Fresh Prints of Mal-Ware: Choose Your Own Adventure!
Written by Christopher Glyer
Kyle Dempsey and I have been busy putting together content for the upcoming Fresh Prints webinar, “Choose Your Own Adventure,” being held this Thursday, April 15th at 2PM EDT. If you thought of the Choose Your Own Adventure® book series when you saw the title, you understand where we’re going with this.
This webinar’s content was developed based on feedback we received from registrants, specifically:
- How does MANDIANT “Find Evil”
- Malware internals
After gathering responses, what we found was that people know the basics about the APT – and what they are most interested in knowing is how our consultants go out in the field and actually find the attackers.
I have seen some presentations pop up that speak at a high level on this threat, but they always stop short of showing you how the attackers compromise an organization’s network or how an investigation was conducted. Kyle and I wanted to create a webinar that shows how we actually conduct an investigation (tools used, screenshots of results, etc.) using real client data (used with their permission).
The webinar details what we would do with traditional drive-based forensics to find malware and contrasts it with real examples of an approach that scales to an enterprise environment with tens of thousands of hosts (without using an army of investigators and imaging every system under the sun).
I hope you can join us Thursday for the webinar. As always, there will be plenty of time at the end of the presentation for Q&A.
Tags: Advanced Persistent Threat, Fresh Prints of Mal-Ware, malware analysis, webinar
Blackhat Europe, State Of Malware: Family Ties
Written by Peter Silberman
Ero and I will be in Barcelona presenting at Blackhat Europe 2010. Our talk is called State of Malware: Family Ties. This talk focuses on malware families. We thought about interesting research we could do in the same vein as our last talk, State of Malware: Explosion of the Axis of Evil. We decided to look at malware families.
There’s a lot to gather from malware families, from a mass malware perspective looking at Conficker, Bagle, Waledac, Storm Worm, Rustock, etc. Equally important is examining APT families. MANDIANT tracks over 20 different families. Each family means something different to us. When we see one family at a client site, we might immediately pull Indicators of Compromise (IOC) for other APT families that are closely related. If we find another group, we might quickly start figuring out what was exfiltrated because we know that group and its actors are solely there to move information out. A lot can be extracted from the families we track, and that is why clustering malware into families from a targeted perspective is so important.
Ero and I wonder about a few things:
- Do mass malware families share enough common attributes across families? For example, does Conficker share code with Waledac? If so, is it enough that we could consider them members of a sub-family, and maybe even prove they were written by the same author(s) or group of authors?
- Do mass malware families share code with APT samples? For example, this could mean that we find samples of SubSeven that match some of our APT backdoors (again, just an example).
These two questions alone are very interesting because the results could indicate some author of a mass malware sample is also authoring malware for targeted attacks.
But we didn’t stop there. We also wondered:
- Do rootkits from rootkit.com have very high similarities to rootkits found by MANDIANT and out in the wild?
- Do APT samples of family A share enough in common to be also classified as part of family B? We can draw a lot of interesting conclusions if this is the case.
These are all interesting questions, but we had a lot of disappointments when doing the research, and some aha moments where we thought about theories and realized why some wouldn’t be true. We also had some finds that surprised us, specifically regarding APT. We’ll be sharing the results on April 14th at 4:45. It should be fun. Our talk has a lot of diagrams, a lot of IDA screenshots, and a great video that Ero made.
If you can’t make it to Barcelona, we will be posting our slides and a follow-up blog post. Stay tuned! I also have recently updated the slides for Advanced Memory Forensics in Incident Response for Black Hat USA to include an APT case study and a ton of additional information on observing the behavior of malware in memory.
Tags: Advanced Persistent Threat, APT, blackhat, MANDIANT
State of the Hack Webinar – Thursday March 11th
Written by Christopher Glyer
Michael J. Graven and I will be presenting MANDIANT’s State of the Hack webinar titled “Silent But Deadly” this Thursday, March 11th at 2PM EST.
I’ve had the opportunity to lead a number of MANDIANT’s APT investigations recently, and I am looking forward to sharing some of my experiences with our audience. One common thread in many of the investigations I have worked is that the APT will use simpler malware, methods, and techniques – until they no longer work and the attackers are forced to break out something a little more advanced from their arsenal.
The attackers will use more sophisticated methods as needed, and can get incredibly advanced and inventive and just “disappear” from the radar of responders if they really have to. There has been a lot of chatter on the Internet lately about recent attacks and how the malware and the Command and Control channels aren’t very sophisticated. But why use sophisticated techniques if you don’t have to?
Think about it – if you are a car thief and the car you are going to steal is not locked and has the key in the ignition – why pick the lock and hotwire the car? It doesn’t mean that the thief can’t pick the lock; it just means they don’t need to. That same thief may be capable of breaking into a car that has a locked door, a car alarm, the Club, and LoJack – and still get away with it if they are advanced enough and really want the car badly enough (think “Gone in 60 Seconds”). We have seen everything from the very simple – placing malware in a user’s start-up folder (yes, I actually saw this on one of my engagements) – to the pretty advanced – malware that dropped an NDIS driver capable of monitoring and modifying network traffic at the kernel level, implementing its own TCP/IP stack in the kernel, and providing remote access to a machine that would bypass host-based firewalls, IPS, etc.
During the webinar we will talk about the techniques the attackers use and will go into more depth on a few of the case studies in our recently released M-Trends report.
Oh, and you may be asking yourself what the link is between the name of the webinar, “Silent But Deadly,” and what we will be discussing. We have seen evidence of the APT active and undetected in many victim networks for very long periods of time – up to years in some cases. Hence the “silent.” And while the result of these prolonged intrusions may not be deadly, it can often be costly, which is very bad for business.
We hope to see you on Thursday!
Tags: Advanced Persistent Threat, Case Study, M-Trends, State of the Hack, webinar
M-Trends: Advanced Persistent Threat Malware
Written by Wendi Rafferty
There are a lot of reports in the news about the types of malware being utilized by the Advanced Persistent Threat (APT) attackers. Our upcoming release of M-Trends will go into great detail about the types of malware, its capabilities, and how the attackers leverage a variety of malware throughout a breadth of victim organizations to accomplish very specific goals. Over the next week, the MANDIANT blog will feature excerpts from our upcoming M-Trends report that illustrate just how difficult it is to identify APT techniques.
The most significant commonality of APT malware is that it hides in plain sight. It avoids detection by using common network ports, process injection and Windows service persistence. Every piece of APT malware cataloged by MANDIANT initiated only outbound network connections. No sample listened for inbound connections. So, unless an enterprise network is specifically monitoring outbound network traffic for APT-related anomalies, it will not identify the APT malware’s outbound beaconing attempts.
A few of the most notable stats about APT malware are listed below:
APT Malware:
- Average File Size: 121.85 KB
Most Common APT Filenames:
- svchost.exe (most common)
- iexplore.exe
- iprinp.dll
- wiinzf32.dll
APT Malware avoids anomaly detection through:
- Outbound HTTP connections
- Process injection
- Service persistence
APT Malware Communication:
- 100% of APT backdoors made only outbound connections
- 83% used TCP port 80 or 443
- 17% used another port
Because APT malware is so difficult to detect, simple malware signatures such as MD5 hashes, filenames, and traditional anti-virus methods usually yield a low rate of true positives. M-Trends will provide detailed information about how exactly organizations can posture themselves for success when fighting attackers with such specialized and sophisticated capabilities.
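Since the stats above say every cataloged backdoor only beaconed outbound, mostly over 80/443, the practical monitoring hook is the regularity of those connections rather than the port or the filename. The following is an added example (not MANDIANT’s tooling or code from the original post) that runs a beacon-interval check over a few constructed outbound proxy log lines; the log format, host name and addresses are assumed.

```python
"""Beacon-regularity check over constructed outbound proxy log lines."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines (not from the page): timestamp, source host,
# destination address, destination port. One destination is hit every ~5 min.
SAMPLE_LOG = """\
2010-03-01T09:00:00 WS-0142 203.0.113.7 443
2010-03-01T09:00:11 WS-0142 198.51.100.20 80
2010-03-01T09:05:00 WS-0142 203.0.113.7 443
2010-03-01T09:07:43 WS-0142 198.51.100.20 80
2010-03-01T09:10:00 WS-0142 203.0.113.7 443
2010-03-01T09:15:01 WS-0142 203.0.113.7 443
2010-03-01T09:19:27 WS-0142 198.51.100.20 80
2010-03-01T09:20:00 WS-0142 203.0.113.7 443
2010-03-01T09:25:00 WS-0142 203.0.113.7 443
2010-03-01T09:31:12 WS-0142 198.51.100.20 80
"""

def parse_log(text):
    """Return {(src, dst, port): [timestamps]} from whitespace-separated lines."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return flows

def beacon_candidates(flows, min_hits=5, max_cv=0.1):
    """Flag flows whose inter-connection gaps are nearly constant.

    cv = stdev / mean of the gaps. Interactive browsing produces a high cv;
    a timer-driven beacon produces a low one. Returns {flow: mean_gap_seconds}.
    """
    found = {}
    for key, stamps in flows.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            found[key] = avg
    return found

if __name__ == "__main__":
    for flow, gap in beacon_candidates(parse_log(SAMPLE_LOG)).items():
        print("possible beacon: %s -> %s:%d every %.0fs" % (flow + (gap,)))
```

Tune min_hits and max_cv to the observation window; a beacon with randomized jitter raises the cv, so a looser threshold over a longer window is needed to catch it.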
If you’d like to register for a copy of “M-Trends,” drop us a note at info(at)mandiant(dot)com; otherwise, keep your eyes peeled to our blog and http://www.mandiant.com for the official release of “M-Trends.”
Special Thanks to Peter Silberman, the MANDIANT malware analysis team, and product engineers for their work in developing this information.
Tags: Advanced Persistent Threat, APT, M-Trends, malware analysis
M-Trends: The Advance of the Persistent Threat
Written by Wendi Rafferty
The Advanced Persistent Threat (APT) is an advanced persistent reality! It’s all over the news. Everyone seems to be either talking about it or affected by it. MANDIANT defines the APT as a group of sophisticated, persistent, and coordinated attackers that have been systematically compromising U.S. government and commercial computer networks for years. The vast majority of APT activity observed by MANDIANT has been linked to China.
MANDIANT has over seven years’ experience conducting Advanced Persistent Threat (APT) intrusion investigations for the U.S. government, the defense industrial base and commercial organizations. During that time, we’ve learned many things, and we want to share our lessons learned with the security community. A team of our APT experts has been working diligently on a report that we call “M-Trends.” M-Trends focuses on what the APT attackers do and how they do it.
Some highlights from “M-Trends” include:
- The APT isn’t just a government problem; it isn’t just a defense contractor problem; and it isn’t just a military problem. The APT is everyone’s problem.
- No target is too small, or too obscure, or too well-defended. No organization is too large, too well-known, or too vulnerable. It’s not spy-versus-spy espionage. It’s spy-versus-everyone.
- Classic “prevent and detect” techniques do not effectively counter the APT. The attackers can easily defeat normal defenses. They successfully evade anti-virus software, network intrusion detection and under-equipped incident responders. They use sophisticated techniques to conceal their presence: hiding malware on their target’s own hosts and exfiltrating data in the target’s own network traffic. A staggering 100% of APT malware identified by MANDIANT made ONLY outbound connections from victim networks, 83% of which used TCP port 80 or 443.
- The APT’s goals are twofold:
- to steal information to achieve economic, political and strategic advantage.
- to establish and maintain an occupying force in their target’s environment, a force they can call on at any time. When the APT wants additional data from a target, they don’t need to re-establish a presence. They simply call on their existing assets, locate, steal and exfiltrate the data they need.
We will introduce “M-Trends” at a launch party during the 2010 DoD Cyber Crime conference in St. Louis, MO. The report authors will be there to answer your questions and share their knowledge. If you’ll be in St. Louis, stop by and see us on Wednesday, January 27 from 6-9 in the Crystal Ballroom at the Renaissance Grand.
Register for a copy of “M-Trends” and keep your eyes peeled to our blog and http://www.mandiant.com for the official release of “M-Trends.”
Tags: Advanced Persistent Threat, APT, M-Trends
MANDIANT in Miami at the SCADA Security Scientific Symposium
Written by Kris Harms
On January 20th, I’ll be keynoting the SCADA Security Scientific Symposium (S4). I’m lucky enough to escape the cold DC weather. Unfortunately, Miami is also getting some of the coldest weather in its history, but it will be a great conference anyway. Thanks to Richard Bejtlich for putting Dale Peterson and me in touch.
My talk will discuss the Advanced Persistent Threat. I will be walking attendees through APT intrusions from compromise to remediation. Throughout the talk, I will provide a few demos and will dive deep into the forensic techniques our investigators use in the field.
I’ll even be showing a sneak peek of the M-TRENDS report, which provides statistics and intelligence gathered by MANDIANT investigators on all Advanced Persistent Threat cases we have worked. A lot of hard work has gone into developing this report and its data, so it’s sure to enlighten even the most experienced APT investigators. More on M-TRENDS to come, so stay tuned to the blog and our website.
If you’re lucky enough to call Miami home, or will be at the S4 conference, shoot me an email to talk shop while I am down there: kris.harms (at) MANDIANT (dot) com
See you there!
Tags: Advanced Persistent Threat, Harms, speaking