When is the next MANDIANT webinar?
The State of the Hack: It's the End of the Year As We Know It will be on Thursday, December 10 at 2:00 p.m. Eastern time.
How can I get a copy of Memoryze or other free MANDIANT tools?
All of our free tools, including Memoryze, are available for download here.
Does VirusTotal publish hash lists?
While VirusTotal currently supports searching by hash, it does not publish hash lists of known malware publicly.
Over 1 million malware submissions per month; that’s a lot of coding! How many people do you think are developing malware? Or is malware generation so automated that only a few individuals are “in the game”?
I can’t speak to how many people are writing tools for the APT, but the code does not seem to be auto-generated. There appear to be at least several different groups of attackers, all under the APT umbrella, but we don’t know the number of people in each group.
When looking at mass malware, the picture is a bit different. A large portion of the new pieces of malware seen every month belong to a few large families. Those pieces are often generated by automatic means from a core set of features particular to the family. The objective of all these mutations is to make their detection and handling harder.
How effective have you found “fuzzy hashing” of the .text, .data, etc. sections of PE file to be in defeating polymorphism of mass malware and aiding in on-disk detection?
Like most of the techniques used by detection engines, “fuzzy hashing” and others will work in a fair amount of cases, but start to fail for a subset of them. It’s the combination of techniques that offers the best results trying to catch as much malware as possible.
How did you know about the non-detect percentage of malware?
We found it in the client's environment, and we verified that their A/V solution had not detected it. And that wasn’t because their A/V solution was sub-par; oftentimes, no A/V product alerts on APT malware.
Does MANDIANT submit APT malware to the antivirus vendors?
Frequently, we do not. There are several reasons for this. One: often our clients request that we keep their incident confidential. Two: submitting the malware to public databases would alert the enemy that their tools have been detected – and frequently, the network defenders don’t want to do that.
Do the APT attackers keep trying to penetrate an environment using spear phishing, even after they’ve achieved persistence in the target environment?
No, if the APT already have access to their target’s environment, they have no reason to keep trying to penetrate the network – they’re already in. If they lose access, though, we’ve seen them quickly use spear phishing to regain access.
What kind of information is the APT after? What’s valuable to them?
The APT is after any intellectual property that is of interest to their target. They also monitor certain company communications for additional information. Unfortunately, we can’t say exactly what we’ve seen the APT go after without giving away details about our clients and specific intrusions. Suffice it to say, if you were an attacker picking on a Fortune 50 company, what information would you want? That’s probably along the lines of what the APT wants.
Malware expects outbound 80/443 to be allowed. What if corporate web traffic traverses a proxy server, would this defeat most malware sending traffic over 80/443?
A portion of APT samples are proxy aware. I don’t have the exact statistics but it may be interesting to generate for the future.
Another interesting thing is this: the APT adapts to the defenders’ environment. We have seen targets implement defenses, only to have the APT escalate over them. For example, a client of ours was compromised with malware that beaconed directly out using HTTP. So, they implemented proxy servers and forced all their traffic through them. So the APT delivered an improved version of their malware that used the Internet Explorer proxy settings (which put them back in business). Then the client implemented proxy user authentication. And the APT delivered another version that stole the authentication settings from IE. And so on. It really happens – they version their code just like good software engineers do.
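The proxy escalation story above cuts both ways: once the malware learns the Internet Explorer proxy settings and the user's proxy credentials, every beacon it sends is recorded in the proxy log under a legitimate-looking user, so what stands out is timing rather than identity. As an added example (not Mandiant's code or anything from the webinar), the Python below parses constructed proxy log lines in an assumed "timestamp client method url status bytes" layout and flags client/host pairs whose request intervals are too regular for a person. The hostnames, the log layout and the thresholds (six requests, 20% jitter) are assumptions for illustration.

```python
"""Added example (not Mandiant code): flag client/host pairs whose request
timing in proxy logs is too regular to be a person browsing."""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample in an assumed "timestamp client method url status bytes"
# layout, not any real proxy's format. 10.0.0.5 polls one host every ~5 minutes
# with slight jitter; 10.0.0.7 browses at human-irregular intervals; one line
# is deliberately malformed to show that it is skipped rather than crashing.
SAMPLE_LOG = """\
2009-12-01T09:00:00 10.0.0.5 GET http://update-check.invalid/ping 200 312
2009-12-01T09:00:10 10.0.0.7 GET http://www.example.com/news 200 18231
2009-12-01T09:00:15 10.0.0.7 GET http://www.example.com/news/2 200 9020
2009-12-01T09:02:15 10.0.0.7 GET http://www.example.com/sports 200 22110
2009-12-01T09:02:18 10.0.0.7 GET http://www.example.com/sports/scores 200 4110
2009-12-01T09:05:00 10.0.0.5 GET http://update-check.invalid/ping 200 312
2009-12-01T09:09:58 10.0.0.5 GET http://update-check.invalid/ping 200 312
2009-12-01T09:15:00 10.0.0.5 GET http://update-check.invalid/ping 200 312
this line is not a log record and must be skipped
2009-12-01T09:17:18 10.0.0.7 GET http://www.example.com/ 200 15002
2009-12-01T09:17:58 10.0.0.7 GET http://www.example.com/weather 200 7700
2009-12-01T09:18:05 10.0.0.7 GET http://www.example.com/weather/map 200 61000
2009-12-01T09:20:01 10.0.0.5 GET http://update-check.invalid/ping 200 312
2009-12-01T09:23:05 10.0.0.7 GET http://www.example.com/news 200 18301
2009-12-01T09:25:00 10.0.0.5 GET http://update-check.invalid/ping 200 312
2009-12-01T09:30:00 10.0.0.5 GET http://update-check.invalid/ping 200 312
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
                     r"(?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$")


def parse_proxy_log(text):
    """Return (timestamp, client, host) tuples, skipping lines that do not parse."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ts = datetime.fromisoformat(m["ts"])
        except ValueError:
            continue
        host = urlparse(m["url"]).hostname or m["url"]
        events.append((ts, m["client"], host))
    return events


def find_beacons(events, min_requests=6, max_jitter=0.2):
    """Group requests by (client, host) and report pairs whose inter-request
    gaps have a coefficient of variation (stdev / mean) at or below max_jitter.
    A person browsing produces bursts and long pauses; a timer does not."""
    by_pair = defaultdict(list)
    for ts, client, host in events:
        by_pair[(client, host)].append(ts)
    findings = []
    for (client, host), times in sorted(by_pair.items()):
        if len(times) < min_requests:
            continue  # too few samples to say anything about periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            findings.append({"client": client, "host": host, "requests": len(times),
                             "mean_interval_s": mean, "jitter": jitter})
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_proxy_log(SAMPLE_LOG)):
        print(f"{hit['client']} -> {hit['host']}: {hit['requests']} requests, "
              f"every {hit['mean_interval_s']:.0f}s (jitter {hit['jitter']:.3f})")
```

On the constructed input only the 10.0.0.5 pair is reported (seven requests about 300 seconds apart); the human browsing pattern has a jitter well above the threshold and the malformed line is dropped. In a real proxy log the same statistic fires on legitimate pollers (software updaters, mail clients), so the usual practice is to keep an allow-list of known periodic hosts and to combine this signal with others; a family that randomises its sleep interval will not trip it on its own, which is the same point the answer above makes about detection techniques in general.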
Have you seen any APT use secure deletion methods?
Yes.
Less stealth? Are the attackers hooking into other processes and hiding so it would still appear by using tools like Rootkit Unhooker or Memoryze? More specifically, hiding their files and registry entries through kernel hooks.
APT backdoors don’t hook the system calls, because it’s too obvious and easy to spot. A hook is an anomalous behavior and can be easily identified. The APT can be found in memory using tools like Memoryze or Intelligent Response, but hook detection alone will not help you pinpoint the APT. It’s one of several techniques they use in combination.
What controls were missing that could have prevented the Fortune 50 example incident (i.e. application whitelisting, DEP, URL whitelisting, BHO whitelisting, etc.?)
(Michael J. Graven here; I was reading out the questions.) Whitelisting is an interesting idea that could help fight APT compromises, but it comes at a cost that can be difficult to swallow.
When you decide to whitelist – either in a web proxy or program execution context – you are working from the assumption that you can define exactly all the things (websites, programs) that you need to conduct business: no more, and no less.
In some cases, this works out. For example, suppose you had cash registers and were worried about credit card theft. You know all the software that is supposed to run on your cash registers; you know the filenames, versions… everything. But do you know that about your end-user workstations?
We see a lot of environments where the end users still have administrative privileges on their workstations. If you have taken that away from your general user population, congratulations! But, can you account for each and every process that any user in your company could ever need to run? That’s a pretty tall order.
Further, the APT tends to use vulnerabilities in widely-used products, ones that you’d probably trust. This year has seen a lot of patches for Adobe Reader. In order to be safe from the pre-0day use of those vulnerabilities, you’d have to blacklist Reader. I guess you could spec an alternate PDF reader, and an alternate office suite, and not use Outlook for your email, etcetera. But I’ve worked in environments like that, and it can get pretty tedious to use software that’s different from all your business partners.
Data Execution Prevention (DEP) and Browser Helper Object (BHO) whitelisting I’m not as familiar with. Microsoft provides some basic blacklisting with ActiveX killbits, which helps some. And there are folks who are advocating heavy use of DEP on common targets of 0day attacks. I hope that’ll help; it’d be great to get some metrics from an organization that’s done DEP on a large scale.
Popping back up a level to the original question: What controls were missing? Unfortunately, the best control would be a nontechnical one: controlling the user population so they don’t get tricked into opening these rigged spear phishes.
But that’s almost impossible. You do the best you can, raising awareness, interdicting the obvious, but at the end of the day, you pretty much have to accept that compromise will happen. When it does, reacting quickly and comprehensively is the key to limiting the damage. Check out our webinars on incident response for more of our thoughts on that (and stay tuned; we’ll have more of them).
Is there a common effort by OS vendors to enable OS features that can help? Like restricting software signed by known publishers?
I am not aware of a common effort by OS vendors. Digital signing of binaries is becoming more commonplace, and that can help identify quickly processes that are “untrusted.” However, it would not prevent infection or execution.
When we’re looking at the filesystem of a potentially compromised machine, listing the binaries that are purportedly normal system binaries but which lack a vendor digital signature can be a quick way to assess outliers. As we said, the APT tries to look as “normal” as possible – but that doesn’t extend to hash collisions and stolen RSA credentials. We use PE header analysis, too, to check things like these signatures – you could try our Red Curtain freeware or the Intelligent Response agent to get an idea of the features we find useful.
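Two of the answers above rest on reading PE headers: the fuzzy-hashing question asks about hashing the .text and .data sections of a file to survive small changes, and the last answer describes listing system binaries that carry no vendor signature. The Python below is an added example that is not Mandiant's, Red Curtain's, Intelligent Response's or ssdeep's code. It parses the section table and the Security data directory of a PE file, checks only whether an Authenticode signature is present (not whether it verifies), and compares sections with a simplified context-triggered piecewise hash: chunk boundaries are chosen by a rolling sum over the data, so a patched byte or a short insertion changes only the chunks around it. The PE images, the "version 2" edits, the placeholder certificate blob and the chunking parameters are all constructed assumptions so the script runs offline.

```python
"""Added example (not Mandiant, Red Curtain or ssdeep code): read PE section
tables, detect whether an Authenticode signature is embedded, and compare
sections with a simplified context-triggered piecewise (fuzzy) hash."""
import hashlib
import random
import struct

FILE_ALIGN = 512  # assumed file alignment for the constructed images

def build_pe(sections, cert_blob=b""):
    """Construct a minimal PE32 image as test data (not a runnable program).
    A non-empty cert_blob (placeholder bytes, not a real WIN_CERTIFICATE) is
    referenced from the Security data directory like a real signature would be."""
    n = len(sections)
    hdr_len = 64 + 4 + 20 + 224 + 40 * n  # DOS, "PE\0\0", COFF, optional header, section headers
    pos = -(-hdr_len // FILE_ALIGN) * FILE_ALIGN
    offsets = []
    for raw in sections.values():  # section raw data on alignment boundaries
        offsets.append(pos)
        pos += -(-len(raw) // FILE_ALIGN) * FILE_ALIGN
    dirs = [(0, 0)] * 16
    dirs[4] = (pos if cert_blob else 0, len(cert_blob))  # IMAGE_DIRECTORY_ENTRY_SECURITY
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94 + b"".join(struct.pack("<II", *d) for d in dirs)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", name.encode(), len(raw), 0x1000 * (i + 1),
                                len(raw), offsets[i], 0, 0, 0, 0, 0x60000020)
                    for i, (name, raw) in enumerate(sections.items()))
    image = bytearray(pos)
    image[:hdr_len] = dos + coff + opt + hdrs
    for off, raw in zip(offsets, sections.values()):
        image[off:off + len(raw)] = raw
    return bytes(image) + cert_blob

def parse_pe(data):
    """Return {"signed": bool, "sections": {name: raw bytes}} from the PE headers."""
    pe = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" else -1
    if pe < 0 or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = pe + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories sit at +96 (PE32) or +112 (PE32+); entry 4 (Security) is
    # non-empty only when a signature is embedded. Empty means unsigned, and a
    # non-empty entry says nothing about whether the signature verifies.
    dir_off = opt + (96 if magic == 0x10B else 112)
    _cert_off, cert_size = struct.unpack_from("<II", data, dir_off + 4 * 8)
    sections = {}
    for i in range(n_sections):
        name, _vs, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections[name.rstrip(b"\0").decode("ascii", "replace")] = data[raw_ptr:raw_ptr + raw_size]
    return {"signed": cert_size > 0, "sections": sections}

def piecewise_hashes(data, window=8, mask=0x0F, min_len=8, max_len=64):
    """Cut chunks where a rolling sum over the last `window` bytes hits the
    trigger, so an insertion disturbs only nearby chunks rather than every
    fixed-size block; return the set of truncated SHA-256 chunk digests."""
    hashes, start, rolling = set(), 0, 0
    for i, b in enumerate(data):
        rolling += b
        if i >= window:
            rolling -= data[i - window]
        cur_len = i - start + 1
        if cur_len >= min_len and ((rolling & mask) == 0 or cur_len >= max_len):
            hashes.add(hashlib.sha256(data[start:i + 1]).hexdigest()[:16])
            start = i + 1
    if start < len(data):
        hashes.add(hashlib.sha256(data[start:]).hexdigest()[:16])
    return hashes

def similarity(a, b):
    """Jaccard index of two chunk-digest sets (1.0 = identical content)."""
    return 1.0 if not (a or b) else len(a & b) / len(a | b)

def compare_sections(pe_a, pe_b):
    """Per-section similarity between two PE images, keyed by section name."""
    sa, sb = parse_pe(pe_a)["sections"], parse_pe(pe_b)["sections"]
    return {n: similarity(piecewise_hashes(sa[n]), piecewise_hashes(sb[n])) for n in sa.keys() & sb.keys()}

def find_unsigned(files):
    """Names of files with no embedded signature (presence check only)."""
    return [name for name, data in files.items() if not parse_pe(data)["signed"]]

# Constructed samples: v2 is v1 with one patched byte and three inserted bytes in
# .text, identical .data, and a placeholder "signature"; other.exe is unrelated.
_rng = random.Random(2009)
TEXT_V1 = bytes(_rng.getrandbits(8) for _ in range(2048))
DATA_V1 = bytes(_rng.getrandbits(8) for _ in range(256))
TEXT_V2 = TEXT_V1[:50] + b"\x90" + TEXT_V1[51:300] + b"\xcc\xcc\xcc" + TEXT_V1[300:]
SAMPLES = {
    "tool_v1.exe": build_pe({".text": TEXT_V1, ".data": DATA_V1}),
    "tool_v2.exe": build_pe({".text": TEXT_V2, ".data": DATA_V1}, cert_blob=b"PLACEHOLDER-CERT-BLOB"),
    "other.exe": build_pe({".text": bytes(_rng.getrandbits(8) for _ in range(2048)), ".data": DATA_V1[::-1]}),
}

if __name__ == "__main__":
    print("unsigned:", find_unsigned(SAMPLES))
    for name in ("tool_v2.exe", "other.exe"):
        print(name, compare_sections(SAMPLES["tool_v1.exe"], SAMPLES[name]))
```

Run as a script it lists tool_v1.exe and other.exe as unsigned, reports .data as identical and .text as highly similar between the two versions, and shows near-zero similarity against the unrelated file; a plain SHA-256 of .text would have called the two versions simply "different". The chunk set ignores chunk order and count, which is what lets a re-versioned tool still match its predecessor, and it is also why a real deployment combines this with the other checks the answers mention (signature presence, header oddities) rather than relying on any one of them.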