Defining Advanced Malware is as Difficult as Preventing It (Part 1 of 2)

Advanced targeted attacks—or the ubiquitous advanced persistent threat (APT), if you prefer—have captured the attention of the security industry because of their clandestine and sinister nature. Unfortunately, it is almost as challenging to get the security industry to agree on what constitutes an APT as it is to protect against one, but we can identify and agree upon a few common themes.

Before I begin, I do want to make reference to testimony before congress from Richard Bejtlich, currently CSO at Mandiant, and formerly USAF. Rather than summarize, I'll quote from the hearing on "Developments in China's Cyber and Nuclear Capabilities:"

"...I use the strict definition of APT as created by the Air Force in 2006, namely as an unclassified reference to intrusions sets ultimately traced back to actors in China."

This is a very fair and accurate definition. However, at the core, it requires the big "A"—attribution. Private companies (excluding government contractors) rarely have the ability to accurately identify a specific attacker, hence, making the distinction among a PLA unit, university training program, or contracted hacker, difficult. Because of that missing link, and the fact that many have misused the term, many attacks are miscategorized as APT simply due to being "advanced."

Having said that, whether an attack is APT (or more accurately, if the attacker is the APT), or whether the attack is from another well-financed adversary, the TTPs have significant overlap. A typical scenario combines sophisticated exploits and social engineering to breach networks, execute malware instances, and establish communication with command and control (C&C) servers. As a result, technologies that examine executable files, monitor outbound communication, or analyze suspicious patterns in the network have become very popular; however, the effectiveness of some such solutions is questionable at best since advanced malware is constantly evolving to stay a step ahead of detection.

In this post, I will delineate the key characteristics of an advanced persistent threat and discuss some of the common approaches to mitigation. In a follow-up post, I will deconstruct why these common approaches are little more than a Band-Aid on a gaping wound.

The Anatomy of an Advanced Persistent Threat

First off, the "APT" is a "who," not a "what" or "how," although the majority of the industry doesn't make this distinction. It may sound as foreign as when a root server operator refers to "The DNS."  Regardless, an attack from the APT typically begins with an exploit against ubiquitous software, typically a browser, document renderer, or media viewer. The other major vector is using alluring forms of social engineering to convince users to open infected files (think a cleverly named .chm/.hlp or .scr/.exe/.pif wrapped in a zip/rar/7-zip file). Email attachments and URLs are the most prevalent attack vectors, but certainly things like targeted malicious ads, attacks of public-facing infrastructure (think Web or database servers), and physical breaches, can be—and have been—utilized.

Some far and wide will try to convince you that all attacks from the APT leverage zero-day vulnerabilities and brand new malware families, but that is a fallacy. The APT uses the bare minimum amount of effort to compromise targets. Akin to the DoD colloquialism, "When it absolutely, positively, has to be destroyed overnight," zero-day exploits are used. However, when it comes to the day to day attacks we see from those same actors, they are using exploits against vulnerabilities for which the vendor has provided a patch, or attacks that don't have an exploit at all. The reality is that not all the threat actors are A-team players, and more importantly, when the less sophisticated exploits have a >0% success rate, why burn a zero-day? There is no retribution for failed attacks, after all.

Regardless of how the breach occurs, the exploit creates a malware instance on the host, either on disk or by injection into a process. In turn, that instance beacons out to a C&C server, generally using some sort of encoding or weak encryption.  SSL is used in subsequent payloads, but generally not in the initial dropped binary.

Preventative Measures

As we can see, targeted malware attacks exploit multiple vectors and executes complex operations from within the network. Many technologies that touch on only one aspect of this process claim to be able to stop it as a whole. This is misleading. In reality, this is like claiming that you’ve solved your mouse problem by strategically purchasing one giant trap.

There are three primary network-based technologies the security industry touts as solutions to targeted malware:

  1. Those that examine executable files for maliciousness;
  2. Those that attempt to discover the outbound communication of the malware; and
  3. Those that scan the body of the communication for known patterns, such as social security or credit card numbers.

When prodding vendors for actual technical details for the above attack scenarios, one will find that APT detection capabilities boil down to:

  1. Discovering C&C channels by analyzing IP connections for known badness (public/private blacklisted IPs/CIDRs);
  2. Analyzing DNS queries (searching for blacklisted domains, fast-flux, strange cc/gTLDs, recently registered domains, etc.); and
  3. Sending malware back to the vendor’s cloud and having analysts manually identify unique indicators such as specific User-Agents, URL/URI patterns, or patterns in callback frequency.

If only it were so easy. Ask any vendor how those tools could stop something as simple as when the APT creates a single gmail account, weaponizes a word doc with a recently compiled payload specific to you, and beacons out through a newly created blog hosted on the domain yahoo.com. Or when they eventually use a zero-day vulnerability and pull down a remote payload embedded inside a well-formed image file. Or worse, when they embed their entire C&C protocol on a service such as Box.net or Google groups, which is SSL based and has a good "reputation." In general, adversaries are human beings, and humans get creative when it comes to "hiding in plain sight." In my next post, I will provide more detail about how advanced malware evades defenses, but for now I hope to have provided a better understanding of the complexity of this challenge and the simplicity of many of the so-called solutions.