M-Trends: Advanced Persistent Threat Malware
Written by Wendi Rafferty
There are a lot of reports in the news about the types of malware being utilized by the Advanced Persistent Threat (APT) attackers. Our upcoming release of M-Trends will go into great detail about the types of malware, its capabilities, and how the attackers leverage a variety of malware throughout a breadth of victim organizations to accomplish very specific goals. Over the next week, the MANDIANT blog will feature excerpts from our upcoming M-Trends report that illustrate just how difficult it is to identify APT techniques.
The most significant commonality of APT malware is that it hides in plain sight. It avoids detection by using common network ports, process injection and Windows service persistence. Every piece of APT malware cataloged by MANDIANT initiated only outbound network connections. No sample listened for inbound connections. So, unless an enterprise network is specifically monitoring outbound network traffic for APT-related anomalies, it will not identify the APT malware outbound beaconing attempts.
A few of the most poignant stats about APT malware are listed below:
APT Malware:
- Average File Size: 121.85 KB
Most Common APT Filenames:
- svchost.exe (most common)
- iexplore.exe
- iprinp.dll
- wiinzf32.dll
APT Malware avoids anomaly detection through:
- Outbound HTTP connections
- Process injection
- Service persistence
APT Malware Communication:
- 100% of APT backdoors made only outbound connections
- 83% used TCP port 80 or 443
- 17% used another port
Because APT malware is so difficult to detect, simple malware signatures such as MD5 hashes, filenames, and traditional anti-virus methods usually yield a low rate of true positives. M-Trends will provide detailed information about how exactly organizations can posture themselves for success when fighting attackers with such specialized and sophisticated capabilities.
If you’d like to register for a copy of “M-Trends,” drop us a note at info(at)mandiant(dot)com otherwise, keep your eyes peeled to our blog and http://www.mandiant.com for the official release of “M-Trends.”
Special Thanks to Peter Silberman, the MANDIANT malware analysis team, and product engineers for their work in developing this information.
Tags: Advanced Persistent Threat, APT, M-Trends, malware analysis
. 15 Jan 10 | General | Comments (0)
Flex your Memory Forensic skills at CEIC!!!
Written by Peter Silberman
MANDIANT will be at this year’s Computer Enterprise Investigation Conference (CEIC). I will be there as well running a contest for incident responders. The contest is designed to test your ability to identify malware in memory. We have all heard of the Advanced Persistent Threat, we know the acronym APT. If you’re not familiar with APT or want to become more familiar check out https://cc.readytalk.com/cc/schedule/display.do?udc=1s8rbdxuuzuf7.
But how many of us have seen these cute cuddly creatures on live systems or in dead memory? This is your opportunity to come see if you can find the malware of an actual APT incident as well as some other incident of my own creation.
The contest will run two days and kick off Monday, May 18 at 9:45 a.m. The contest will work as follows: you will be given access to a virtual machine (VM). This VM will be pre-loaded with Audit Viewer and Memoryze. Audit Viewer will already have the audits needed to solve the incident loaded, which will cut down on the time needed at the station. You will have 10 minutes to go through the results of the audit and answer a set of four to five questions. At minutes 4, 6, and 8 you can ask for hints. If you answer three more of the questions on the first day you are eligible to compete on the second day. The second day will work the same. One of these two days will contain actual APT malware taken from an incident we responded too. The contest is designed to simulate what we see on a daily basis and to help attendees learn more about finding malware in memory. The prize will be an iLive IP908B 9″ Portable DVD Player With iPod® Dock And Swivel Screen.
If you are wondering how to prepare for the contest, we recommend you read the Audit Viewer user guide included in Audit Viewer. You should understand the data displayed by Audit Viewer and how to navigate/search Audit Viewer results. You will not have to run Memoryze as all the data you need to solve the case will be preloaded into Audit Viewer. We will have an Audit Viewer training slide deck running at the contest so you can if you’d like cram prior to the competition but as one of my college professors might have said “cramming is not recommended.”
You may say, “well I don’t have much memory analysis experience.” That does not matter! Stop by the booth, I will be there to walk through how to do memory forensics on 15 or so unique memory images. Each memory image is a different type of malware or scenario. All our demonstrations will utilize MemScript, which is a FREE EnCase script written by Kelcey Tietjen that integrates memory analysis into EnCase. This is a great chance to come and learn something new. And, as always, if you have questions about previous talks we’ve given or upcoming research you’ve read about, I’ll be more than happy to chat about those as well. So stop by, watch others compete, come and see the big red box, talk memory, APT, fluffy bunnies and more.
Hope to see you there!
Tags: APT, Audit Viewer, Encase, malware analysis
. 11 May 09 | General | Comments (0)
Article on how to use Memoryze and Audit Viewer for malware analysis
Written by Peter Silberman
I know not everyone reads OpenRCE, but it has been a favorite haunt of mine since Pedram launched it. Over the holiday, I posted an article there about how to use Memoryze and Audit Viewer to do malware analysis since that has always been one of my hobbies.
See Memoryze Memory Forensics Tool at OpenRCE.
NOTE: John O. pointed out that having spaces in your path where Memoryze was installed may prevent Audit Viewer from launching Memoryze because of how batch scripts’ input is interpreted. If you install Memoryze in a path with no spaces you should be fine.
Thanks to Pedram for helping with the post to OpenRCE and to Danny Quist at Offensive Computing for his blog entry.
Tags: Audit Viewer, malware analysis, Memoryze, offensive computing, openrce
. 01 Dec 08 | General | Comments (0)
Recent Posts
- State of the Hack Webinar – Thursday March 11th
- Malware Behaving Badly: Preview
- Audit Viewer: Malware Rating Index Undocumented Features and Caveats
- Combat the APT by Sharing Indicators of Compromise
- DOD Cyber Crime: New Audit Viewer/Memoryze
Follow us on Twitter
- Mandiant: 1 hour left to register for MANDIANT's State of the Hack: Silent But Deadly webinar Today @ 2pm EST http://bit.ly/cKw0ba
- Mandiant: 3 hrs left to register for MANDIANT's State of the Hack: Silent But Deadly webinar Today @ 2pm EST http://bit.ly/cKw0ba
- Mandiant: 4 hrs left to register for MANDIANT's State of the Hack: Silent But Deadly webinar Today @ 2pm EST http://bit.ly/cKw0ba