What Advanced Persistent Threats look like

While at that same Virus Bulletin conference that I was talking about earlier in my other two posts, I attended a session put on by some folks from MessageLabs that talked about the observations that they have made regarding Advanced Persistent Threats, or APTs.  What do they look like?  What are some of their characteristics?

I’m going to assume that my readers know the basics of what an APT is.  Given that, a typical piece of malware or spam is non-targeted.  It has no regard for the recipient (e.g., a rogue anti-virus that promises to clean your computer doesn’t care who you are, it just wants your computer).  It is sent to many, many recipients and is frequently kit-based; that is, do-it-yourself malware kits like Zeus allow a relative amateur to create their own malware.  Furthermore, the business model is pretty clear: infect the user and rent out the bot as part of a botnet, or steal the user’s credentials.

By contrast, an APT is targeted.  The messages that they arrive in are relevant to the end user.  For example, somebody might send me a message telling me to open an attachment to see the newest version of the Charlier pass (a sleight-of-hand maneuver in card magic).  APTs are also sent to a small number of users and the malware is customized for the recipient.  Finally, the business model is obscure: it is unclear how the attacker ever plans to monetize a successful infection.

How do we discover APTs?

Unfortunately, discovery is all done after the fact.  First of all, given a bunch of spam complaints, the obvious stuff or duplicate stuff is removed (such as a UPS phish).  Next, false positives and botnet prototypes are removed.  Finally, with the list whittled down, more detailed analysis is performed on this smaller sample size.

Victims generally follow a Pareto distribution, that is, a very small proportion of the population receives the majority of the phish attacks.  Let’s call it Occupy Threat Street.

However, similar to Chinese malware, there is frequent code reuse amongst malware delivered by APTs.  Many of them use the same vulnerability.

In terms of the targets, there frequently are relationships between people.  For example, Eric Schmidt and Al Gore might be targets of an APT back in the year 2009.  What do they have to do with each other?  One is the CEO of a very large technology company (Google… back in 2009) while the other is an environmentalist, vice-president of the United States and discoverer of man-bear-pig.  However, they both also sat on the board of Apple.  Thus, there are relationships between the people who are victims.

You and I are not targets: most of my readers don’t know me personally, and neither are we important enough to be the victim of an attack.  But high level executives often know other high level executives (either within the same company or across different corporations) and that is where the trail leads back to a common connection.

To wrap things up, traditional malware analysis focuses on similarity between samples – this is so that researchers can attempt to predict what is next.  By contrast, APT analysis focuses on similarity between recipients – this is to predict who is next.

Interesting stuff.
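
The triage and recipient-centric analysis described above, sketched as an added example (not code from the talk or from MessageLabs). The campaign records, addresses, affiliation map and the five-recipient cut-off are all constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample data: (campaign_id, recipient) pairs from reported messages.
MESSAGES = (
    [("ups-phish", f"user{i}@example.com") for i in range(200)]
    + [("doc-a", "ceo@corp-a.example"), ("doc-a", "cfo@corp-a.example"),
       ("doc-b", "ceo@corp-a.example"), ("doc-b", "chair@ngo-b.example"),
       ("doc-c", "ceo@corp-a.example")]
)
# Constructed affiliation map (e.g. board seats); an assumed data source.
AFFILIATIONS = {
    "ceo@corp-a.example": {"corp-a", "board-x"},
    "cfo@corp-a.example": {"corp-a"},
    "chair@ngo-b.example": {"ngo-b", "board-x"},
    "director@corp-c.example": {"corp-c", "board-x"},
}

def low_volume_campaigns(messages, max_recipients=5):
    """Drop bulk campaigns; keep those sent to only a few recipients."""
    by_campaign = defaultdict(set)
    for campaign, recipient in messages:
        by_campaign[campaign].add(recipient)
    return {c: r for c, r in by_campaign.items() if len(r) <= max_recipients}

def attacks_per_recipient(campaigns):
    """Count how many distinct low-volume campaigns reached each recipient."""
    return Counter(r for recipients in campaigns.values() for r in recipients)

def top_share(counts, fraction=0.2):
    """Share of all attacks received by the most-targeted fraction of recipients."""
    ranked = sorted(counts.values(), reverse=True)
    k = max(1, round(len(ranked) * fraction))
    return sum(ranked[:k]) / sum(ranked)

def likely_next(counts, affiliations):
    """Untargeted people who share a group with at least two current targets."""
    members = defaultdict(set)
    for person, groups in affiliations.items():
        for group in groups:
            members[group].add(person)
    targeted = set(counts)
    return {g: sorted(m - targeted) for g, m in members.items()
            if len(m & targeted) >= 2 and m - targeted}
```

The output of `likely_next` is a watch list: mailboxes worth extra filtering and monitoring because they sit in the same circle as people already being targeted.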