Advanced volatile threat: New name for old malware technique?

Taylor Armerding | Feb. 22, 2013
AVTs are not widespread -- yet -- because 'APTs are working just fine,' says Triumfant CEO. But they could one day start a cyberwar, he said

There is something worse than advanced persistent threats (APT) out there -- a stealthier attack vector called advanced volatile threats (AVT), says one security company.

But several other security experts said while any kind of successful attack technique is a concern, AVT is just a new name for an old problem.

APTs have been on the lips of everybody in the security community and beyond this week, following the release of Mandiant's 60-page report documenting the name and location of what they said has been one of the most active APT groups in China at least since 2006.

But security startup Triumfant said this week that a newer, stealthier and more damaging threat is being used by sophisticated nation states like China, Iran and Russia for cyberespionage. "The Chinese are just getting started," Triumfant president and CEO John Prisco said after the release of the Mandiant report.

"We have become familiar with the term Advanced Persistent Threat or APT," he said. "Get ready to know a new and more devastating attack -- the AVT or advanced volatile threat."

"[AVTs are] the drive-by shooting equivalent of a persistent cyberattack," Prisco said. "It is an attack in volatile memory that wipes its 'fingerprints' before leaving and after it has stolen your intellectual property."

And they could be the start of something bigger. Prisco told CSO Online Thursday that while AVTs are primarily used for espionage, to steal classified information and intellectual property, they could lead to actual war. "AVTs are the equivalent of the military adding a stealth aircraft to the battlefield," he said. "The long-term result of AVTs and similarly devastating attacks is that we could eventually see some form of kinetic response from the U.S. government, especially with critical infrastructure attacks."

He said nobody knows how pervasive AVTs are yet, but estimated their use at around 10%, because so far, "hackers can easily infiltrate a system without having to use an AVT -- the APTs are working just fine."

But Wade Williamson, a senior security analyst at Palo Alto Networks, said what Triumfant calls AVT is just one of the many techniques malware uses to avoid analysis, as opposed to some new class of malware. "Papers have been presented for years showing malware that never has to call anything from disk or is never resident on disk," he said.

Kevin McAleavey, cofounder and chief architect of the KNOS Project, called AVT a redefinition of the well-known term, memory resident virus. "The first memory resident virus was known as Lehigh, which made the rounds in 1987," he said.

McAleavey agreed that malware that is not persistent is tricky to spot. "Traditional antivirus solutions depend on the presence of a file existing -- that's what they detect and look for, attempting to intervene in the completion of that file being loaded into memory and run as a program," he said. "No file, no detection."
