APT and Rootkit Detection

In computer security, there are many threats and vulnerabilities that we prefer to ignore because the challenge of dealing with them can seem overwhelming. Challenges like:

• Unwary users vulnerable to social engineering;
• Deploying patches and virus signatures across the entire environment;
• Securing systems between vulnerability disclosures and security updates;
• USB sticks or other physical(portable) media as an infection vector;
• Evil Maid attacks: physical access to computers;

Advanced Persistent Threats (APTs) – a primer

In 2010, the Operation Aurora attack on Google put the spotlight on APTs: sophisticated and state-sponsored intelligence gathering. This category of malware is every CSO’s worst nightmare: software running silently on targeted systems, exfiltrating highly confidential documents. APTs can remain undetected for months or years (eight months in Google’s case) and it is often next to impossible to track down the attacker.
Other advanced threats:

Metasploit/Meterpreter
Metasploit is an open-source penetration testing framework used by both good and bad hackers. It is simple to install and use. Among its interesting features, one enables hackers to compromise a system’s security without a single file written to disk, making detection by traditional anti-virus even more difficult. Typically, the Metasploit payload (i.e. Meterpreter) is injected in a trusted process — such as Internet Explorer or Acrobat Reader — and connects back to the attacker using standard communication protocols. Using live memory analysis, ECAT is able to locate traces left by Metasploit payloads and flag the system as being compromised.

StuxNet
The StuxNet malware discovered in July 2010 highlighted the threat of corporate espionage and the attackers’ desire to access critical infrastructure (SCADA) applications. Infected systems remained undetected for weeks before antivirus and other signature-based detection systems could detect it. More details about StuxNet can be found on our Stuxnet write up or in this article here .

Mebroot
Mebroot is an advanced rootkit. It has many features and techniques to bypass antivirus, making it very hard to detect by standard means. Once installed, it is invisible to the user: no running process, no files.
Without using signatures, ECAT can quickly identify systems infected with Mebroot and flag them as compromised by looking for internal structures and system anomalies.

For more information on ECAT and how ECAT can detect compromised systems in your environment,contact us for a demonstration or evaluation or download our whitepaper.