APT attackers getting more evasive, even more persistent

Fear of discovery fuels sneakier tactics by writers of persistent malware

Stealth has always been a hallmark of Advanced Persistent Threats (APTs), but writers of the malignant malware are ratcheting up their efforts to evade detection by system defenders.

Not only have they honed their skills at simulating legitimate documents likely to be opened by the targets they're sent to, but they're also sharpening their delivery techniques to avoid detection.

"The new breed of APT attacks are not monolithic, rather they are blended, relying on numerous infiltration techniques," said FireEye in its Advanced Threat Report for the second half of 2012. The report was released this week.

[See also: In depth: What does APT really mean?]

It cited one APT attack that incorporated well-known documents and white papers into its phishing campaign to infect a target. "The attackers took these normally safe documents and weaponized them," the report said. "These documents were weaponized with a variation of three PDF exploits and two Word exploits."

Two new evasion techniques identified in the report involve recognizing mouse clicks and virtual machines.

With the mouse technique, the malware would not perform an operation unless a computer's mouse was in use. It did that to fool an organization's cyber defenses, according to Rob Rachwald, director of research and communications at Milipitas, Calif.-based FireEye.

"It made it look to detection systems like it was software run by a human," he said in an interview. "We've seen some of this in the past, but we've seen more emphasis on this today."

The tactic may be a reaction to companies "sandboxing" applications to catch bad apps before they can damage a system. "It's an effort to bypass traditional, less-sophisticated sandbox technology," Rachwald said.

The virtual machine ploy is a simple one. The malware won't run if it detects that it has landed on a virtual machine. That tactic addresses a growing trend among defenders to use virtual machines to run sketchy apps to determine whether or not they're malware.

"The problem is some of them aren't doing it in a very sophisticated way," Rachwald noted. That allows infected programs to pass the virtual machine test and continue on their infectious path.

APT mongers are becoming more savvy at countering defensive measures mounted against them, according to Ken Silva, senior vice president of cyber strategy at ManTech International in Fairfax, Va.

"The more common that the defensive tools become, the craftier [malware writers] are about how they get around those tools, how they detect them and how they hide from them," he said in an interview.

Once net marauders breach a system, they're also being more careful about getting detected. "They're not leaving traces on a hard disk," Silva noted. "They're just loading into memory and staying in memory."

That can be precarious because if a machine is rebooted, the malware will disappear. However, Silva explained, "In a large enterprise, you can often find a server that's on 24 hours a day."

Jon Clay, a senior manager at Trend Micro in Cupertino, Calif., agreed that data bandits are getting more adept at covering their tracks after compromising a system. "The bad guys have added a maintenance phase to allow them to remain persistent a lot longer," he said.

"A lot of that involves cleaning up after they're done with a system," he continued. "As they move from one system to another, they're going to wipe their tracks from a previous machine.

"That's happening on a regular basis," he added.

On the plus side for defenders, awareness of APTs has risen over the last year due to some high-profile incidents -- notably the attacks on major U.S. media outlets -- and comments by high-ranking government officials, including President Barack Obama.

"A year ago, these things were happening and they weren't talked about very much," George Tubin, a senior security strategist with Trusteer in Boston, said in an interview. "Enterprises found compromised computers and would keep quiet about it.

"We still see a lot of that today," he continued, "but more and more institutions are becoming more public when they do discover APTs."

Join the discussion
Be the first to comment on this article. Our Commenting Policies