Speaking at the B-Sides London conference, Candid Wuest, senior software engineer at Symantec advanced threat research, discussed the sophistication of targeted attack malware.
He began by saying that not all attacks are after money or intending sabotage, and that "banking Trojans have been there and will remain there because they work".
Of the millions of variants seen by threat labs, he said, some are sabotage attacks, and he highlighted the Bit9 and Adobe certificate attacks, Flame and Stuxnet, but said that there is not an average script landslide, calling the Jokra Trojan not really that sophisticated, as it can be achieved with the right amount of research.
He said: “Stuxnet was not as sophisticated as everyone claims, but it worked. The next stage is getting stuff out of businesses and that is pretty simple too as attackers use HTTPS so the traffic is not detected by the firewall or intrusion detection system.
“Targeted attacks do happen, but it is not always about fancy stuff – but it does happen, as it can be profitable. Tools are often off the shelf but sophisticated, so why put more effort into it? Many attacks use the Poison Ivy Trojan, as it is less likely to be detected in a targeted attack, as detection does not care about the smaller threats.
“There are people behind Trojans, not machines, and they log in and search for stuff on your machine and at the end, it is just a shell.”
Asked why anti-virus does not pick up these commonly used threats, Wuest said that it is difficult to say, as it comes down to signature-based versus reputation-based and behaviour-based anti-virus detection. “People are swamped and we see 1.6 million variants every day,” he said.