Advanced volatile threat: New name for old malware technique?

There is something worse than advanced persistent threats (APT) out there -- a stealthier attack vector called advanced volatile threats (AVT), says one security company.

But several other security experts said while any kind of successful attack technique is a concern, AVT is just a new name for an old problem.

APTs have been on the lips of everybody in the security community and beyond this week, following the release of Mandiant's 60-page report documenting the name and location of what they said has been one of the most active APT groups in China at least since 2006.

But security startup Triumfant said this week that a newer, stealthier and more damaging threat is being used by sophisticated nation states like China, Iran and Russia for cyberespionage. "The Chinese are just getting started," Triumfant president and CEO John Prisco said after the release of the Mandiant report.

"We have become familiar with the term Advanced Persistent Threat or APT," he said. "Get ready to know a new and more devastating attack -- the AVT or advanced volatile threat," he said.

"[AVTs are] the drive-by shooting equivalent of a persistent cyberattack," Prisco said. "It is an attack in volatile memory that wipes its 'fingerprints' before leaving and after it has stolen your intellectual property."

And they could be the start of something bigger. Prisco told CSO Online Thursday that while AVTs are primarily used for espionage, to steal classified information and intellectual property, they could lead to actual war. "AVTs are the equivalent of the military adding a stealth aircraft to the battlefield," he said. "The long-term result of AVTs and similarly devastating attacks is that we could eventually see some form of kinetic response from the U.S. government, especially with critical infrastructure attacks."

He said nobody knows how pervasive AVTs are yet, but estimated their use at around 10%, because so far, "hackers can easily infiltrate a system without having to use an AVT -- the APTs are working just fine."


But Wade Williamson, a senior security analyst at Palo Alto Networks, said what Triumfant calls AVT is just one of the many techniques malware uses to avoid analysis, as opposed to some new class of malware. "Papers have been presented for years showing malware that never has to call anything from disk or is never resident on disk," he said.

Kevin McAleavey, cofounder and chief architect of the KNOS Project, called AVT a redefinition of the well-known term, memory resident virus. "The first memory resident virus was known as Lehigh, which made the rounds in 1987," he said.

McAleavey agreed that malware that is not persistent is tricky to spot. "Traditional antivirus solutions depend on the presence of a file existing - that's what they detect and look for, attempting to intervene in the completion of that file being loaded into memory and run as a program," he said. "No file, no detection."

Williamson cautioned that the term AVT could be misleading. "It is obviously a play on the term APT, but the fact that it only lives in memory and never touches disk means that it is a very different type of threat," he said, noting that it can only steal information when the computer is running, and the exposure ends when the user shuts down the machine.

"This is almost the exact opposite of APTs which are designed to be low and slow and persist in a network for an extended period of time," he said. "For example, Mandiant saw most attacks lasting for 356 days -- these volatile attacks would be limited to part of one day in most cases."

Prisco said he has stressed that difference, arguing that it is one of the things that makes AVTs so dangerous and difficult to track or defeat. "An AVT comes in, exfiltrates the data it's looking for and then immediately wipes its 'hands' clean leaving no trace behind as the computer is shut down," he said.

And he said that while attacks that live in memory are not new, the industry is not very good at detecting them in the memory. "Everything about the AVT shouts out real time -- you have to be able to catch it in the act red-handed," he said. "If you don't, you've already lost."

Prisco said the only way to deal with AVTs is with anomaly-based detection tools that live on the individual computer, which his company offers.

"It's not a matter of if you'll be breached, but when," he said. "You have to have a tool that is able to engage in hand-to-hand combat with the hacker [or] malware. The only way to do this is to be on the same battlefield as the attacker -- the computer."

McAleavey said it has long been a best practice to have tools that scan memory, and not just the file system. He said an antimalware solution he was involved with creating in 1999 called BOClean, after an exploit called Back Orifice II, was designed to do that.

"All malware exists in memory, whether or not it starts from a file, and monitoring memory assured that we would always catch such malware no matter what its origin," he said. "So, there's nothing new here to me."
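The point McAleavey and Prisco both make, that a scanner which only hashes files on disk has nothing to look at when the running image is not backed by a file, can be shown with a small defender-side check. The following is an added example written for this page; it is not code from the article, from Triumfant or from BOClean. It assumes Linux semantics for `/proc/<pid>/exe`: the kernel exposes a symlink to the running image, and for a process started from an anonymous memory file (`memfd`) or whose binary was unlinked after launch the link target ends in ` (deleted)`, which is exactly the "no file" case the article describes. The `SAMPLE_EXE_LINKS` table is constructed, not real telemetry; `scan_proc` does the same classification against the live system when run on Linux.

```python
"""Flag running processes whose executable image has no backing file on disk.

Added illustration, not the article's or any vendor's code. On Linux,
/proc/<pid>/exe is a symlink to the image a process is executing. Targets like
'/memfd:name (deleted)' or '/tmp/x (deleted)' mean a purely file-based scanner
has nothing to hash, while a memory-aware check still sees the process.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Readlink targets that indicate the image exists only in memory.
_DELETED = re.compile(r" \(deleted\)$")
_MEMFD = re.compile(r"^/memfd:")


@dataclass(frozen=True)
class Finding:
    pid: int
    exe: str      # raw readlink target as /proc reported it
    reason: str   # why a file-only scanner would miss it


def classify_exe_target(pid: int, target: str) -> Optional[Finding]:
    """Return a Finding if the exe link has no on-disk backing file, else None."""
    if _MEMFD.match(target):
        return Finding(pid, target, "memfd-backed image (memory-only executable)")
    if _DELETED.search(target):
        return Finding(pid, target, "executable unlinked after start")
    return None


def scan_proc(proc_root: str = "/proc") -> List[Finding]:
    """Classify every readable /proc/<pid>/exe link (Linux only, best effort)."""
    findings: List[Finding] = []
    if not os.path.isdir(proc_root):
        return findings  # not Linux, or procfs not mounted
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue  # kernel thread, exited process, or no permission
        found = classify_exe_target(int(entry), target)
        if found:
            findings.append(found)
    return findings


# Constructed sample (pid, readlink target) pairs, in the form /proc reports them.
SAMPLE_EXE_LINKS: Sequence[Tuple[int, str]] = (
    (1, "/usr/lib/systemd/systemd"),
    (4242, "/memfd:kernel_helper (deleted)"),
    (4300, "/tmp/.staging/update (deleted)"),
    (4311, "/usr/bin/python3.11"),
)


def scan_sample(links: Sequence[Tuple[int, str]] = SAMPLE_EXE_LINKS) -> List[Finding]:
    """Run the classifier over the constructed sample; used for the demo and tests."""
    results: List[Finding] = []
    for pid, target in links:
        found = classify_exe_target(pid, target)
        if found:
            results.append(found)
    return results


if __name__ == "__main__":
    for f in scan_sample() + scan_proc():
        print(f"pid {f.pid}: {f.exe} -> {f.reason}")
```

The check is deliberately narrow: it reports why a disk-centric control is blind to a process, which is the gap the article turns on, and leaves the judgement of whether a given memory-only process is legitimate (some loaders and sandboxes use `memfd` routinely) to an analyst or to the anomaly baseline the article's sources describe.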

Stories by Taylor Armerding

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place