Advanced volatile threat: New name for old malware technique?

AVTs are not widespread -- yet -- because 'APTs are working just fine,' says Triumfant CEO. But they could one day start a cyberwar, he said

There is something worse than advanced persistent threats (APT) out there -- a stealthier attack vector called advanced volatile threats (AVT), says one security company.

But several other security experts said while any kind of successful attack technique is a concern, AVT is just a new name for an old problem.

APTs have been on the lips of everybody in the security community and beyond this week, following the release of Mandiant's 60-page report documenting the name and location of what they said has been one of the most active APT groups in China at least since 2006.

But security startup Triumfant said this week that a newer, stealthier and more damaging threat is being used by sophisticated nation states like China, Iran and Russia for cyberespionage. "The Chinese are just getting started," Triumfant president and CEO John Prisco said after the release of the Mandiant report.

"We have become familiar with the term Advanced Persistent Threat or APT," he said. "Get ready to know a new and more devastating attack -- the AVT or advanced volatile threat," he said.

"[AVTs are] the drive-by shooting equivalent of a persistent cyberattack," Prisco said. "It is an attack in volatile memory that wipes its 'fingerprints' before leaving and after it has stolen your intellectual property."

And they could be the start of something bigger. Prisco told CSO Online Thursday that while AVTs are primarily used for espionage, to steal classified information and intellectual property, they could lead to actual war. "AVTs are the equivalent of the military adding a stealth aircraft to the battlefield," he said. "The long-term result of AVTs and similarly devastating attacks is that we could eventually see some form of kinetic response from the U.S. government, especially with critical infrastructure attacks."

He said nobody knows how pervasive AVTs are yet, but estimated their use at around 10%, because so far, "hackers can easily infiltrate a system without having to use an AVT -- the APTs are working just fine."

But Wade Williamson, a senior security analyst at Palo Alto Networks, said what Triumfant calls AVT is just one of the many techniques malware uses to avoid analysis, as opposed to some new class of malware. "Papers have been presented for years showing malware that never has to call anything from disk or is never resident on disk," he said.

Kevin McAleavey, cofounder and chief architect of the KNOS Project, called AVT a redefinition of the well-known term, memory resident virus. "The first memory resident virus was known as Lehigh, which made the rounds in 1987," he said.

McAleavey agreed that malware that is not persistent is tricky to spot. "Traditional antivirus solutions depend on the presence of a file existing - that's what they detect and look for, attempting to intervene in the completion of that file being loaded into memory and run as a program," he said. "No file, no detection."

Williamson cautioned that the term AVT could be misleading. "It is obviously a play on the term APT, but the fact that it only lives in memory and never touches disk means that it is a very different type of threat," he said, noting that it can only steal information when the computer is running, and the exposure ends when the user shuts down the machine.

"This is almost the exact opposite of APTs which are designed to be low and slow and persist in a network for an extended period of time," he said. "For example, Mandiant saw most attacks lasting for 356 days -- these volatile attacks would be limited to part of one day in most cases."

Prisco said he has stressed that difference, arguing that it is one of the things that makes AVTs so dangerous and difficult to track or defeat. "An AVT comes in, exfiltrates the data it's looking for and then immediately wipes its 'hands' clean leaving no trace behind as the computer is shut down," he said.

And he said that while attacks that live in memory are not new, the industry is not very good at detecting them in the memory. "Everything about the AVT shouts out real time -- you have to be able to catch it in the act red-handed," he said. "If you don't, you've already lost."

Prisco said the only way to deal with AVTs is with anomaly-based detection tools that live on the individual computer, which his company offers.

"It's not a matter of if you'll be breached, but when," he said. "You have to have a tool that is able to engage in hand-to-hand combat with the hacker [or] malware. The only way to do this is to be on the same battlefield as the attacker -- the computer."

McAleavey said it has long been a best practice to have tools that scan memory, and not just the file system. He said an antimalware solution he was involved with creating in 1999 called BOClean, after an exploit called Back Orifice II, was designed to do that.

"All malware exists in memory, whether or not it starts from a file, and monitoring memory assured that we would always catch such malware no matter what its origin," he said. "So, there's nothing new here to me."
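The "no file, no detection" point above is easiest to see from the defender's side: code that runs only in memory still has to be mapped executable somewhere in a process, and on Linux the kernel lists every mapping in `/proc/<pid>/maps`. The following script is an added example written for this article, not code from Triumfant, KNOS or BOClean; it parses that format and flags executable regions that no clean file on disk backs (anonymous or writable-and-executable memory, `memfd:` regions, and files that were unlinked after loading). The sample maps lines are constructed, and the heuristics are an assumption about what a memory-aware scanner would look for, not a description of any product.

```python
import re
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of /proc/<pid>/maps output (not taken from the article).
# Columns: address range, perms, file offset, device, inode, pathname.
SAMPLE_MAPS = """\
55d0c3a00000-55d0c3a21000 r-xp 00000000 fd:01 1310722 /usr/bin/python3.11
7f2e1c000000-7f2e1c021000 rw-p 00000000 00:00 0
7f2e1c400000-7f2e1c480000 rwxp 00000000 00:00 0
7f2e1d000000-7f2e1d010000 r-xp 00000000 00:05 1234 /memfd:payload (deleted)
7f2e1e000000-7f2e1e010000 r-xp 00000000 fd:01 99 /tmp/stage2.so (deleted)
7ffd8a000000-7ffd8a021000 rw-p 00000000 00:00 0 [stack]
7ffd8a0c0000-7ffd8a0c2000 r-xp 00000000 00:00 0 [vdso]
"""

# One maps line: "start-end perms offset dev inode [pathname]".
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    path: str  # "" for anonymous memory


def parse_maps(text: str) -> List[Mapping]:
    """Parse /proc/<pid>/maps text into Mapping records, skipping malformed lines."""
    out: List[Mapping] = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            out.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                               m["perms"], m["path"].strip()))
    return out


def classify(m: Mapping) -> Optional[str]:
    """Return why a mapping is suspicious, or None if it looks like ordinary file-backed code/data.

    Heuristics (assumed for this example): only executable regions matter, and
    those are suspect when they are writable, anonymous, memfd-backed, or backed
    by a file that has been unlinked. Bracketed kernel pseudo-mappings are exempt.
    """
    if "x" not in m.perms:
        return None  # data only: not where executing code lives
    if "w" in m.perms:
        return "writable and executable (injected or self-modifying code)"
    if m.path.startswith("["):
        return None  # e.g. [vdso], provided by the kernel
    if m.path == "":
        return "executable memory backed by no file"
    if m.path.startswith("/memfd:"):
        return "executable memfd region (never written to disk)"
    if m.path.endswith("(deleted)"):
        return "executable file unlinked from disk"
    return None


def find_fileless_code(maps_text: str) -> List[Tuple[Mapping, str]]:
    """Run classify() over every mapping and keep the flagged ones, in file order."""
    findings = []
    for m in parse_maps(maps_text):
        reason = classify(m)
        if reason:
            findings.append((m, reason))
    return findings


def scan_pid(pid: str) -> List[Tuple[Mapping, str]]:
    """Scan a live process; requires Linux procfs and permission to read its maps."""
    with open(f"/proc/{pid}/maps") as f:
        return find_fileless_code(f.read())


if __name__ == "__main__":
    # With a pid argument, inspect that process; otherwise use the constructed sample.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_pid(target) if target else find_fileless_code(SAMPLE_MAPS)
    for m, reason in results:
        print(f"{m.start:016x}-{m.end:016x} {m.perms} {m.path or '<anonymous>'}: {reason}")
```

On the sample, the file-backed interpreter text, the plain heap, the stack and `[vdso]` pass, while the rwx anonymous region, the `memfd:` region and the unlinked shared object are reported. A hash-based file scanner sees none of the three, because there is nothing (or nothing intact) on disk to hash, which is exactly the gap the memory-scanning approach described above is meant to close.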

Copyright © 2013 IDG Communications, Inc.