M-Trends: Advanced Persistent Threat Malware
Written by Wendi Rafferty
There are a lot of reports in the news about the types of malware being utilized by the Advanced Persistent Threat (APT) attackers. Our upcoming release of M-Trends will go into great detail about the types of malware, their capabilities, and how the attackers leverage a variety of malware across a breadth of victim organizations to accomplish very specific goals. Over the next week, the MANDIANT blog will feature excerpts from our upcoming M-Trends report that illustrate just how difficult it is to identify APT techniques.
The most significant commonality of APT malware is that it hides in plain sight: it avoids detection by using common network ports, process injection and Windows service persistence. Every piece of APT malware cataloged by MANDIANT initiated only outbound network connections; no sample listened for inbound connections. Controls that face inbound traffic (perimeter ingress rules, inbound IDS signatures, scans of your own hosts for open ports) therefore never see it. Unless an enterprise network is specifically monitoring outbound traffic for APT-related anomalies, it will not identify the malware's outbound beaconing attempts.
A few of the most notable stats about APT malware are listed below:
APT Malware:
- Average File Size: 121.85 KB
Most Common APT Filenames (note that the first two are the names of legitimate Windows binaries, so the filename alone is not an indicator; the path the file runs from is):
- svchost.exe (most common)
- iexplore.exe
- iprinp.dll
- wiinzf32.dll
APT Malware avoids anomaly detection through:
- Outbound HTTP connections
- Process injection
- Service persistence
APT Malware Communication:
- 100% of APT backdoors made only outbound connections
- 83% used TCP port 80 or 443
- 17% used another port
Because APT malware is built to blend in, simple indicators such as MD5 hashes, filenames, and traditional anti-virus signatures usually yield a low rate of true positives. M-Trends will provide detailed information about how exactly organizations can posture themselves for success when fighting attackers with such specialized and sophisticated capabilities.
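The two behavioural traits above (a well-known process name running from the wrong path, and regular outbound connections to one destination on TCP 80 or 443) are the kind of thing egress monitoring can catch where a hash or filename signature cannot. The script below is an added example, not code from the M-Trends report or from MANDIANT's tooling. It runs both checks over a constructed endpoint-connection log; the log format, host names, paths, IP addresses and the expected-path table are all assumptions made for the illustration, and the beacon thresholds are tuning knobs rather than published numbers.

```python
"""Added example (not from the M-Trends report): behavioural checks for the
APT malware traits the post lists, run over constructed connection log lines.

Each line is "timestamp|host|process|image_path|dst_ip|dst_port" and records
one outbound connection opened by a process on a workstation (assumed format).
"""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample log. Hosts, paths and IPs are made up; the svchost.exe
# running from C:\Windows\Temp beacons to 203.0.113.9:443 every ~5 minutes.
SAMPLE_LOG = r"""
2010-01-20T09:00:00|ws-17|svchost.exe|C:\Windows\System32\svchost.exe|10.0.0.5|445
2010-01-20T09:00:03|ws-17|svchost.exe|C:\Windows\Temp\svchost.exe|203.0.113.9|443
2010-01-20T09:05:03|ws-17|svchost.exe|C:\Windows\Temp\svchost.exe|203.0.113.9|443
2010-01-20T09:10:02|ws-17|svchost.exe|C:\Windows\Temp\svchost.exe|203.0.113.9|443
2010-01-20T09:15:04|ws-17|svchost.exe|C:\Windows\Temp\svchost.exe|203.0.113.9|443
2010-01-20T09:20:03|ws-17|svchost.exe|C:\Windows\Temp\svchost.exe|203.0.113.9|443
2010-01-20T09:01:10|ws-17|iexplore.exe|C:\Program Files\Internet Explorer\iexplore.exe|198.51.100.20|80
2010-01-20T09:01:12|ws-17|iexplore.exe|C:\Program Files\Internet Explorer\iexplore.exe|198.51.100.20|80
2010-01-20T09:07:45|ws-17|iexplore.exe|C:\Program Files\Internet Explorer\iexplore.exe|198.51.100.21|80
2010-01-20T09:31:02|ws-17|iexplore.exe|C:\Program Files\Internet Explorer\iexplore.exe|198.51.100.22|443
"""

# Where a legitimate copy of each commonly impersonated binary should live.
# Assumed defaults for a 32-bit English Windows install; adjust per estate.
EXPECTED_PATHS = {
    "svchost.exe": {r"c:\windows\system32\svchost.exe"},
    "iexplore.exe": {r"c:\program files\internet explorer\iexplore.exe"},
}


def parse(log_text):
    """Parse the pipe-separated log into dicts; paths and names lower-cased."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, path, dst, port = line.split("|")
        rows.append({"ts": datetime.fromisoformat(ts), "host": host,
                     "proc": proc.lower(), "path": path.lower(),
                     "dst": dst, "port": int(port)})
    return rows


def masquerading(rows):
    """Flag a known process name running from an unexpected image path."""
    hits = set()
    for r in rows:
        expected = EXPECTED_PATHS.get(r["proc"])
        if expected and r["path"] not in expected:
            hits.add((r["host"], r["proc"], r["path"]))
    return sorted(hits)


def beacons(rows, min_connections=4, max_cv=0.2, ports=(80, 443)):
    """Flag (host, process, dst, port) tuples with regular outbound connections
    on web ports: at least min_connections, and a coefficient of variation of
    the inter-arrival times at or below max_cv. Attacker-added jitter raises
    the CV, so max_cv is a tuning knob, not a hard rule."""
    groups = defaultdict(list)
    for r in rows:
        if r["port"] in ports:
            groups[(r["host"], r["proc"], r["dst"], r["port"])].append(r["ts"])
    hits = []
    for key, times in groups.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            hits.append({"key": key, "interval_s": round(mean),
                         "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    for h in masquerading(rows):
        print("masquerading:", h)
    for h in beacons(rows):
        print("beacon:", h)
```

Normal browsing by iexplore.exe touches several destinations a few times each and is not flagged; the rogue svchost.exe is flagged twice, once for its path and once for its five-minute cadence, without any knowledge of its hash. Real endpoint or proxy logs would need their own parser, and the CV threshold should be tuned against a baseline of the estate's legitimate periodic traffic (update checks, monitoring agents) to keep false positives down.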
If you’d like to register for a copy of “M-Trends,” drop us a note at info(at)mandiant(dot)com; otherwise, keep your eyes peeled to our blog and http://www.mandiant.com for the official release of “M-Trends.”
Special Thanks to Peter Silberman, the MANDIANT malware analysis team, and product engineers for their work in developing this information.
Tags: Advanced Persistent Threat, APT, M-Trends, malware analysis
M-Trends: The Advance of the Persistent Threat
Written by Wendi Rafferty
The Advanced Persistent Threat (APT) is an advanced persistent reality! It’s all over the news. Everyone seems to be either talking about it or affected by it. MANDIANT defines the APT as a group of sophisticated, persistent, and coordinated attackers that have been systematically compromising U.S. government and commercial computer networks for years. The vast majority of APT activity observed by MANDIANT has been linked to China.
MANDIANT has over seven years’ experience conducting Advanced Persistent Threat (APT) intrusion investigations for the U.S. government, the defense industrial base and commercial organizations. During that time, we’ve learned many things, and we want to share our lessons learned with the security community. A team of our APT experts has been working diligently on a report that we call “M-Trends.” M-Trends focuses on what the APT attackers do and how they do it.
Some highlights from “M-Trends” include:
- The APT isn’t just a government problem; it isn’t just a defense contractor problem; and it isn’t just a military problem. The APT is everyone’s problem.
- No target is too small, or too obscure, or too well-defended. No organization is too large, too well-known, or too vulnerable. It’s not spy-versus-spy espionage. It’s spy-versus-everyone.
- Classic “prevent and detect” techniques do not effectively counter the APT. The attackers can easily defeat normal defenses. They successfully evade anti-virus software, network intrusion detection and under-equipped incident responders. They use sophisticated techniques to conceal their presence: hiding malware on their target’s own hosts and exfiltrating data in its own network traffic. A staggering 100% of APT malware identified by MANDIANT made ONLY outbound connections from victim networks, 83% of which used TCP port 80 or 443.
- The APT’s goals are twofold:
- to steal information to achieve economic, political and strategic advantage.
- to establish and maintain an occupying force in their target’s environment, a force they can call on at any time. When the APT wants additional data from a target, they don’t need to re-establish a presence. They simply call on their existing assets, locate, steal and exfiltrate the data they need.
We will introduce “M-Trends” at a launch party during the 2010 DoD Cyber Crime conference in St. Louis, MO. The report authors will be there to answer your questions and share their knowledge. If you’ll be in St. Louis, stop by and see us on Wednesday, January 27 from 6 to 9 in the Crystal Ballroom at the Renaissance Grand.
Register for a copy of “M-Trends” and keep your eyes peeled to our blog and http://www.mandiant.com for the official release of “M-Trends.”
Tags: Advanced Persistent Threat, APT, M-Trends
MANDIANT in Miami at the SCADA Security Scientific Symposium
Written by Kris Harms
On January 20th, I’ll be keynoting the SCADA Security Scientific Symposium (S4). I’m lucky enough to escape the cold DC weather. Unfortunately, Miami is also getting some of the coldest weather in its history, but it will be a great conference anyway. Thanks to Richard Bejtlich for putting Dale Peterson and me in touch.
My talk will discuss the Advanced Persistent Threat. I will be walking attendees through APT intrusions from compromise to remediation. Throughout the talk, I will provide a few demos and will dive deep into the forensic techniques our investigators use in the field.
I’ll even be showing a sneak peek of the M-TRENDS report that provides statistics and intelligence gathered by MANDIANT investigators on all Advanced Persistent Threat cases we have worked. A lot of hard work has gone into developing this report and its data so it’s sure to enlighten even the most experienced APT investigators. More on M-TRENDS to come so stay tuned to the blog and our website.
If you’re lucky enough to call Miami home, or will be at the S4 conference, shoot me an email to talk shop while I am down there: kris.harms (at) MANDIANT (dot) com
See you there!
Tags: Advanced Persistent Threat, Harms, speaking
AFCEA Cyberspace 2010
Written by Helena Brito
Come chat with us next week at Defending America, CYBERSPACE 2010 Symposium, January 12-14, held at the Broadmoor Hotel in Colorado Springs, CO.
Between informational sessions on the latest cyberspace issues, stop by MANDIANT’s booth (#51) to speak with our knowledgeable staff and gain insight into how we differ in response to cyber security incidents. Don’t forget to grab a souvenir stress ball once we have answered all your questions!
Booth Staff:
• Kevin Albano – Consultant
• Michael J. Graven – Director
• Tim Treat – Program Manager
Broken Web Applications VM Version 0.9 Released
Written by Chuck Willis
As I mentioned in my previous post, I have been working on creating a Linux Virtual Machine containing a variety of vulnerable web applications. Just in time for the OWASP AppSec DC Conference, version 0.9 of the VM has been released!
You can find details about the VM on the project summary page on Google Code. You can also get the VM via the downloads page.
The VM is still a work in progress. I would like to add additional applications, especially those that use different application frameworks, but the applications that are there should work. I really hope that some people at the conference will get excited about the project and contribute some additional content that can be included on the 1.0 release.
If you would like to contribute some effort or a vulnerable application or just have some comments / criticism, I’d love to hear from you at chuck.willis (at) mandiant (dot) com.
I will be speaking about this project at the OWASP AppSec DC Conference. I hope to see you there!
Chuck
Tags: OWASP, VM, Web Application
WASC Web Application Security Statistics Published
Written by Chuck Willis
Thanks to Veracode’s Blog for pointing me to the Web Application Security Consortium (WASC) Web Application Security Statistics that were recently published.
Overall, I think that the paper has some very interesting data and statistics. As Chris Wysopal at Veracode pointed out, it provides some good evidence to back up the seemingly common-sense idea that white box testing (where the testers have access to source code, design documents, and internal resources) is more likely to find certain issues than black box testing. I believe that this is the case for most, but not all, types of issues. Again, the study appears to support this notion by showing that some issue types (such as Insufficient Authorization) are more likely to be found by black box testing.
I think that this study validates the approach that Mandiant takes toward conducting web application assessments. We always try to convince our clients to let us use both black box and white box techniques. When combined, these approaches allow us to find and validate different types of issues in different ways and provide better coverage in less time. It also allows us to easily eliminate false positives through manual testing.
A couple words of caution when reading the WASC paper, however. First, the titles of some of the tables and graphs are correct, but could be misinterpreted. For example, P. 9 is titled “The probability to detect the most risky vulnerabilities in Web applications (% Sites BlackBox & WhiteBox)”. What this figure is showing is the percentage of web sites tested with the different techniques which were found to have the issue shown, not the likelihood of actually detecting the issue if it exists.
So, it could be that only 44% of the sites subjected to white box testing had Credential/Session Prediction issues, in which case the white box technique was “perfect”. It could also be that 88% of those sites had the issue and the white box technique only found half of them. In all, this study did not appear to look at “false negatives” in determining what issues were missed, which is understandable since that is very difficult to account for in a study of this type.
The other word of caution I would propose is that there is no mention at all in the document of false positives, making it unclear how many of the findings included in the study were real issues in the sites tested. False positives can be very common when using automated processes, including external web application scans and source code scans. I would expect that the black box statistics in the paper would have accounted for false positives to some degree since manual effort was included, but that is just an assumption.
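To make the two cautions concrete: the fraction of sites a technique reports as affected mixes three things, the true prevalence of the issue, the technique's recall (one minus its false-negative rate) and its false-positive rate. The snippet below is an added illustration, not part of the WASC paper or of Mandiant's assessment methodology; the 44% white-box figure for Credential/Session Prediction is the one quoted above, and every recall and false-positive value is an assumed parameter chosen to show the range of prevalences the same observation is consistent with.

```python
"""Added example (not from the WASC paper): why a "% of sites found to have
issue X" figure cannot be read as a probability of detecting X."""


def observed_rate(prevalence, recall, fpr):
    """Fraction of sites a technique reports as affected, given the true
    prevalence, the technique's recall, and its false-positive rate."""
    return prevalence * recall + (1 - prevalence) * fpr


def implied_prevalence(observed, recall, fpr):
    """Invert observed_rate to recover prevalence. Returns None when the
    assumed recall/fpr pair cannot produce the observed rate at all."""
    if recall <= fpr:
        return None
    p = (observed - fpr) / (recall - fpr)
    return p if 0.0 <= p <= 1.0 else None


def consistent_prevalences(observed, recalls=(1.0, 0.75, 0.5),
                           fprs=(0.0, 0.1, 0.2)):
    """Tabulate the true prevalence that would yield one observed rate under
    each (recall, fpr) assumption. Assumed grids, not figures from the paper."""
    return {(r, f): implied_prevalence(observed, r, f)
            for r in recalls for f in fprs}


if __name__ == "__main__":
    # 0.44 is the white-box "% of sites" figure quoted in the post.
    for (recall, fpr), prevalence in consistent_prevalences(0.44).items():
        shown = "n/a" if prevalence is None else f"{prevalence:.2f}"
        print(f"recall={recall:.2f} fpr={fpr:.2f} -> true prevalence {shown}")
```

With perfect recall and no false positives the 44% is the prevalence; at 50% recall it implies 88%, and once a false-positive rate is allowed the implied prevalence drops as low as 30% for the same observation. Without the false-negative and false-positive rates the paper leaves out, the figure fixes none of these.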
In summary, a great study with some good numbers, but I’d take them all with a grain of salt and use them as trends and ballpark figures rather than as ground truth.
Chuck
Tags: Black Box, Statistics, Veracode, WASC, Web Application, White Box