Advanced volatile threat: New name for old malware technique?

Taylor Armerding | Feb. 22, 2013
AVTs are not widespread -- yet -- because 'APTs are working just fine,' says Triumfant CEO. But they could one day start a cyberwar, he said

Williamson cautioned that the term AVT could be misleading. "It is obviously a play on the term APT, but the fact that it only lives in memory and never touches disk means that it is a very different type of threat," he said, noting that it can only steal information when the computer is running, and the exposure ends when the user shuts down the machine.

"This is almost the exact opposite of APTs, which are designed to be low and slow and persist in a network for an extended period of time," he said. "For example, Mandiant saw most attacks lasting for 356 days -- these volatile attacks would be limited to part of one day in most cases."

Prisco said he has stressed that difference, arguing that it is one of the things that makes AVTs so dangerous and difficult to track or defeat. "An AVT comes in, exfiltrates the data it's looking for and then immediately wipes its 'hands' clean leaving no trace behind as the computer is shut down," he said.

And he said that while attacks that live in memory are not new, the industry is not very good at detecting them in the memory. "Everything about the AVT shouts out real time -- you have to be able to catch it in the act red-handed," he said. "If you don't, you've already lost."

Prisco said the only way to deal with AVTs is with anomaly-based detection tools that live on the individual computer, which his company offers.

"It's not a matter of if you'll be breached, but when," he said. "You have to have a tool that is able to engage in hand-to-hand combat with the hacker [or] malware. The only way to do this is to be on the same battlefield as the attacker -- the computer."

McAleavey said it has long been a best practice to have tools that scan memory, and not just the file system. He said an antimalware solution he was involved with creating in 1999 called BOClean, after an exploit called Back Orifice II, was designed to do that.

"All malware exists in memory, whether or not it starts from a file, and monitoring memory assured that we would always catch such malware no matter what its origin," he said. "So, there's nothing new here to me."
