Cybersecurity and Convergence

Advanced Persistent Threat: Key features of modern malware

By Don Maclean, Chief Cybersecurity Technologist, DLT Solutions

Malware, like legitimate technology, progresses at breakneck pace, continuously introducing new and ingenious features. Sadly, the technical sophistication and ingenuity, if aimed at legitimate goals, could benefit the world – and the developers themselves. Let’s take a look at some of the salient features in today’s world of malware.

Targeted and Self-Limiting

Most malware tries to spread as quickly as possible to as many systems as possible. The more infected systems, the greater the damage and the wider the dragnet for gathering data illicitly. Wide dispersion, however, multiplies the odds of detection and speeds remediation.

Advanced Persistent Threats (APTs) work differently. Aimed at a specific company, individual, or group of systems, this pernicious class of software stays under the radar as long as possible by infecting a small group of high-value targets. It’s a sniper rifle, rather than a machine gun.

Some APTs are so precisely targeted that they erase themselves if very specific circumstances – operating system version, configuration settings, file versions and other parameters – are not present. They even create installation keys based on the requisite parameters to ensure proper targeting.

APTs are also far less “persistent” than the name would suggest. Many of them uninstall themselves by design at a pre-designated date, or when they have achieved a specific objective. Still others will self-destruct immediately when they have been discovered, or if they detect a virtual environment commonly used for detection, detonation, and analysis.

Campaign-Oriented

APT designers do their homework and are patient enough to mount long-term, multi-stage campaigns to compromise a high-value target. For instance, the “Duqu 2.0” malware that recently infected Kaspersky Labs was clearly designed to evade the very specific malware protection systems in use on the target system. Success required thorough reconnaissance to determine the detection systems in use and painstaking research to create highly specific evasion mechanisms.

Windows will not allow installation of drivers lacking a valid digital signature. Consequently, malware requiring a driver must either evade the signature requirement or use a stolen certificate. The latter method is rare, because stealing a certificate is difficult even for advanced hackers, but its use indicates the lengths to which bad actors will go to compromise their target. [1]

Advanced Design Elements

Modern malware exhibits a wide range of highly sophisticated design features. I’ll look at a few in depth and list the others for those who want to dig deeper on this topic.

Hiding Command-and-Control Traffic
Hackers control compromised systems through customized command-and-control (C&C) systems. C&C traffic can trigger intrusion detection systems, which hackers try – often successfully – to evade.

One technique is to encrypt the C&C traffic, which of course requires decryption by the target system. Another technique, called steganography, is to hide the C&C traffic inside a file – often an image file – that appears innocuous. [2]

Some malware combines these techniques by encrypting the C&C traffic before “smuggling” it in through an image (or other) file.

Encrypting and Compressing Stolen Data

Data loss prevention (DLP) systems can detect when data is moving to places it should not go, so APTs encrypt the exfiltrated data to avoid triggering the DLP mechanism. As with the C&C traffic, APTs will take the extra step of embedding the purloined information in an image file using steganography. To add fuel to the fire, some APTs use multiple encryption methods, further complicating the detection, analysis and eradication processes.

APTs also compress stolen data for several reasons. First, smaller quantities of data are less likely to be noticed by humans or by automated detection systems. Second, it adds another layer of obfuscation to the data. Third, it is simply a more efficient way to transfer large quantities of information. Again, as with encryption, APTs will make life difficult for the victim by using multiple compression algorithms. Moreover, the algorithms, both for encryption and compression, are often rare and are used in ever-varying combinations. [3]

Misdirection

Okay, this element is not terribly advanced, but it’s worth mentioning. Some malware will embed signatures or tell-tale signs of other well-known hacker groups. For instance, the Duqu 2.0 malware, which recently infected Kaspersky Labs, included references to a Romanian hacker group. Researchers quickly realized, however, that the malware could not have come from that group.
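Worked example, added here and not part of the article or of any DLP product: an entropy check a defender can run over outbound transfers, which still catches the encrypted or compressed exfiltration described above even though that encoding defeats content-matching DLP rules. The file names, the sample payloads, the 7.2 bits-per-byte threshold and the 512-byte minimum are assumptions chosen for illustration.

```python
import hashlib
import math
import zlib
from collections import Counter
from typing import Dict, List


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 is the maximum."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_payload(data: bytes, threshold: float = 7.2, min_len: int = 512) -> str:
    """Label an outbound payload by byte entropy (threshold and min_len are assumed values).

    Encrypted or well-compressed content is close to uniformly distributed and scores
    near 8.0; ordinary text scores far lower. Very short payloads cannot reach a high
    score even when encrypted, so they are reported separately rather than as plaintext.
    """
    if len(data) < min_len:
        return "too-short"
    return "high-entropy" if shannon_entropy(data) >= threshold else "plaintext"


def flag_transfers(transfers: Dict[str, bytes]) -> List[str]:
    """Names of transfers that a keyword-based DLP rule would miss but entropy flags."""
    return [name for name, body in transfers.items() if classify_payload(body) == "high-entropy"]


def _pseudo_ciphertext(n: int) -> bytes:
    """Deterministic SHA-256 chain standing in for real ciphertext (constructed, not a capture)."""
    out, block = bytearray(), b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed samples: the same stolen file as-is, after compression, and after encryption.
REPORT = "".join(f"row {i}: amount {(i * 7919) % 100000}\n" for i in range(2000)).encode()
COMPRESSED = zlib.compress(REPORT, 9)
CIPHERTEXT = _pseudo_ciphertext(len(COMPRESSED))
SAMPLE_TRANSFERS = {"report.txt": REPORT, "report.bin": COMPRESSED, "report.enc": CIPHERTEXT}

if __name__ == "__main__":
    for name, body in SAMPLE_TRANSFERS.items():
        print(f"{name:11s} {len(body):6d} bytes  entropy={shannon_entropy(body):.2f}  {classify_payload(body)}")
    print("flagged:", flag_transfers(SAMPLE_TRANSFERS))
```

In practice the score is paired with file type, destination and volume, since legitimate archives and TLS sessions are high-entropy too.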
[4]

Use of Zero-Day Exploits

In the hacker world, zero-day exploits are bought and sold regularly. Modern malware will leverage zero-day attacks, often using multiple exploits in complex combinations, to remain undetected as long as possible.

Other sophisticated design features include:

- Virtual file systems;
- Modular design to customize the malware to the target;
- Code obfuscation to hamper reverse engineering;
- Avoidance of resource starvation (run “low and slow”);
- File-less installation (e.g., Windows can run code directly from the registry);
- Cloud deployment, or “malware-as-a-service” (it was just a matter of time)

Mitigation

It’s all well and good to understand APTs, but the main question is how to protect your systems from intrusion by modern malware. As we have seen, APTs use a large array of attack techniques, so the best protection comes from a wide array of defenses. Start with the basics: limit and monitor administrative privileges, keep the operating system and applications patched, perform regular vulnerability scans and employ application whitelisting when possible. Encrypt your data, so if it does get exfiltrated, the attackers will need to steal keys as well. You may not stop them, but at least make their task as difficult as possible. Use as many overlapping defenses as you can afford, but prepare for the worst and know what to do if you are compro-