Joe Stewart, director of malware research at Dell Secureworks, spends his days looking at APTs in an effort to help classify them and to figure out where they might be coming from. APTs are unique forms of malware that are typically targeted at a specific organization.
"One of the big problems is classification, you've got malware that may or may not be detected by antivirus, but even when it is, the a/v may just say it's 'xyz', without telling you anything useful," Stewart told InternetNews.com.
He noted that it is useful to know whether the malware has been seen before, whether it was involved in a particular attack and whether it has been used by a particular group. Stewart said he gets 30,000 pieces of malware in an average day that he tries to classify.

Stewart explains that he uses a Linux environment while all the malware is Windows executables. As such, he noted that there is very little chance for contamination. In his research, Stewart has found that there are lots of different APT families, but they all tend to share some common characteristics.
"It's usually a simple command set that includes, list a directory, read a file, upload a file and run a shell command," Stewart said.
As part of his ongoing research, Stewart was able to correlate APTs from the recent RSA attack to four different malware families that he has classified as being APT related. Those APTs were then further correlated to a number of ISPs operating in China. The APTs were all using the HTran bouncer code which serves to proxy traffic to the APT hub or source.
"We've noticed that there is a cluster of activity almost a hub for malware, so there is likely an actor group that is using that infrastructure," Stewart said.
In an effort to help other organizations, Stewart has released a Snort IDS signature to help enterprises detect and block some of that APT activity. Stewart said that if an APT threat is detected, cleanup isn't quite the same as for regular malware.
"Get someone who knows what they're doing because it's hard to eradicate," Stewart said.
Convincing an enterprise security group that the malware threat they face is more than just a typical botnet type of infection is also no easy task. There are lots of IT people in different industries that don't consider themselves to be a target for an APT.
"You have to educate and convey the urgency," Stewart said.
With the RSA type threat, simply scanning for the HTran redirector is not enough to actually detect if an organization has been infected by an APT.
"If the scan comes up negative, that is not a clean bill of health," Stewart said. "You have to ask yourself if you have something of value that someone wants to go after and there are a lot of people that don't realize the value that they have."
Cisco and Sourcefire are among the groups that have reported an uptick in APT activity this year. In Stewart's view, the rise in APTs could just be due to the fact that security researchers are now discovering more APTs, as opposed to attackers generating more APTs. Stewart added that keeping information private about APT attacks doesn't help the IT community.
"I think we're getting better at sharing intelligence and sharing information about the indicators," Stewart said. "In the past, people were very fearful about disclosing that there even was an attack."