maintain persistence, the initial malware payload has some mechanism to ensure that it is restarted after a reboot of the compromised computer, using simple methods like adding the malware executable to the Windows "Startup" folder, modifying the Run keys in the Windows Registry, or installing an application as a Windows Service. It has been reported that 97% of malware uses one of these three methods to survive a reboot of the target system.
• The attacker downloads Remote Access Trojans (RATs) or tools that allow him to execute shell commands in real time on the compromised host.
• An attacker may escalate privileges to those of an administrator using techniques like "pass the hash" and aim at mail servers.[43]
• The attackers often download and use tools to "brute-force" attack database servers, extract email from Exchange servers and try to gain VPN credentials, so that they may maintain access to the network even if their malware is discovered.

3.6 Data Ex-filtration

The main aim of the attackers is to gain access to sensitive data and transmit it to locations which are under the attacker's control. To do so, the attackers collect the desired data and may compress it using RAR or ZIP tools, or even split the compressed file into small portions so that they can be transmitted to different locations under the attacker's control.

• Different transmission methods are used, like FTP and HTTP. Attackers are now also using the Tor anonymity network.[44]
• The malware sends directory and file listings to the command and control server, where the attacker may select specific files or directories to be uploaded. Attackers who use RATs may use the built-in file transfer functionality for doing so.

4 Detection and Mitigation

Defence against targeted attacks should be focused on detection and mitigation rather than simply on prevention. The ultimate objective of targeted attacks is the acquisition of sensitive data, so defensive strategies need to include the identification and classification of sensitive data so that appropriate access controls can be placed on such data.[45]

• Developing threat intelligence based upon indicators that can be used to identify the tools, tactics and procedures of an attack will help in defending against targeted attacks.
• Information like the domain names and IP addresses used by attackers to send spear-phishing emails or to host their command and control servers must be properly recorded and updated from time to time.
• Detection and monitoring of suspicious behaviors that indicate targeted attacks will help in mitigating such attacks, and should be based upon the following: logs from endpoints, servers and network monitoring should be carefully studied, and can be aggregated to provide a view of activity within the organization that can be processed for anomalous behaviors that could indicate a targeted malware attack.
• In order to maintain persistence, malware will make modifications to the file system and registry. Monitoring such changes can indicate the presence of malware.
• Security analysts with access to real-time views of the security posture of their organization should be in place to detect, analyze and remediate targeted attacks.
• Education and training programs, combined with explicit policies and procedures that provide avenues for reporting and a clear understanding of roles and responsibilities, are an essential component of defence.
• Sensitive information is stored not only in databases but also in the cloud, and is accessible through a variety of methods including mobile devices. While securing the network layer is an important component, it is also critically important to specifically protect the data itself. Identifying and classifying sensitive data allows the introduction of access controls and enhanced monitoring and logging technologies that can alert defenders to attempts to access or transport sensitive data.[46]
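The monitoring of file system and registry changes recommended above can be made concrete for the three persistence methods named in section 3.5 (Startup folder, Run keys, Windows services). The following Python sketch is an added example rather than the authors' method: it compares a baseline inventory of autostart entries with a later one. The pipe-separated snapshot format, the list of user-writable path hints and both sample snapshots are assumptions constructed for illustration.

```python
# Path fragments that usually indicate a location an unprivileged user can write to
# (assumed heuristic for ordering the review queue, not a verdict).
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed snapshots: "kind|location|name|command"
BASELINE = r"""
run-key|HKLM\Software\Microsoft\Windows\CurrentVersion\Run|SecurityHealth|C:\Windows\System32\SecurityHealthSystray.exe
service|HKLM\SYSTEM\CurrentControlSet\Services\Spooler|Spooler|C:\Windows\System32\spoolsv.exe
"""

CURRENT = r"""
run-key|HKLM\Software\Microsoft\Windows\CurrentVersion\Run|SecurityHealth|C:\Windows\System32\SecurityHealthSystray.exe
run-key|HKCU\Software\Microsoft\Windows\CurrentVersion\Run|AdobeUpdater|C:\Users\asha\AppData\Roaming\adbupd.exe
service|HKLM\SYSTEM\CurrentControlSet\Services\Spooler|Spooler|C:\ProgramData\spool\spoolsv.exe
startup-folder|C:\Users\asha\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup|notes.lnk|C:\Program Files\Notes\notes.exe
"""


def load_snapshot(text):
    """Parse snapshot lines into {(kind, location, name): command}."""
    entries = {}
    for line in text.strip().splitlines():
        fields = [f.strip() for f in line.split("|", 3)]
        if len(fields) != 4:
            continue  # skip malformed lines
        kind, location, name, command = fields
        # Registry paths and Windows file names are case-insensitive.
        entries[(kind, location.lower(), name.lower())] = command
    return entries


def diff_autostarts(baseline_text, current_text):
    """List added, modified and removed autostart entries, riskiest first."""
    base, cur = load_snapshot(baseline_text), load_snapshot(current_text)
    changes = []
    for key in sorted(set(base) | set(cur)):
        old, new = base.get(key), cur.get(key)
        if old is None:
            status = "added"
        elif new is None:
            status = "removed"
        elif old.lower() != new.lower():
            status = "modified"
        else:
            continue
        command = new if new is not None else old
        changes.append({
            "status": status,
            "kind": key[0],
            "name": key[2],
            "command": command,
            "user_writable_path": any(h in command.lower() for h in USER_WRITABLE_HINTS),
        })
    # Entries launching from user-writable locations are reviewed first.
    changes.sort(key=lambda c: (not c["user_writable_path"], c["status"], c["name"]))
    return changes


if __name__ == "__main__":
    for change in diff_autostarts(BASELINE, CURRENT):
        print(change)
```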

5 Conclusion

Targeted attacks are high-priority threats which are difficult to defend against. Such attacks use social engineering and malware which exploits vulnerabilities in software to penetrate traditional defenses. Such attacks are often seen as isolated events, but they are parts of a larger campaign, or a series of failed and successful intrusions. After getting inside the network, the attackers are able to move laterally to locate and target sensitive information for ex-filtration.

Defensive strategies can be greatly improved by understanding how targeted attacks work, their trends, and the tools, tactics and procedures that they use. As these attacks focus on the acquisition of sensitive data, defense should focus on protecting the data itself, wherever it resides. By effectively using threat intelligence derived from external and internal sources, combined with context-aware data protection and security tools that empower and inform human analysts, organizations are better positioned to detect and mitigate targeted attacks.

References

[1] Myla Pilao, "Divergence Of Cyberattacks: A Look Into The Cybercriminal Underground", Trend Micro

[2] Annual Report, 2013, CERT-In

[3] http://googleblog.blogspot.com/2010/01/new-approach-to-china.html

[4] www.cbc.ca/news/technology/story/2011/02/17/cyber-attacks-harper142.html

[5] www.computerworld.com/s/article/9213741/Frenchgovt_g gives_more_details_of_hack_150_PCs_compromised

[6] www.rsa.com/node.aspx?id=3872010/01/new-approach-to-china.html, www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html

[7] www.wired.com/threatlevel/2011/04/oak-ridge-lab-hack/, www.reuters.com/article/2011/07/06/us-energylab-hackers-idUSTRE7654GA20110706

[8] http://cablesearch.org/cable/view.php?id=08STATE116943

[9] www.threatchaos.com/home-mainmenu-1/16-blog/571-strategic-industries-should-go-on-high-alert

[10] www.time.com/time/printout/0,8816,1098961,00.html

[11] www.nytimes.com/2007/12/09/us/nationalspecial3/09hack.html?ref=technology

[12] www.businessweek.com/print/magazine/content/08_16/b4080032218430.htm

[13] http://events.ccc.de/congress/2007/Fahrplan/attachments/1008_Crouching_Powerpoint_Hidden_Trojan_24C3.pdf

[14] http://isc.sans.org/presentations/SANSFIRE2008-Is_Troy_Burning_Vanhorenbeeck.pdf

[15] http://isc.sans.edu/diary.html?storyid=4177

[16] www.nytimes.com/2009/03/29/technology/29spy.html, www.nartv.org/mirror/ghostnet.pdf

[17] http://threatinfo.trendmicro.com/vinfo/web_attacks/Stuxnet Malware Targeting SCADA Systems.html

[18] www.symantec.com/connect/blogs/stuxnet-breakthrough

[19] http://threatpost.com/en_us/blogs/report-iran-resorts-rip-and-replace-kill-stuxnet-072211

[20] Cybercrime: http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/wp04_cybercrime_1003017us.pdf

[21] Zeus: http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/zeusapersistentcriminalenterprise.pdf

[22] FAKEAV: http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/unmasking_fakeav__june_2010_.pdf

[23] http://computer-forensics.sans.org/blog/2009/10/14/security-intelligence-attacking-the-kill-chain/

[24] http://computer-forensics.sans.org/blog/2010/06/21/security-intelligence-knowing-enemy

[25] www.rsa.com/innovation/docs/SBIC_RPT_0711.pdf

[26] http://www.trendmicro.com/cloud content/us/pdfs/security-intelligence/white-papers/wp_trends-in-targeted-attacks.pdf

[27] www.nartv.org/mirror/shadows-in-the-cloud.pdf

[28] http://portal.acm.org/citation.cfm?id=1290958.1290968&coll=GUIDE&dl=GUIDE&CFID=74760848&CFTOKEN=96817982

[29] www.computerworld.com/s/article/print/9015092/White_House_use_of_outside_e_mail_raises_red_flags?taxonomyName=IT+in+Government&taxonomyId=13

[30] www.computerworld.com/s/article/print/9114934/Update_Hackers_claim_to_break_into_Palin_s_Yahoo_Mail_account?taxonomyName=Networking&taxonomyId=16

[31] www.nartv.org/2010/09/09/crime-or-espionage-part-2/

[32] http://blog.trendmicro.com/how-sophisticated-are-targeted-malware-attacks/

[33] www.nartv.org/2010/03/07/malware-attacks-on-solid-oak-after-dispute-with-greendam/

[34] www.nartv.org/2010/07/29/human-rights-and-malware-attacks/

[35] www.nytimes.com/2010/04/20/technology/20google.html

[36] http://blogs.aljazeera.net/asia/2011/03/23/china-and-google-detailed-look

[37] http://contagiodump.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html

[38] http://blog.trendmicro.com/targeted-attack-exposes-risk-of-checking-personal-webmail-at-work/

[39] http://googleonlinesecurity.blogspot.com/2011/03/mhtml-vulnerability-under-active.html

[40] http://blog.trendmicro.com/trend-micro-researchers-identify-vulnerability-in-hotmail

[41] www.nartv.org/2010/10/22/command-and-control-in-the-cloud/

[42] http://blog.zeltser.com/post/7010401548/bots-command-and-control-via-social-media

[43] www.mandiant.com/products/services/m-trends/

[44] www.nartv.org/mirror/shadows-in-the-cloud.pdf

[45] http://us.trendmicro.com/imperia/md/content/us/pdf/products/enterprise/datalossprevention/esg_outside-in_approach.pdf

[46] http://us.trendmicro.com/imperia/md/content/us/pdf/products/enterprise/leakproof/wp01_leakproof_dlp_100105us.pdf

Acknowledgements

We sincerely thank and acknowledge CERT-In and the guidance and support from Ms Myla Pilao, Director, TrendLabs, Trend Micro. The authors are highly thankful to them, as the present review and study paper is largely based upon their reports, white papers and publications, and without these this paper would not have been possible.

AUTHORS' PROFILE

Alok Pandey is Senior Systems Manager at B.I.T. (Mesra), Jaipur Campus. His qualifications include B.E. (EEE) and MBA. He is also MCSE, CCNA, RHCE and IBM Certified E-Commerce, and has also done a diploma in Cyber Law. He has networking and system administration experience of about 15 years. He teaches subjects like Data Communication & Computer Networks and Network Security. He is also a member of IAENG and ISOC. His research interests include Network Security & Computer Networks.

Date posted: 30/01/2020, 12:59
