Sunday, January 31, 2010

Who are the APT targets?

I've been publicly quiet on the whole APT discussions as of late, with good reason. There are lots of blogs out there which share (and do not share) my opinion, so there is no need for me to chime into the myriad of voices out there.

However, an anonymous comment on one of the recent taosecurity posts brought up a point that I have not seen anyone else talk about. The comment stated:

Reading the Mandiant Report, we see:

1.) Government
2.) Defense Contractors
3.) Fortune XXX acquiring a Chinese company
4.) A Law Firm involved in a Chinese civil litigation case
5.) A non-profit trying to spread "democracy and free enterprise in China" (maybe they could also do that in the USA).

Look, it doesn't take Arthur Conan Doyle to piece together the storyline here. This clearly isn't "everyone's problem". It's a problem for those that are seen as an enemy of certain nation-states.

The part I'd like to focus on is the last statement. The APT problem is not only the problem of those seen as the enemy of certain nation-states. It is the problem of everyone.

If you read Mandiant's excellent report, you will see specific examples (mentioned in the comment above) which are documented APT targets. Yes, these are what you think of as nation-state attack targets.

However, I have personally seen the APT attack and compromise systems in networks which have no ties to that nation-state and you would not consider enemies of that nation-state (or any for that matter). In these cases, the organizations were small-medium sized companies whose systems were compromised in order to be used as command and control systems for the APT's backdoors.

Of course, there are those that will say that this is the same technique that all attackers use - compromise less secure systems and use them as a go-between to attack other systems. And I will 100% agree with them on that! But that reinforces my point as well! No one is safe from attack by the APT, and therefore there is no reason why organizations should not take every reasonable precaution against these (or any) attackers and learn as much as they can.

Yes, there will be those companies that use the term APT as a marketing tool. Yes, there will be those who say this is a limited threat to some organizations (and to some extent I agree with that). But in the end, it is a real threat that exists and any organization that does not perform the due diligence to at least learn about the potential threat will be at a disadvantage when they do get attacked; maybe not by the APT but by the next threat.

Thursday, January 21, 2010

Funky Ivy

I was testing out some functionality with the Poison Ivy backdoor today when I grabbed this screenshot. Very psychedelic!

Tuesday, January 12, 2010

Malware Analysis in the Incident Response Process followup

I just finished giving my webcast of Malware Analysis in the Incident Response Process at BrightTalk. A few questions came in after the presentation ended, so I'll answer them here and hopefully those who asked will see it.

You indicated it is inevitable to get malware. What is the best prevention…having dedicated PCs for mission-critical functions (e.g. online banking)?

I honestly believe that the best way to prevent getting malware on systems is to run users with reduced privileges. I have seen first-hand where restricting what activities a user can do on their system (install software, etc.) will significantly decrease the number of malware compromises you have.

Of course, there are other options as well. A good defense-in-depth strategy will make it more difficult for malware to compromise your systems. Using up-to-date AV on the desktop and your email systems, restricting Internet access, and requiring all web traffic to go through filtering proxy servers will help.

Are there any books you would recommend for beginners to learn malware analysis?

There are lots of great books out there that I would recommend to anyone who wants to learn malware analysis. The following are just a few of the ones I've read.

Malware Forensics by Aquilina, Casey and Malin
The Art of Computer Virus Research and Defense by Peter Szor
Malware: Fighting Malicious Code by Skoudis and Zeltser

There are others, but these are a good start.

Can you post a recent example of an analysis?

Unfortunately, I do not have one. However, I recommend checking out the results from the 2008 Malware Challenge for some analysis reports. I will also try to post something in the next few weeks.

Thanks to those who listened to the webcast. If you have any other questions, feel free to post them in the comments or send me an email!

Friday, January 8, 2010

Malware Analysis in the Incident Response Process

Next week I'll be giving an online presentation at BrightTalk on Malware Analysis in the Incident Response Process. The description of the talk is:
Malware has become the primary vector of compromise within organisations. Due to this, it has become necessary for incident response teams to have the ability to perform in-house malware analysis. This presentation will discuss how malware analysis can benefit an organisation and what options are available.
The talk is scheduled for next Tuesday, January 12 at 6PM EST and is part of their Intrusion Prevention Summit. The summit has a lot of interesting talks all day, so I recommend checking it out.

To attend my talk, you can go to the following URL:

Hope you can join!