Security firm Trustwave has discovered malware-laced tax software on the networks of two of its western customers after they opened offices in China.
The bank said the software was required to pay local taxes, and the software did in fact perform that function.
Trustwave calls this malware GoldenSpy and says it installed a backdoor on their clients' computers. The backdoor allowed the Chinese to connect to the computer, install other malware and run Windows commands.
GoldenSpy installs two copies of itself and will automatically reinstall itself if one of the copies is discovered. It has other self-protection measures as well.
It also waits two hours after the tax software is installed before silently installing the backdoor.
There is no way to prove how the malware got there, but given that the victims are western companies operating in China, you can draw your own conclusions. Credit: ZDNet
Okay, so what does this mean?
It is not completely clear, but certainly it raises some questions.
Assuming you are not doing business in China, should you worry?
There is nothing special about the technique used and, in fact, the NSA is reported to have used it against folks that they want to monitor.
The technique could be used by:
- Nation-state actors
- Probably a host of others
Since *you* installed the software voluntarily, most of the security controls in your system will not detect it.
We have seen a number of attacks like this over the years. Sometimes hackers compromise a developer's computer and insert the malware there, so that when the code is checked in and compiled, the malware is not detected.
But that is only one way the malware can get there.
Traditional anti-virus/anti-malware software will not detect this.
What will detect this is a service like Trustwave's. They do managed security services (we offer a similar product that is well suited to small businesses).
What the software needs to do is detect unusual behavior, such as accessing data it should not, connecting to web sites it should not, installing software, and so on.
Generally interpreting what the alerts mean requires an expert.
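To make the "unusual behavior" idea concrete, here is an added example (not code from the article, nor from Trustwave or any monitoring product) that runs a few simple behavioral rules over a constructed stream of endpoint events. The event names, file paths, domains and hashes are all invented for illustration. The rules mirror the three behaviors described above: an outbound connection to a domain that is not on the allow list, persistence (a new service) created long after, and by something other than, the original installer, and the same binary being written to two different locations.

```python
"""Toy behavioral-detection pass over constructed endpoint telemetry (example only)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime        # when the endpoint agent recorded the event
    kind: str           # "install" | "netconn" | "file_write" | "service_create"
    process: str        # image name of the acting process
    detail: str         # domain, written file path, or service name
    file_hash: str = "" # hash of the written file (only for file_write events)


T0 = datetime(2020, 6, 1, 9, 0)

# Constructed sample telemetry: a hypothetical tax package is installed and
# talks to its expected portal; two hours later it drops a helper twice,
# registers it as a service, and that helper phones home somewhere new.
EVENTS = [
    Event(T0, "install", "taxapp-setup.exe", r"C:\Program Files\TaxApp"),
    Event(T0 + timedelta(minutes=1), "netconn", "taxapp.exe", "tax-portal.example"),
    Event(T0 + timedelta(hours=2), "file_write", "taxapp.exe",
          r"C:\Windows\svc-helper.exe", file_hash="aa11"),
    Event(T0 + timedelta(hours=2, minutes=1), "file_write", "taxapp.exe",
          r"C:\ProgramData\svc-helper.exe", file_hash="aa11"),
    Event(T0 + timedelta(hours=2, minutes=2), "service_create", "svc-helper.exe", "SvcHelper"),
    Event(T0 + timedelta(hours=2, minutes=3), "netconn", "svc-helper.exe", "c2-placeholder.example"),
]

# Domains the tax application is expected to reach (constructed allow list).
ALLOWED_DOMAINS = {"tax-portal.example", "update.example"}


def detect(events, allowed_domains, quiet_period=timedelta(hours=1)):
    """Return a list of (rule, process, detail) alerts, in event order."""
    alerts = []
    installs = {}                   # installer image -> time of its install event
    paths_by_hash = defaultdict(set)  # file hash -> distinct paths it was written to

    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "install":
            installs[ev.process] = ev.ts

        elif ev.kind == "netconn" and ev.detail not in allowed_domains:
            # Talking to somewhere the application has no business reaching.
            alerts.append(("unexpected-outbound", ev.process, ev.detail))

        elif ev.kind == "file_write":
            paths_by_hash[ev.file_hash].add(ev.detail)
            if len(paths_by_hash[ev.file_hash]) == 2:
                # Same binary now lives in two places: a redundancy/self-protection sign.
                alerts.append(("duplicate-copy", ev.process, ev.file_hash))

        elif ev.kind == "service_create":
            # A service is expected only from an installer, shortly after its install.
            installed_at = installs.get(ev.process)
            if installed_at is None or ev.ts - installed_at > quiet_period:
                alerts.append(("delayed-persistence", ev.process, ev.detail))

    return alerts


def alerts_by_process(alerts):
    """Group alert rule names by the process that triggered them."""
    grouped = defaultdict(list)
    for rule, process, _detail in alerts:
        grouped[process].append(rule)
    return dict(grouped)


if __name__ == "__main__":
    for alert in detect(EVENTS, ALLOWED_DOMAINS):
        print(alert)
```

Each rule on its own is noisy (a legitimate updater also writes files and creates services), which is why the article notes that interpreting alerts takes an expert: the value is in correlating several weak signals from the same process chain rather than in any single rule.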
What is less clear is how frequently this happens, because most companies do not have software or services like these companies did. There are also no laws requiring companies to report these types of attacks unless the company is publicly traded and the attack materially affects the company's balance sheet.
Assuming the software doesn't break anything, it would likely go undetected. Forever!
If you do not have anything in place to detect this type of malware, you should definitely consider it.
Historically, these types of attacks are designed to steal intellectual property. IP theft is more difficult to detect because there are no systems in place nationally to detect this type of theft, as there are for credit card fraud. In addition, IP theft has a long shelf life. If you steal information about a company's business processes, for example, that information will be valuable until the company no longer uses those business processes, which could be decades later.
If the IP theft is controlled by a competitor, then that competitor could use the information to unfairly compete with the company whose information was stolen.
If you need more information, please contact us.