Introducing Ransomware

27 03 2013

I am guilty of not regularly following malware scam security threats, it seems most can be easily prevented and are typically trigged by user actions.   However,   a new variant has recently surfaced that is interesting as it leverages both technical and emotional measures to exploit money.     That variant is Ransomware which display’s a message that a user’s PC is locked due to a crime they committed and payment must be issued prior to resuming use of the PC.

Symantec has created a detailed white paper on this new threat which estimates yearly revenue from the ransomware in excess of $5 million dollar. And even more suppressing approximately 3 out of every 100 users receiving the message pay the fine.     That begs the question, how are so many people fooled by a virus and willing giving pay the malware creator?

To start with, let’s look at examples of messages shown to potential victims:




While the success of the first message of seems very unlikely based on the overall structure of the page, wording and how to pay.    However, the second message contains mock FBI branding,   web cam picture snap shot,   and a fairly open description of the crime.    While some details of the message are overly specific and highly offensive to the mass population, a final comment adds files accessed with/without knowledge due to a virus   This is likely how the malware developers have been successful, creating a feeling of guilt in the user for downloading an illegal pirated song or the possibility a virus has downloaded something worse.

In addition to use in the private sector,   is it really impossible for a government to employee malware based tools for a minor infraction such as a pirated song or downloading a movie still in theaters?     Looking into this further, Kaspersky has published a detail report of governments creating malware for espionage against other governments and organizations.  In addition, there are confirmed reports of governments such as Germany using malware to spy on their own citizens.

It seems both ransomware and government adoption of malware are clear emerging patterns, the question becomes will these to paths intersect?  Will ransomware be the next product governments look to adopt, creating the real possibility of automated enforcement of FBI cybercrimes?









Anti-detection and anti-analysis techniques of modern malware – are they stumping security researchers?

4 10 2012

Modern malware have been evolving to such an extent that it is difficult for security researchers to keep up with them. Most anti-virus solutions depend largely on signature-based scanning and some form of heuristic-based detection. However, there is no doubt that creating signatures for every single malware is similar to a catching game where the good guys are always behind. The total number of unique malware variants jumped from 286 million in 2010 to 403 million in 2011 [1], a staggering 40% increase. For every new virus or worm that is discovered, many machines would have already been infected while the anti-virus vendors are still frantically trying to analyze the malware and release new definitions to their customers.

Malware writers are aware of this fact and have been incorporating advanced techniques to further delay the detection and analysis of their malware. One of the most commonly used methods is polymorphism, whereby the malware constantly mutates its own code to bypass signature-based anti-virus scans, but still retaining the malicious payload. This is typically achieved through encryption with varying keys, compression and filename changes [2]. Although polymorphic malware have been around since the early 1990s, the good news is that most modern anti-virus software can detect them with a decent probability [3] – usually by looking at the portion of the malware that does not change. However, cybercriminals have already found a way to bypass this – through a variation called “server-side polymorphism”. In this case, the malware is hosted on the attackers’ server, allowing them to generate a unique version for every potential victim each time the malware is downloaded. [4] This essentially renders pattern-matching useless since no two version of the malware is the same.

More alarmingly, a new form of attack called Domain Generation Algorithms (DGA) has manifested itself in new-generation malware. Popularized by the Conficker worm in 2008, DGA malware contains code that allows it to receive commands from remote locations. [5] Each day, the malware will generate a new list of domain names and try to contact all these locations for an update. Since the malware author knows the algorithm, all he needs to do is register one of the domains and host the update on that site. This makes the job of cyber law-enforcement officers extremely difficult since they have to shut down all possible domains to prevent the update while the attacker only needs to use a single domain. [6] Furthermore, signature-based detection will be irrelevant since the update from the remote site will be able to modify the malware source-code and behavior. [7]

In response, malware researchers have turned to advanced techniques to analyze modern viruses. This includes sandbox testing, emulation and using virtualization technologies. They confine the malware to a restricted environment so as to limit its actions, allowing a more effective analysis and reverse-engineering of the malware.

Unfortunately, it seems that even so, cybercriminals have found ways to circumvent the analysis techniques of researchers. Recent years have seen a rise of anti-virtual machine malware (or VM-aware malware), which can distinguish whether it is present in a virtual machine or a real environment. If such malware recognizes that it is being run in a VM, the malware will feign benign behavior and not release its payload. [8]

Like a cat-and-mouse game, the white hat community has yet again formulated possible solutions against such malware. In the recent 2012 BlackHat Conference, three researchers presented their findings on anti-VM, anti-debugging and anti-disassembly techniques used by malware. [9] They analyzed more than four million malware samples and in doing so, created a malware sample database with an open architecture. This allows other researchers around the world to see the results of the analysis, as well as develop and plug-in new analysis capabilities.

Some experts have also claimed that the more evasive a malware tries to become, the greater chances that it will gain unnecessary attention due to its over-innovative methods. [10] This is because even with anti-VM and anti-debugger features, researchers thus far have still been able to bypass the evasion techniques and deconstruct such malware.

However, it is only a matter of time before malware authors invent new ways to work around the efforts of security researchers. It is true that the white hats might have the right solution for a while, but there can be no silver bullet for malware, or any issue pertaining to the IT security industry. The only solution is to be ever vigilant and be as agile and adaptive as the black hats are.


[1] Symantec Internet Security Threat Report 2011. Rep. no. 17. Symantec, Apr. 2012. Web.

[2] Rouse, Margaret. “Polymorphic Malware.”, Apr. 2007. Web. 04 Oct. 2012. <;.

[3] Cluley, Graham. “Server-side Polymorphism: How Mutating Web Malware Tries to Defeat Anti-virus Software.” Naked Security, 31 July 2012. Web. 04 Oct. 2012. <;.

[4] See [1].

[5] Markoff, John. “Worm Infects Millions Of Computers Worldwide.” The New York Times. The New York Times, 23 Jan. 2009. Web. 04 Oct. 2012. <;.

[6] Constantin, Ucian. “Malware Authors Expand Use of Domain Generation Algorithms to Evade Detection.” IDG News Service, 27 Feb. 2012. Web. 04 Oct. 2012. <;.

[7] Ollmann, Gunter. “Domain Generation Algorithms (DGA) in Stealthy Malware.” Domain Generation Algorithms (DGA) in Stealthy Malware «. Damballa, n.d. Web. 04 Oct. 2012. <;.

[8] Sun, Ming-Kung, Mao-Jie Lin, Michael Chang, Chi-Sung Laih, and Hui-Tang Lin. “Malware Virtualization-Resistant Behavior Detection.” 2011 IEEE 17th International Conference on Parallel and Distributed Systems (2011): 912-17. IEEE. Web. 4 Oct. 2012.

[9] Branco, Rodrigo Rubira, Gabriel Negreira Barbosa, and Pedro Drimel Neto. Scientific but Not Academical Overview of Malware Anti-Debugging, Anti-Disassembly and Anti-VM Technologies. Tech. Qualys – Vulnerability & Malware Research Labs, 2012. Web. 4 Oct. 2012. <;.

[10] Mushtaq, Atif. “The Dead Giveaways of Vm-Aware.” FireEye, 27 Jan. 2011. Web. 04 Oct. 2012. <;.

Trojan.Taidoor: A Modern Chinese APT

23 09 2012

“We must use all types, forms, and methods of force, and especially make more use of nonlinear warfare and many types of information warfare methods … to use our strengths in order to attack the enemy’s weaknesses, avoid being reactive, and strive for being active.” [1]

In 1995, China’s Major General Wang Pufeng stated the nation’s position on information warfare and it was clear that China was willing to utilize technology as an attack vector. This statement was made 14 years before USCYBERCOM was established to “ensure US and allied freedom of action in cyberspace, while denying the same to [their] adversaries” [2]. USCYBERCOM’s mission statement is essentially a more subtle version of Major General Wang’s declaration stated much further into the future, only delivered much later.

China has viewed cyberwarfare and advanced persistent threats (APT) as a direct means of militaristic defense and offense since the late 1990s and grew to utilize cyber attacks to steal information and “leapfrog” [1] Western innovations and advancements. Today, China is not only behind or suspected of being behind cyber espionage operations, many organized Chinese groups have been responsible for politically-motivated attacks against Taiwan, Tibet, and the United States to name a few.

In 2011, a series of attacks named Trojan.Taidoor restructured their 3 year-old strategy. Trojan.Taidoor, more commonly known as Taidoor, began focusing on attacking think tanks involved with US and Taiwanese affairs and the private sector rather than a set of unrelated organizations. (Fun fact: Taidoor=台门 = door into Taiwan) 2011 also saw an influx in frequency of attacks including a peak in September 2012 when the US-Taiwan Defense Industry Conference was held [6].

Taidoor’s technical specifications include the expected email attacks as the breach component where some are specially crafted for specific targets and others are more generalized phishing attempts [5]. Once Taidoor’s targets open attachments in the attack emails, which are generally in xls, scr, pdf, or doc formats, a dropper is created in the target’s file system. The dropper then replaces it with the malicious back door and continues onto the final payload [4]. From there, Taidoor’s back doors communicate with the command & control servers generally located near the attacker to reduce suspicion.

However, despite Taidoor’s seemingly more focused attacks since 2011, their motivations remain unclear and it does not appear that any security firms have identified exactly what the attackers behind Taidoor do with compromised information. When Symantec traced the activity of Taidoor’s command & control servers, they found that the attackers engaged in live interactive sessions to traverse the compromised machine. The attackers seem to make attempts to find valuable documents without any clear methodology or strategy [5], a common trend in many APTs. While some APTs utilize zero-day vulnerabilities, several major Chinese APTs including Taidoor only exploit known Adobe or Microsoft vulnerabilities. As such, attackers can be fairly certain that their victims are not the most technologically advanced given their negligence to patch extremely vulnerable software.

Taidoor’s frequency, targets, and technical details are similar to many other instances of cyberwarfare and espionage linked to China such as Luckycat. Today, China has been identified as the source of many attacks similar to Taidoor where the primary goals are to steal information or to gain competitive edge against other nations. China has an extensive past of recognizing the power of cyberwarfare and today we see the products of that history.

“Red Hackers” or “Chinese Honkers” [3], as media outlets have named them, are some of the most active members of the global cyberespionage and hacker communities and there seems to be no end in sight to their or any other nation’s cyberwarfare activities. In conjunction with ever-advancing technology, cyberwarfare is undoubtedly an area demanding increased attention.



[2] “U.S. Department of Defense, Cyber Command Fact Sheet”. 21 May 2010. 9 Sept. 2012. <;.

[3] Hille, Katherine, and Joseph Menn. “Hackers in frontline of China’s cyberwar.” Financial Times. N.p., 13 Jan. 2010. Web. 9 Sept. 2012. <>.

[4] “The Taidoor Campaign: An In-Depth Analysis.” Trend Micro. Trend Micro Incorporated, 23 Aug. 2012. Web. 10 Sept. 2013. <>.

[5] “Trojan.Taidoor takes aim at policy think tanks .” Symantec Security Response. N.p., 27 Mar. 2012. Web. 9 Sept. 2012. <>.

[6] Doherty, Stephen, and Piotr Krysiuk. “Trojan.Taidoor: Targeting Think Tanks.”Symantec. Symantec Security Resopnse, n.d. Web. 9 Sept. 2012. <>.

Transnational Organized Crime and Internet Fraud

30 07 2012

Over the past decade the internet has accelerated as a prime tool for transnational organized crime (TOC) to commit fraud.  The internet is a great haven for TOC to commit crime against a great number of victims, from just about any point on the globe,  with limited chance of prosecution (Cukier).  It is user demand for online financial account access which has fueled organized crime to aggressively invest in technological tools and relationships, to intercept this financial data for their own gain (Smith), all the while building a most efficient business machine.

Following we discuss the technical tools, business strategies, and current trends, as they relate to fraudulent activity within the boundaries of the world wide web.

Technical Tools

It follows that organized crime has driven malware development and distribution to infect computer systems worldwide.  While our focus here is on fraudulent activity, malware is indeed used for a greater number of purposes.

Malware is ‘any malicious software, script or code developed or used for the purpose of compromising or harming information assets without the owner’s informed consent’ (Verizon).  It’s popularity is likely due to an attacker’s desire to stay in control of a system after gaining access, and it’s successful use in high volume automated attacks. (Verizon).

We define ‘crimeware’, a subcategory of malware, as ‘software that performs illegal actions unanticipated by a user running the software, which are intended to yield financial benefits to the distributor of the software’ (Smith).  Hence, crimeware used for fraudulent purposes involves the acquisition of personal private information for one’s own use, or the resale of personal information or access to a computer system to a second party (Smith).

Crimeware is distributed via many techniques, including social engineering exploits, content injection attacks, software vulnerabilities, and software downloads.  Two basic types of crimeware are utilized for data information theft (Smith):

1.  System reconfiguration crimeware

Here the code runs one time and alters a system configuration, leading the user system to send off data to a server without requiring software to remain on the system.

2.  Resident crimeware

Here the code remains on the system while collecting user information and sending it to a site accessible to the attacker.  Two components are typical: A sending component on the user’s computer and a receiving component on an external server used for data collection.  The sending component assembles data from the execution of crimeware (via web Trojan, key or screenlogger) and sends data outbound.  Transmission occurs via different systems: Email to a fixed location (typically a free email account set up by the attacker); data sent over a chat channel, such as an IRC channel, which the attacker monitors; data sent over a TCP/IP to a data collection server, or servers, accessible to the attacker.

Malware is a vital tool used to gain, and potentially maintain access to a computer system, with the possible objective to accumulate confidential, personal data. In addition, we can add that the way in which malware is deployed can assist attackers to avoid detection, and maintain their presence on a system.  For instance, multiple variants of one specific malware code may be used, and each in limited applications.  A ‘long tail approach’ can be used  (Liston).  Instead of infiltrating a large number of systems with small amounts of code, a large number of malware variants are used to hide evidence of a malware ‘outbreak’.  Additionally, malware communication may be limited to ways that follow typical user behavior, and system resources can be used sparingly so as not to raise any flags.

One last item here: the sheer number of malware code in existence today is considered ‘the ultimate weapon’ (Liston).  Antivirus analysts cannot keep up with the number of signatures needed to keep systems free and clear of known malware code, not to mention worry about the malicious code still unknown, running undetected.

Business Model

The TOC business model is one which takes advantage of the strengths of technology such as malware, as well as the weaknesses of system users.

1.  Cartel-like business structure.  The TOC model has been compared to a cartel-like model (Berinato).  A shift to a layered service organization disseminates risk of all involved. Services are doled out to various players, from malware developer, malware distributor, and middlemen who sell temporary ‘access’ to infected systems.  The buyers who ultimately intercept and withdraw personal data from a system are far removed from the initial players.

2. Keeping it under wraps.  The goal of organized crime on the internet is to retain a low profile.  Hence the focus on deploying malware code in a manner which ensures its longevity.  Another method to successfully maintain the operation: taking small bites. Those who purchase access to infected systems and reap the rewards of coming across personal financial data use that information wisely.  Best to charge $10 per compromised credit card, on 1,000 cards, versus a charge of $1,000 on 10 cards.  The odds that credit card holders will notice or care is minimized.  Also, this model distributes risk among multiple banks, who are thus better able to write off the loss.  Law enforcement remains uninvolved, with no complaints issued.

3. Location, location, location.  TOCs tend to base their operations in countries with no legal ties to the U.S., often remaining in areas with ‘weak legal and policing systems’ (Verizon).  This is supported by the fact that in 2011, Eastern Europe (specifically Russia and Turkey) accounted for 67% of all originating data theft attacks against organizations (Verizon).

Recent Data

We have a come a long way over the past decade.  Malware development has increased dramatically.  Sophos reported seeing approximately 95,000 unique samples of malware per day in 2011.  Two years prior, the number was under 5,000 per day (Ragan).

Malware was a tool utilized in more than two thirds of the data breach caseload covered in Verizon’s 2012 Data Breach Investigation Report, and was a definite tool in 95% of all cases involving stolen data.  External agents accounted for 98% of all data breaches. Organized criminals were behind the majority of these breaches, at 83%, and money was the motivating factor in 96% of these particular cases.  Small organizations with less than 100 employees represent the majority of the victims.  Investigators believe this is related to the ease at which their internet facing point-of-sale systems can be breached (Verizon).

The Future

There are definite steps which can be taken to help mitigate threats and attacks from TOC or other potential external (and internal) attackers.  The recent Verizon data breach report does highlight how well external attackers have taken advantage of small business system vulnerabilities.  Special care should be taken to educate and assist these organizations with mitigation strategies, specifically ensuring that they attain and maintain PCI compliancy.

Additionally, we need adequate law enforcement to deter, investigate and prosecute crimes.  We need to continue work internationally, and encourage minimum standards and cooperation in regard to cyber crime (Cukier).


Berinato, S. (2007, September 1). Inside the Global Hacker Service Economy. Retrieved July 19, 2012, from‌article/‌456863/‌inside-the-global-hacker-service-economy

Cukier, W., & Levin, A. (2009). Internet Fraud and Cybercrime. In Crimes of the Internet. Upper Saddle River, NJ: Prentice Hall. (Reprinted from Crimes of the Internet, 251-279, 2009)

Liston, T. (2011, March). Malware War: How Malicious Code Authors Battle to Evade Detection (Publication). Retrieved from Information Week website:‌abstract/‌21/‌5854/‌security/‌strategy-malware-war.html

Ragan, S. (2011, February 15). RSAC 2011: Malware and Cyber Crime Evolved. Retrieved from‌articles/‌RSAC-2011-Malware-and-cyber-crime-evolved/‌12807/

Smith, A. (2006, October). The Crimeware Landscape: Malware, Phishing, Identity Theft and Beyond (Report). Retrieved from‌reports/‌APWG_CrimewareReport.pdf

2012 Data Breach Investigation Report (Research Report). (2012). Retrieved from Verizon website:‌us/‌about/‌events/‌2012dbir/

STUXNET: Opening Pandora’s Box?

13 07 2012

In June of 2010, VirusBlokada an antivirus company identified a new threat called the W32.STUXNET.  Stuxnet had hitherto unheard of complexity for a virus/worm. It is billed to be one of the most sophisticated and complex malware ever to be created. In no less than a Hollywood spy thriller fashion, it has been alleged that the whole purpose of the STUXNET creation was to destroy/damage nuclear facilities of IRAN to stop it from Uranium enrichment. (References [1] through [5])

What is STUXNET?

STUXNET is a malware targeted specifically at Industrial Control Software from Siemens running on their PLCs. STUXNET is reported to have infected about 100,000 systems worldwide; a majority of them in IRAN, Indonesia and India. [1]

This article describes some basic details of the STUXNET worm drawn from the information in the references. For a detailed report of STUXNET and its modus operandi, see [1] and [3]

According the security experts who identified and studied the malware, its sophistication, significantly large size (~1MB) and ability to exploit more than one vulnerability was not usual for a malware.

The STUXNET malware contains of two parts:

  • The Delivery mechanism or the dropper
  • The payload

The delivery mechanism made use of at least 4 WINDOWS “0-day vulnerabilities” known at the time of its creation. The virus spread from one computer to another either by portable drives or using 2 network vulnerabilities.  It also used 2 stolen Digital certificates (Certificates of Realtek and JMicron) to install itself without being flagged as suspicious. Once installed, if the computer has WINCC database and STEP7 software from SIEMENS, it infects the folders belonging to these software. These computers do not have to be remotely controlled or connected to a network. The malware has all the required components within itself.

The malware intercepts the communication between the PLC and the WINCC/STEP7 software and able tin install itself on the PLC. Once on the PLC, it looks for highly specific type of SCADA configurations connected to the PLC. If the configuration matches its targets, it carries out the attack by modifying the process being controlled, while also modifying the sensor inputs that are reported back to the human supervisor and the control software. This ensures that the human operator and the control software do not suspect abnormal behavior. It also makes use of a vulnerability in the WINCC software.

The detailed presentation video from Ralph Langner who was one of the researchers who worked on figuring out the targets/purpose of STUXNET can be found at: (reference [3])

The Natanz enrichment plant in IRAN reported the enrichment program to have been delayed. Security experts attribute this delay to the successful STUXNET attack.

Predecessors, Successors and derivatives…….

At least two newer malware have been declared by security experts to be using a part of the STUXNET code and attack strategy.

  • Duqu: As per Symantec, Duqu “seems to be the precursor to a future, Stuxnet-like attack. Parts of Duqu are nearly identical to Stuxnet, but its sole purpose is to gather intelligence which could be used to give attackers the insight they need to mount future attacks. Duqu is not widespread, but it is highly targeted, and its targets include suppliers to industrial facilities.” [6]
  • Flame: Also known as SkyWiper, a large malware of ~20MB in size with a number of components, primarily for espionage and intelligence gathering uses exploits similar to ones used by STUXNET [7]. Although there are differing opinions about its similarities/links to STUXNET.

Variations of the STUXNET available online for any interested hacker/cracker/attackers to modify and use for their own agenda. Detailed analysis available from various security companies and experts may also provide details of STUXNET to anyone with malicious intent to recreate such malware.

Pandora’s Box….

The Stuxnet targeted a specific software and hardware; Siemens PLC and associated software. With sufficient mal-intent and resources, such threats could be mounted against similar industrial control systems or other computerized systems that are part of our daily life. Possibility to target any kind of software intensive system cannot be ruled out in this scenario.

If newer malware can have the level of complexity and precision targeting that STUXNET is attributed to have, a number of industries, facilities and economic systems could be targeted.

Some of the potential targets are Utilities such as water, electric, transportation system, Refineries, medical, food processing, large plants, manufacturing industries, oil pipelines, etc..

Whether the handiwork of terrorist groups or adversary states; the cyber security threat is significantly higher than before.


While the STUXNET’s purpose was allegedly to halt or delay Iran’s nuclear program only, improvised variants of the same could be used for:

1. Espionage

2. Cybercrime

3. Destruction of specific facilities or targets

4. Control

Hard Questions…..


1. Identifying the facilities and systems that are vulnerable

2. Drafting strategies to counter the threat

Private organizations:

Companies whose manufacturing systems use such control components need to figure out ways to secure and reduce threat to their operations.

Companies developing and deploying such control systems need to identify all such vulnerabilities in the software and hardware components that they sell.

Companies specializing in security and threat monitoring need to widen their scope of operations to include PLCs, SCADA, portable smart devices, etc.


1. Identifying the level of security that is sufficient to protect a given system is extremely hard given the nature of attacks that are devised.

2. Integration of handheld and mobile devices into control and IT infrastructure poses new challenges to companies that may use remote monitoring of machinery/processes.

3. A lot of control systems are what are popularly known as embedded systems. These systems essentially work on very stringent memory/power/price constraints.  These factors make it hard for the developing companies to add significant amount of security on these devices. Therefore the motivation to implement good security measures is low.

4. Financial and resource burden prevent companies from over-hauling security aspects of devices/software until it becomes mandatory or regulated.

5. Companies have to find effective ways to deal with INSIDER threats. Creation of STUXNET would not have been possible without insider involvement and highly detailed and confidential information specific to the targeted products.

The intentions or the identity of the creators of STUXNET may never be fully known. But it is going to be very hard for the world to successfully plug the vulnerabilities and weaknesses that it has exposed.









Process Control PC Security

7 04 2012


Manufacturing plants use two main types of devices to control process: programmable logical controllers (PLCs) and personal computers (PCs).   For this discussion, I will focus on PCs with Microsoft operating systems as PLCs are yet to be heavily targeted by Malware.  PCLs have been targeted but only by a few attacks such as the Stuxnet worm which was considered “groundbreaking” because of its sophisication1.   Meanwhile, the PCs are vulnerable to the same types of attacks that any PC is.  What most people do not realize is there are hundreds of PCs in a large manufacturing plant scheduling lines, gaging parts, controlling robots, and providing many other critical services.  Without these PCs most plants would stop production.

What’s the problem?

Having hundreds of PCs doesn’t seem like much of a problem until you consider the fact that the software running on these PCs is very complicated and often written for a dedicated purpose.   Therefore, the PCs can easily fail if they are subject to changes such as OS patches.   Combine this with the fact that many of these machines aren’t refreshed in a consistent manner and you end up with a large security problem.  You have PCs that cannot be patched because they have an out of date OS (95, 98, 2000, NT, etc.) and others that need to go through a time intensive process of thoroughly testing any patches before they can be deployed.

Alternative security methods

The best way to keep these PCs secure is to ensure timely OS system patching and virus protection updates but if that is not possible due to the issues above, you need to do the best you can and those solutions fit into a few broad categories:

  1. Software that locks down the PC so only authorized programs can execute (Whitelisting)
  2. Remove from network and disable other inputs (e.g. USB)
  3. Isolate the PCs using network access control lists and disable other inputs
  4. Change the operating system to one with a smaller threat footprint (e.g. CE, Linux)

Locking down the PCs with a whitelisting product makes a lot of sense in the manufacturing environment as you can install and enable the product then never touch the machine again.  If in the future, the PC needs to update functionality you can uninstall the product, remove from the network, run virus protection on it, complete the updates, then re-enable the whitelisting software and have little fear that your PC will be infected by Malware.   There are drawbacks: malware can still reside on the PCs but can’t execute so you have to be careful when the software is turned off, malware can become part of the whitelist if the user allows it, and the user needs to exercise the PC well to ensure no executable are missed while building the whitelist.  Still, this is a good choice if the PC rarely gets updated and needs to retain communication to other devices.

Removing a device from the network eliminates the most used path to infection and eliminating or highly regulating use of other input devices like USB brings the chance of infection to near zero.   But removing the PC from the network limits the use of this approach as PCs are generally used to gather data and report out on operational status of the manufacturing device they are attached to.  Also, blocking use of other devices (e.g. USB) severely limits the use of data produced by the machine.  Therefore, this method is good only for devices that can’t be whitelisted and don’t need to communicate to other devices.

Isolation through network access control lists is similar to removal from the network but allows the PCs to communicate to a defined group of devices.  This is of course is less secure than the removal technique as malware could infect the PC via a “trusted” device or a device acting as a trusted device.   Therefore, this is a good choice for PCs that can’t be whitelist and need to communicate to a few other definable devices.

In some cases, the PC can be converted to run on an operating system that is considered to be less of a threat such as Linux or Windows CE.  This is generally very hard to do with legacy equipment and costly as the original vendor for the software will usually have to make code changes.  For new PCs, this can be a good route to take in order to avoid malware or patching consequences.  That said, all operating systems can be attacked by malware, this choice just significantly reduces that threat.


Vendors and equipment purchasers have begun to realize the threat posed by malware to their PC based process control devices.  As they have made this realization, new devices have begun to arrive in manufacturing facilities they are more manageable and less of a threat.  But, there are huge numbers of legacy PC devices that need to be protected.  The list above is not complete and none of the methods are foolproof but it’s a solid start for anyone dealing with this problem to look at it.



Advanced Persistent Threats

9 02 2012

Over the past few years, the term “Advanced Persistent Threat” (APT) has received increased attention in the Information Security world, particularly in the wake of sophisticated attacks on RSA and Google. Despite this increased attention, there remains considerable debate over what exactly constitutes an APT. This discussion will provide better understanding of the topic as well as considerations for countering the threat.

Definitions for Advanced Persistent Threat are not universally accepted, ranging from a category of attack to a type of attacker. To better understand the term, I will break down its components and incorporate additional, distinguishing criteria to establish a unique definition. From ZScaler’s whitepaper on the topic:
Advanced means the adversary can operate in the full spectrum of computer intrusion”. [1] This includes simple, widely available exploits against well-known vulnerabilities to researching new vulnerabilities and developing custom exploits;
Persistent means the adversary is formally tasked to accomplish a mission”. [1] The adversary conducts a deliberate campaign and covertly maintains interaction with the compromised system as required to achieve mission objectives;
Threat implies that the adversary is not a mindless piece of code” [1] but rather constitutes individuals or groups that are “organized, funded, and motivated”. [1]
In terms of capability, an APT “represents well-resourced and trained adversaries” [2] implying a level of “state sponsorship” [3] as part of a wider national cyber attack and exploitation program. Attacks by these adversaries are aimed at stealing information to gain specific political, economic, or military advantage for their sponsor, thus differentiating them from criminal, hacktavist, or other cyber threats. Their campaigns evolve based on collected intelligence; after the initial intrusion, different payloads can be added as required to gather different types of information or to inform future attacks on the compromised system or other targets. [4]

Example of an APT-style Attack
Adversaries are continuing to focus more on “targeting vulnerable people (using social engineering) more often than they target vulnerable systems”. [4] A typical attack might be conducted in accordance with the following pattern:
The adversary conducts reconnaissance to identify targets and means of accessing them. The attacker then sends the target malicious emails whose contents are geared to pose some relevance to recent business activities and would appear, at first glance, to come from a trusted sender. Once opened, an attachment will deliver the exploit, which enables the initial foothold in the network. From there, multiple, hidden backdoors are established, additional credentials and privileges are gained, and the attacker then begins lateral exploitation and exfiltration of target data. [3]
The attacker will continue to remotely access the compromised system, hiding data exfiltration and C2 using camouflaged Windows Processes, SSL traffic to normal web services, or other means. [4]

Countering the APT
As Mandiant notes, in a study of malware samples associated with APT intrusions only 24% were detected by common Anti-virus solutions [3] making conventional approaches using AV, NIDS, NIPS, etc particularly vulnerable to this type of threat. They further argue that conventional methods must be coupled with rapid threat detection, analysis, and response capabilities using specialized tools to identify the Tactics, Techniques, and Procedures (TTPs) of the APT. Defenders must be specially trained to identify and analyze “indicators of compromise”, require total visibility of across the enterprise, and are enabled by actionable threat intelligence. [4]
Hutchins et al, of Lockheed Martin, take a similar stance, but emphasize the use of threat intelligence to inform the defender’s mitigation tactics at various stages of the “kill chain” [2], broken down as follows:
Reconnaissance: Identification and research on targets;
Weaponization: Coupling remote access Trojans with exploits into a deliverable payload;
Delivery: Transmission of the weapon to the target (i.e. via email or website);
Exploitation: Triggering of the attacker’s code;
Installation: Installation of remote access Trojans and other backdoors;
C2: “Hands on keyboard” access inside target environment using installed payloads;
Actions on Objective: Exfiltration of data and lateral movement within target network. [2]
After an attack, the effectiveness of defensive actions are assessed and indicators at all phases, including ‘what if’ scenarios, are collected to gather further understanding of the attacker’s future actions. The goal is to couple skilled defenders with the right information to quickly identify attacks and attempt to mitigate them before intrusion, if possible. It also capitalizes on the adversary’s reuse of certain TTPs across the kill chain, forcing them to constantly improve their techniques and thus increase the cost of a successful attack / campaign. [2]
As always, despite novel approaches to network defence and a better understanding of the threat, people will remain vulnerable to social engineering attacks and bad habits.  Continued user education and due diligence will remain a necessity.

APTs will continue to threaten sensitive information of national importance. Effective intelligence will be instrumental to understanding the evolving TTPs of this sophisticated foe and to develop novel and effective countermeasures.  This does bear a few questions, however: Given the reticence to divulge information on compromises, what is the best way for governments and industry to share intelligence? Should disclosure be required legally? Should governments play a more active role in helping industry counter APTs? These are tough questions, but at the very least, understanding that we are targets of this activity and that action is required is the first step to protecting ourselves.

[1] Author Unknown (2011). Whitepaper: Alleged APT Intrusion Set: “1.php” Group [Online]. ZScaler ThreatLab. Available:
[2] Eric M. Hutchins et al (2011). Intelligence Driven Computer Network Defence Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains [Online]. Available:
[3] Author Unknown (2010). M Trends: The Advanced Persistent Threat [Online]. Mandiant. Available:
[4] Author Unknown (2011). M Trends: When Prevention Fails [Online]. Mandiant. Available: