Cyber Espionage: Welcome to APT
© 2011 FrontLine Security (Vol 6, No 3)

Consider yourself forewarned
Cyber espionage is no longer the stuff of cyberpunk.

We have to learn to live in a world where science fiction has become reality. If we look at the illicit computer activity coming from China or the RBN (Russian Business Network), it is clear that this is a worldwide phenomenon and that we are dealing with professional, highly skilled organizations. Closer to home, the media recently reported on the massive amount of data stolen from the U.S. government and released through WikiLeaks, the infiltration and sabotage of an Iranian nuclear plant using the Stuxnet computer worm, and the Operation Aurora cyber attack on a number of companies, including Google. A computer security provider for the U.S. government was even hit by the collective calling itself Anonymous, which leaked many of its corporate secrets. These are all different aspects of cyber espionage.

As 2012 draws near, these cyber attacks and malicious software are no longer aimed simply at computer system vandalism. This new generation of “malware” is very stealthy and almost undetectable by conventional means. These applications are designed to take control of computer systems, collect data, and send it back to a source, acting as digital spies invisible to traditional antivirus programs. To fool the system, mask their presence, and remain hidden from standard detection and prevention tools, they use rootkits in user mode or kernel mode. They take advantage of undocumented processes in the Windows operating system and use a variety of cloaking methods to hide inside legitimate applications. Traditional antivirus programs can’t detect them, because they leave no signature. In other words, they leave no trace of corrupt files on hard drives because they reside in the RAM and hide in valid processes that are approved and authorized by the applications and operating system. They are known as advanced persistent threats or APTs.

We still need to use traditional tools, but they have revealed their limits on a number of fronts. To protect our data, we must therefore develop a new defense plan. A new approach to computer security is required; consider the following:

Theory: The system is already corrupt.

A number of assumptions stem from this theory:

  • We can’t trust the integrity of the operating system (i.e., Windows) as its processes are functional but will be compromised or hijacked for malicious use.
  • The malware is undetectable to conventional antivirus applications, which rely on the already compromised operating system and authorize infected system components in order to run.
  • The malware has already bypassed other methods of detection and the antivirus program by placing itself on the list of authorized programs, making it invisible.

This theory and these assumptions are not science fiction. This is the real world of 2011. So how can we detect and eliminate these invisible digital spies? The solution lies in analyzing their behaviour. To be active, any code, whether it is malicious or not, must reside in the RAM. No matter what ruse it uses to disguise itself, it can only be active and effective when it is loaded into the memory.

Let’s approach this like any good police detective, using proven investigation methods:

  1. Observe and analyze the suspicious components.
  2. Challenge your own assumptions.
  3. Check the source of any claim from a third party.
  4. Validate your sources.
  5. Corroborate the facts from various sources and come to your own conclusions.
  6. Trust your own judgment, experience, and expertise.

In concrete terms, it is possible to combine a number of technological approaches – like real-time memory analysis, advanced rootkit detection, code and internal structure integrity verification (System Service Dispatch Table, Import Address Table/Export Address Table, Interrupt Dispatch Table, etc.), process monitoring, and anomaly detection – with more traditional approaches like antivirus signatures and reputation validation in correlation with the environment.

A job this extensive requires custom-made tools with very low-level operating capacities and the ability to insert themselves where the rootkit might have set its hook. This type of program needs its own drivers to avoid having to rely on potentially corrupted components. It needs its own hardened and protected communication channels. All this is to provide results regarding the level of system corruption, but only once the program has checked its own integrity through a number of independent mechanisms. It also runs routines to validate that the information collected has not been altered in any way whatsoever by a rootkit, just in case the hook has been set even deeper than the detection software. This tailored detection tool will get around the rootkit’s cloaking effects to provide accurate information on the system.

We can study the data compiled by the detection tool and compare it to other sources like the data in the RAM in real time, databases with known file hashes (heuristic approach), a baseline reference known to be clean, data from other scans on certain processes or files, and antivirus signatures. By collecting and correlating all this information, specialized investigators can carry out an analysis to uncover and identify systems that are definitely compromised. If the analysis is inconclusive, investigators can still identify suspicious systems and components and determine their potential threat level. In these cases, when in doubt, it is always better to wipe and reinstall the suspicious system.
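The two preceding passages describe checks (dispatch-table integrity verification, process-view anomaly detection, and corroboration of in-memory hashes against a hash database, a clean baseline and antivirus results) and then a tiering of systems into definitely compromised, suspicious, or clean. The following Python is an added example, not code from the article or from In Fidem, that models that correlation logic on constructed sample evidence: the module address range, the table of pointers, the two process listings, and the hashes are all made up for the example, and the function names are my own. A real tool would obtain these views from its own drivers, as the article describes; here they are plain Python values so the decision logic can run offline.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    """A loaded image: its name and the address range it occupies in memory."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def hooked_entries(table, owners):
    """Dispatch-table integrity check: every entry of a table such as the SSDT
    must resolve into one of the modules allowed to own it. An entry pointing
    elsewhere has been redirected, i.e. hooked."""
    return [(i, addr) for i, addr in enumerate(table)
            if not any(m.contains(addr) for m in owners)]


def hidden_processes(api_view, memory_view):
    """Cross-view anomaly check: processes found by walking memory structures
    directly but missing from the OS-supplied enumeration are being hidden
    from the components a conventional antivirus relies on."""
    return sorted(set(memory_view) - set(api_view))


def classify_module(observed_hash, known_good, baseline_hash, signature_hit):
    """Corroborate one in-memory module against independent sources:
    'compromised' when the sources agree it is bad, 'clean' only when two
    independent sources agree it is good, otherwise 'suspicious'."""
    if signature_hit:
        return "compromised"
    in_hash_db = observed_hash in known_good
    if baseline_hash is not None and observed_hash != baseline_hash and not in_hash_db:
        return "compromised"      # differs from the clean baseline and unknown to the hash database
    if in_hash_db and observed_hash == baseline_hash:
        return "clean"
    return "suspicious"           # only one source vouches for it, or none does


def assess_host(table, owners, api_view, memory_view,
                observed, known_good, baseline, signature_hits):
    """Combine all checks into the article's three tiers for one host."""
    findings = {
        "hooked_entries": hooked_entries(table, owners),
        "hidden_processes": hidden_processes(api_view, memory_view),
        "modules": {name: classify_module(h, known_good, baseline.get(name), name in signature_hits)
                    for name, h in observed.items()},
    }
    verdicts = set(findings["modules"].values())
    if findings["hooked_entries"] or findings["hidden_processes"] or "compromised" in verdicts:
        findings["verdict"] = "compromised"
    elif "suspicious" in verdicts:
        findings["verdict"] = "suspicious"
    else:
        findings["verdict"] = "clean"
    return findings


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- constructed sample evidence (hypothetical addresses and hashes, not a real dump) ---
KERNEL = Module("kernel-image", 0x8040_0000, 0x0040_0000)
SAMPLE_TABLE = [0x8040_1000, 0x8040_2340, 0x8041_0020, 0x9ABC_D000, 0x8043_FF00]
API_VIEW = [4, 120, 388, 1024]             # what the OS enumeration reports
MEMORY_VIEW = [4, 120, 388, 1024, 2048]    # what a direct memory walk finds
KNOWN_GOOD = {sha256(b"auth image v1"), sha256(b"netsvc image v1")}
BASELINE = {"auth.exe": sha256(b"auth image v1"), "netsvc.dll": sha256(b"netsvc image v1")}
OBSERVED = {
    "auth.exe": sha256(b"auth image v1"),              # matches both sources
    "netsvc.dll": sha256(b"netsvc image v1 patched"),  # altered in memory
    "helper.dll": sha256(b"helper image"),             # no baseline, unknown hash
}
SIGNATURE_HITS = set()


def run_sample():
    return assess_host(SAMPLE_TABLE, [KERNEL], API_VIEW, MEMORY_VIEW,
                       OBSERVED, KNOWN_GOOD, BASELINE, SIGNATURE_HITS)


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

The point of the tiering is that a single source never clears a module: `auth.exe` is "clean" only because the hash database and the baseline agree, while `helper.dll`, which no source can vouch for, stays "suspicious" rather than being waved through, which is the outcome the article's "when in doubt" rule is meant to produce.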

Remember that while antivirus software, firewalls, and other means of protection are essential and do protect your data, they also have limits.

When in doubt, ask yourself the following questions:

  • How are my security applications protected from malware?
  • Do my security applications depend on my Windows operating system?
  • How can I know that my security applications themselves are not already compromised when they report that no security threats were detected?

Data protection issues are very real, and cyber espionage is not science fiction! You may have suspected such before reading this article, and I can confirm those feelings as absolutely correct. Fortunately, however, there are ways of detecting and even eliminating cyber espionage.

Loïc Bernard, a Senior Security Consultant at In Fidem, can be reached by email at