In an earlier post, I introduced the concept of “Advanced Persistent Threats” & “Designer Malware” at a very high level, the ‘101’ if you will. You may recall my reference to the article which Business Week ran in 2008 which addressed, briefly, the concept of Advanced Persistent Threats (APTs). No one knows for certain the true reach of such threats, but it can safely be assumed, based on both historical and current information, that instances of such threats continue to grow, with many going unreported to authorities or information security professionals for fear of the consequences associated with having been found first vulnerable and second compromised. Though there are many means by which a given threat might be introduced into an organization, some work better than others. Some of the most successful, in fact, still rely upon the most obvious and oldest of all threat vectors: human nature. Human nature is a wondrous thing; complex, multi-faceted, representative of all that we are, good and bad. It aids in defining us; however, it is not what defines us.

In June of 2006, Mike Bond and George Danezis of the University of Cambridge Computer Laboratory released a paper which posed an interesting question regarding the role which human nature plays with respect to the exploitation and compromise of both systems and people. In fact, in their abstract Bond and Danezis stated the following: “We study malware propagation strategies which exploit not the incompetence or naivety of users, but instead their own greed, malice and short-sightedness. We demonstrate that interactive propagation strategies, for example bribery and blackmail of computer users, are effective mechanisms for malware to survive and entrench, and present an example employing these techniques. We argue that in terms of propagation, there exists a continuum between legitimate applications and pure malware, rather than a quantised scale.” I loved this paper from the first time I read it and have had conversations with its authors regarding their views; I highly recommend it to anyone in our field, as its relevance is as indisputable as its timeliness.

It is key to recognize and emphasize the importance of diversity in malware propagation strategies. The vehicle for delivery can take many forms and may require that many variables be present and available. Attempting to compromise both systems and personnel requires that a discretionary mode of thought be employed in order to choose the simplest yet most effective means of accomplishing the goal. In short, adherence to the principle identified and immortalized by William of Ockham, “entia non sunt multiplicanda praeter necessitatem” (“when you have two competing theories that make exactly the same predictions, the simpler one is the better”), also known as Occam’s Razor.

With respect to Advanced Persistent Threats, I’d like to focus the remainder of this entry on the reinvention of the Trojan. I am going to focus on Trojans today because, as of late, I’ve been dealing a lot with them and find the evolution (revolution, really) taking place with respect to them quite interesting. Like all malicious programs, Trojans rely upon obfuscation in order to avoid being identified, detected, shut down and/or removed by a user or administrator. This reliance upon obfuscation is paramount to the successful introduction and installation of Trojans, as they typically attempt to convey a sense of benignity and/or usefulness to the user or environment they are being targeted toward, or via the application or mechanism being used for this purpose. Oftentimes this pseudo-benignity creates a false sense of security in the target and, ideally for the author, finds the target susceptible and willing to install the Trojan without knowing exactly or truly what it does.

Many factors influence the manner in which the payload will operate, to what degree and on what schedule, but ultimately the goal is to infiltrate, install and subsequently deliver the payload (again, as defined by the author) within the host environment. Trojans themselves fall into the category of malware which lacks the native capability to self-propagate (a la viruses) or replicate (a la worms), which requires them to leverage an alternate mechanism for distribution. As mentioned above, the path of least resistance is often the best, and depending on who and what is identified as the target of opportunity, the choice of distribution method may vary, with the net effect being the same. Popular means of distribution involve exploitation of vulnerable systems via direct targeting, randomized exploitation via malicious websites and domains (a la ‘drive-by infections’), peer-to-peer file sharing and/or the ever popular ‘sneaker net’ via compromised USB media.

As of late, it’s become more and more popular amongst malware authors in the underground to implement command and control mechanisms within Trojans, enabling greater degrees of administrative response in addition to creating an environment which responds bidirectionally to the botmaster in question. Clampi, Monkif, the Grups Trojan and the URLZone Trojan are great examples of this. It is important to note that the rate of change being observed is great and that the subsequent re-engineering of malware samples of this type is becoming more common. Changes such as these imply that the traditional use cases for such malware (though still applicable) are in fact also shifting. As a result, greater degrees of awareness are needed, beginning with solidly architected security programs and education / awareness campaigns, coupled with both technical and procedural controls.

In my next post we’ll discuss the rampant growth and resurgence of rootkits and backdoors as they pertain to APTs and Designer malware and what potential impact they are having today and may have in the future.

Comments

  1. Tweets that mention Advanced Persistent Threats & Designer Malware 102: Reinventing the Trojan : Cassandra Security -- Topsy.com on 10.07.2009

    [...] This post was mentioned on Twitter by AccessData. AccessData said: "Advanced Persistent Threats & Designer Malware…" http://bit.ly/2×0PwK [...]

  2. Will Gragido on 10.07.2009

    Thanks AccessData! ;)
