The recent rise in targeted attacks has led many IT security chiefs to cite Advanced Persistent Threats (APTs) as their biggest headache in 2013.
With attacks directed at energy companies, government agencies and the likes of Google and Adobe, APTs are causing a lot of damage: valuable commercial secrets are stolen, sensitive government information is leaked, and sometimes industrial-scale havoc is wreaked. Victims are reluctant to admit they have been hacked, which shields the attackers, who are themselves motivated by political leverage or monetary gain. And the odds favour them: advanced persistent attacks routinely bypass traditional defences.
What is particularly noteworthy about APTs is how many of them rest on memory exploitation. Over the past 25 years, of the roughly 54,000 software vulnerabilities given a CVSS rating, about 14 per cent were memory-corruption flaws. Memory injection is popular with attackers because it is hard to see. Take the 'Skape/JT' technique, published in 2004: it loaded a library straight from a memory buffer, so the dynamic-link library (DLL) was never written to disk and file-based scanners never saw it. It still leaned on the operating system's own loader to do the work, however. Attacks grew more sophisticated over the years, and along came reflective memory injection. Here the DLL is copied into the target process's memory and loads itself: it parses its own headers, relocates itself and resolves its imports instead of asking the OS loader (LoadLibrary) to do so, which is why the technique is called 'reflective'. Because no file is ever read and the module never appears in the process's loaded-module list, it is not stopped by traditional anti-virus and application control products.
Unfortunately, reflective memory injection is gaining ground among attackers, as readers of Russian news sites including RIA Novosti and Gazeta.ru (www.gazeta.ru) found out to their detriment. In that attack the malware was not hosted on the news site itself; it was served to visitors through banners displayed by a third-party advertising network. It lived only in the computer's memory and created no files on the drive. In some cases the in-memory code went on to install an online banking Trojan horse on the compromised computers. The danger with memory injection is that once the code is running inside a legitimate, already-trusted process, the system sees only that trusted process: file-based detection has nothing to scan, and the injected code inherits the host's privileges, so it is much harder to detect and can be used to do pretty much anything.
While sophisticated memory injections have been notoriously difficult to detect, they can be halted by patented technology that monitors an endpoint's memory address space and the associated processes for distinct evidence of exploitation: an executable library image sitting in memory that no file on disk backs. If one is found, an event is generated and the process hosting the injected code is terminated. But that is just one opportunity to halt the malware. Memory injection is typically the second step of an attack, used to gain a foothold once a buffer overflow or similar memory-corruption bug has handed the attacker control of execution. The attack can therefore be thwarted at four different stages. The first is to eliminate the vulnerability through patching; if that opportunity is missed, the organisation can still defend the buffer (exploit mitigations such as DEP and ASLR), stop the injection (memory monitoring) or stop the payload executing once it is dropped to disk (application control and anti-virus). To have any real chance of stopping an attack in its tracks, these technologies need to work in tandem, spanning patch and remediation management, application control and anti-virus. It is simply not enough to rely on catching the really tricky malware at one particular point in time.
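As an added illustration of the memory check described above (this is example code written for this page, not Lumension's product logic and not from the original article): walk a snapshot of a process's memory regions and flag any executable region that holds a PE image but is not backed by a file on disk, which is exactly the trace a reflectively loaded DLL leaves behind. The region model (protection bits, image versus private memory) mirrors what Windows reports through VirtualQueryEx, but the code is portable C run over a constructed four-region snapshot; the region names, addresses and the PROT_/TYPE_ constants are this example's own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Region flags. They mirror what Windows reports via VirtualQueryEx
 * (PAGE_EXECUTE*, MEM_IMAGE / MEM_MAPPED / MEM_PRIVATE) but are defined here
 * so the example stays portable; the numeric values are this example's own. */
enum { PROT_R = 1, PROT_W = 2, PROT_X = 4 };
enum { TYPE_IMAGE = 1, TYPE_MAPPED = 2, TYPE_PRIVATE = 3 };

typedef struct {
    uintptr_t      base;   /* start address of the region in the target process */
    const uint8_t *data;   /* snapshot of the region's bytes (ReadProcessMemory in practice) */
    size_t         size;
    unsigned       prot;   /* PROT_* bits */
    unsigned       type;   /* TYPE_IMAGE = backed by an on-disk PE, mapped by the OS loader */
} region_t;

typedef enum {
    VERDICT_CLEAN = 0,
    VERDICT_INJECTED_PE = 1,    /* PE image in memory with no file behind it */
    VERDICT_SUSPICIOUS_RWX = 2  /* weaker signal: private memory that is writable and executable */
} verdict_t;

/* Minimal PE sniff: 'MZ' DOS header whose e_lfanew points at a 'PE\0\0' signature
 * inside the region. Bounds are checked so a hostile e_lfanew cannot read past the snapshot. */
int looks_like_pe(const uint8_t *p, size_t n)
{
    if (n < 0x40 || p[0] != 'M' || p[1] != 'Z')
        return 0;
    uint32_t e_lfanew = (uint32_t)p[0x3c] | ((uint32_t)p[0x3d] << 8)
                      | ((uint32_t)p[0x3e] << 16) | ((uint32_t)p[0x3f] << 24);
    if (e_lfanew < 0x40 || e_lfanew > n - 4)
        return 0;
    return memcmp(p + e_lfanew, "PE\0\0", 4) == 0;
}

verdict_t classify_region(const region_t *r)
{
    if (!(r->prot & PROT_X))
        return VERDICT_CLEAN;           /* DEP: non-executable memory cannot host running code */
    if (r->type == TYPE_IMAGE)
        return VERDICT_CLEAN;           /* file-backed module: loaded by the OS loader, visible to AV */
    if (looks_like_pe(r->data, r->size))
        return VERDICT_INJECTED_PE;     /* a DLL that exists only in memory */
    if ((r->prot & (PROT_R | PROT_W | PROT_X)) == (PROT_R | PROT_W | PROT_X))
        return VERDICT_SUSPICIOUS_RWX;  /* loaders that wipe their headers still need RWX; so do JITs */
    return VERDICT_CLEAN;
}

/* --- constructed sample snapshot (not captured from any real process) --- */
static uint8_t g_system_dll[0x200];   /* legitimate, file-backed system DLL */
static uint8_t g_reflective[0x200];   /* reflectively loaded DLL in private RWX memory */
static uint8_t g_jit_heap[0x200];     /* JIT code cache: RWX but no PE header */
static uint8_t g_stack[0x200];        /* ordinary RW stack */

void make_pe_header(uint8_t *buf, size_t n)
{
    memset(buf, 0, n);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3c] = 0x80;                   /* e_lfanew = 0x80, little-endian, as in a real PE */
    memcpy(buf + 0x80, "PE\0\0", 4);
}

size_t build_sample_regions(region_t *out, size_t max)
{
    if (max < 4) return 0;
    make_pe_header(g_system_dll, sizeof g_system_dll);
    make_pe_header(g_reflective, sizeof g_reflective);
    memset(g_jit_heap, 0xcc, sizeof g_jit_heap);   /* int3 filler, no header */
    memset(g_stack, 0, sizeof g_stack);
    out[0] = (region_t){ 0x7ffc0000, g_system_dll, sizeof g_system_dll, PROT_R | PROT_X, TYPE_IMAGE };
    out[1] = (region_t){ 0x02a10000, g_reflective, sizeof g_reflective, PROT_R | PROT_W | PROT_X, TYPE_PRIVATE };
    out[2] = (region_t){ 0x03000000, g_jit_heap, sizeof g_jit_heap, PROT_R | PROT_W | PROT_X, TYPE_PRIVATE };
    out[3] = (region_t){ 0x0012f000, g_stack, sizeof g_stack, PROT_R | PROT_W, TYPE_PRIVATE };
    return 4;
}

/* Walk the snapshot, report each region, and return how many hold an unbacked PE image. */
int scan_snapshot(const region_t *regs, size_t n)
{
    static const char *names[] = { "clean", "INJECTED PE (terminate host process)", "suspicious RWX" };
    int injected = 0;
    for (size_t i = 0; i < n; i++) {
        verdict_t v = classify_region(&regs[i]);
        printf("base=0x%08lx prot=%c%c%c %s -> %s\n", (unsigned long)regs[i].base,
               (regs[i].prot & PROT_R) ? 'r' : '-', (regs[i].prot & PROT_W) ? 'w' : '-',
               (regs[i].prot & PROT_X) ? 'x' : '-',
               regs[i].type == TYPE_IMAGE ? "file-backed" : "not file-backed", names[v]);
        if (v == VERDICT_INJECTED_PE) injected++;
    }
    return injected;
}

int run_demo(void)
{
    region_t regs[4];
    size_t n = build_sample_regions(regs, 4);
    return scan_snapshot(regs, n);
}

int main(void)
{
    return run_demo() == 1 ? 0 : 1;   /* exactly one injected image in the sample */
}
```

The sample shows both sides of the trade-off the article hints at: the file-backed system DLL and the stack pass, the reflectively loaded image is caught by its headers alone, and the JIT cache lands in the weaker "suspicious RWX" bucket because a loader that wipes its MZ/PE headers after loading leaves only the memory protections as evidence, which legitimate JIT engines share. Real products therefore combine this kind of scan with hooks on allocation, protection changes and remote thread creation rather than relying on a periodic sweep alone.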
Alan Bentley is SVP worldwide at Lumension