Combating Malware and Advanced Persistent Threats

In the past decade, the security industry has seen a constant rise in the volume of malware and the attacks associated with it. Malware is constantly evolving to become more complex and sophisticated. For example,

This blog discusses the changing malware threat landscape, challenges faced by intrusion-prevention systems, and limitations with traditional signature-based detection. We also provide the vision of McAfee Labs regarding effective solutions to combat such advanced threats.


Changes to the Threat Landscape

In the last decade we have seen exponential growth in the number of Internet users worldwide. This expanding base provides a lucrative opportunity for criminal organizations to carry out illicit activities. Compared with earlier malware, which primarily created nuisance attacks, today’s malware is much more focused on both its victims and its goals. Today’s attacks are a major concern for enterprises and organizations. Not only do they risk the loss of intellectual property or data, but any disruption to business continuity can also severely hamper an organization’s productivity and reputation. Protecting networks with a wide variety of Internet-connected devices—desktops, laptops, smart phones, etc.—has become even more of a challenge.

Botnets are the most common form of malware used by cybercriminals to attack enterprises and government organizations worldwide. Botnets, networks of compromised “robot” machines (also known as zombies) under the control of a single botmaster, carry out malicious activities such as launching distributed denial of service (DDoS) attacks on servers, stealing confidential information, installing malicious code, and sending spam emails. Recent examples are Operation Aurora, ShadyRAT, and the DDoS attacks on payment websites in support of WikiLeaks.

Advanced persistent threats, on the other hand, focus on specific targets, such as government organizations, with motives ranging from espionage to disrupting a nation’s core networks, including nuclear, power, and financial infrastructure. Due to the discreet nature of these attacks, they can remain undetected for a long time. Such attacks are also much more complex and sophisticated than other malware. For example, Stuxnet targeted Iranian nuclear facilities, and Flame was used for cyberespionage in Middle Eastern countries.



Given the significance of intellectual property and national secrets, as well as the vast potential for monetary rewards from these advanced attacks and threats, more and more cybercriminals—often well funded by criminal organizations—are drawn to developing malware. Malware authors implement various techniques to make the malware and its communication channels stealthier, avoiding detection by security products on host systems and on the network. Encrypting communications between the host and the control server, using a decentralized network architecture to stay undetected and resilient, using domain- and IP-flux techniques to hide control servers, and obfuscating malicious payloads are some of the techniques widely used by malware today.


Traditional Detection and Its Limits

A signature-based detection mechanism that looks for unique network patterns has been the traditional method employed by security vendors to provide protection against attacks.

This method, though effective for defending against known threats, has limits.

  • It is reactive: To provide coverage, researchers need to monitor and analyze network traffic and reverse-engineer the attack before accurate detection is available
  • It is static: Malicious network patterns observed in previous attacks can change frequently, making existing signatures ineffective at detecting new variants of old threats
  • It cannot react to unknown (such as zero-day) attacks
  • The scope of detection is limited to a single network session; it cannot correlate events across multiple network sessions

These limitations severely cripple traditional signature-based detection in protecting against emerging threats.


McAfee Labs

To win the battle and keep customers protected against emerging threats in the future, security vendors must continue to innovate.

Based on the current challenges to and limitations of signature-based detection, McAfee Labs envisions a dynamic solution that can provide proactive protection against future threats.

Such a solution must:

  • Provide a behavior-based detection framework in addition to the traditional approach
  • Be capable of integrating the various behaviors of the malware/threat lifecycle
  • Have the ability to correlate attacks across multiple network sessions to precisely detect a specific type of threat
  • Have the ability to do event-based correlation across multiple network sessions to detect unknown malware/threats


Such a framework will be aimed not only at detecting known threats but also at providing customers with early warnings of possible infections.

In subsequent blogs, we will talk more about the solution that McAfee Labs believes will be capable of combating malware and advanced persistent threats on our networks.


I would like to thank my colleagues Chong Xu and Ravi Balupari for their contributions to this blog.


Windows 8 Metro Brings New Security Risks

With the upcoming Windows 8, Microsoft hopes to finally make Windows a serious contender in the tablet market and to offer a consistent user experience across all Windows devices. Our examination of prerelease software suggests that Microsoft has achieved much of that ambition. However, the company has also created challenges for users that in some ways may increase their security risks.

In a series of blogs, we will highlight for security professionals and IT administrators the security-related changes to Windows 8 and provide a comparison with industry standards. These blogs will offer our analysis of the prerelease version of Windows 8. With new features added and problems fixed with every build of Windows, this current information may not necessarily represent the final version of Windows 8.

This incarnation of Windows scales from 32- and 64-bit devices (such as desktops) down to ARM-based devices (in tablets, for example). Applications developed with Microsoft’s Metro design language, the Windows Store, and the Microsoft Account will comprise Microsoft’s unified ecosystem. This environment caters to the wide range of platforms that Windows supports without the need for platform-specific code and development experience–while also providing a seamless interface and user experience, in Microsoft’s view.

Enhancements in Windows 8 that are clearly visible to users include Windows Defender, SmartScreen, and a more secure environment for Metro applications. The improvements can be divided into four areas: improvements to Windows antimalware components, declarative resource access, application vetting via the Windows Store, and restrictive resource access for applications. All of these will make the Metro environment significantly safer. At the same time, however, security risks from rogue applications and vulnerabilities in applications that interact with the web and handle user data leave lots of room for exploitation—not to mention ever-present malware on the desktop.

Technically the attack surface in Windows 8 is bigger than in Windows 7 because of various new components and changed processes, especially the Metro interface. Offsetting this are the significant checks and measures put in place as described in this paper.

Windows 8 brings together years of mature and revamped Microsoft technology. The Microsoft Account is essentially the Windows Live ID, the Metro interface supports Windows Phone 7 and the Xbox, and with the Windows Store Microsoft hopes to create an Apple Store-like market to complete the Windows 8 ecosystem.

The Interface

Metro offers a tile-style surface that supports both touch and traditional keyboard and mouse interfaces. The desktop start screen of almost two decades of Windows has now taken a back seat to the Metro start screen, which provides, among other things, “live tiles” that applications can update to show fresh status, giving users an always-connected experience.

The Windows Metro interface uses tiles and supports both touch and keyboard and mouse.

One significant change for the corporate environment is that there is no official way to disable the Metro interface from Windows 8. Another important change for users is that the new interface focuses on an immersive user experience. This means that operating system shell artifacts such as the taskbar or application menus are no longer visible. When a user opens an application, it uses the entire screen, allowing much more space and providing a fully involved experience.

Although it is possible to use the Metro interface with a keyboard and mouse or touchpad, the interface is clearly awkward. The latest releases of the Windows preview show various tweaks that make the usability of this interface more mouse/keyboard friendly, but the advantage of touch over traditional input interfaces in this interface is very apparent. This can possibly open a market for devices that will bridge this gap or create a completely new market for interface devices.

Metro’s weather application uses the entire screen.

Internet Explorer 10

Another big change is that Internet Explorer (IE) 10 is now available in both Metro and desktop modes. This duality has advantages for backward compatibility.

Internet Explorer 10 in Metro mode takes over the screen.

In the Metro interface, IE runs in an immersive mode that provides full use of the screen space. The URL bar also becomes invisible. Here is what this looks like:

Windows 8 Metro Internet Explorer 10 without the address bar.

This is quite different from the regular desktop interface, which looks much like traditional IE:

Internet Explorer 10 in desktop mode looks like a traditional Windows application.

With this immersive interface, users need to expose the address bar before entering any credentials to avoid scams. The next two screens show a live phishing site in the Metro interface followed by the legitimate site:


Hard to tell them apart, isn’t it? Now compare both sites with the address bar visible, and you can spot the legitimate one. It has the green address bar and a lock icon indicating a secured SSL connection. We can also see that the fake site is not actually hosted on or but has as a subdomain to a nonpaypal domain.
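As an added example (not part of the original post), here is a small Python check for the trick described above: the legitimate site's registrable domain matches the brand, while a lookalike only carries the brand name as a subdomain label of some other domain, or in the user-info part of the URL. The URLs and the tiny suffix list are constructed for illustration; a real check would use the full Public Suffix List.

```python
"""Added example: classify a URL relative to the brand domain the user
believes they are visiting.  Sample URLs are constructed; the suffix set is
a hypothetical, deliberately small stand-in for the Public Suffix List."""
from urllib.parse import urlsplit

# Hypothetical subset of the Public Suffix List.  Multi-label suffixes such
# as "co.uk" must be present so that "example.co.uk" is not cut to "co.uk".
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}


def registrable_domain(hostname: str) -> str:
    """Return the registrable domain (eTLD+1) of a hostname.

    'login.paypal.com'  -> 'paypal.com'
    'a.b.example.co.uk' -> 'example.co.uk'
    """
    labels = hostname.lower().rstrip(".").split(".")
    # Try the longest candidate suffix first so "co.uk" wins over "uk".
    for n in range(len(labels) - 1, 0, -1):
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname


def classify_url(url: str, expected_domain: str) -> str:
    """Return 'legitimate', 'lookalike', 'insecure' or 'unrelated'.

    The comparison is made on the registrable domain, not on whether the
    brand string appears somewhere in the hostname, because a phishing
    host can embed the brand as a subdomain label of an unrelated domain.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""        # hostname drops userinfo, port, brackets
    brand = expected_domain.lower()
    if parts.scheme != "https":
        return "insecure"              # no lock icon: never enter credentials
    if registrable_domain(host) == brand:
        return "legitimate"
    # Brand string present only as a subdomain label ("paypal.com.x.net")
    # or in the userinfo part ("paypal.com@x.net") of the URL.
    if brand in parts.netloc.lower():
        return "lookalike"
    return "unrelated"
```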


A browser’s address bar has been a fundamental part of the user experience over the years, and it is still available with Windows 8. But in Metro the address bar will not always be visible; that can lead to trouble. We think the address bar should be visible when you are entering credentials.

Within the Metro interface, IE 10 will have no custom plug-in support; the desktop version will still work with plug-ins. The lack of Metro support is intended to improve performance, reliability, and security; those who need specialized plug-ins can use the desktop version to maintain compatibility.

With IE 10 in Metro mode, Microsoft has, with support from Adobe, introduced a limited version of the Flash player, removing many Flash functions but adding support for touch gestures. These tactile features should make using Flash more friendly with Metro. There might be a catch though: Within Metro, Flash doesn’t appear to work for all websites. Flash support will be enabled for a certain list of sites chosen by Microsoft. Flash games on the gaming site, for example, work in Metro, but a Flash file uploaded to one of our test sites that works with IE 10 in desktop mode did not work with IE 10 Metro.

IE 10 also introduces additional support for many new features, including HTML5, WebSockets, cross-domain messaging, postMessage, and support for Web Workers within JavaScript applications, to name a few. However, this support will unfortunately create an entirely new attack surface. Malware may require only active browser instances to start and propagate instead of executable control over the entire system. Proactive measures from antimalware solutions would be the most effective defense in this case because JavaScript is notoriously mutable, and executing JavaScript in a browser is more common for users than running downloaded applications on the desktop.

In future blogs we’ll examine the new interface, enhancements and risks in Windows 8, and securing applications. Stay tuned.


I’d like to thank my colleague Igor Muttik for his assistance with this analysis.

Judge Threatens New Sanctions Against Would-Be Facebook Owner

Paul Ceglia

Likening his legal tactics to a “fishing expedition,” a federal judge is threatening to impose more monetary sanctions against a Buffalo man who claims in a lawsuit that he owns half of Facebook.

Paul Ceglia alleges in a 2-year-old lawsuit that Facebook chief Mark Zuckerberg promised him half the company when Zuckerberg was a Harvard University student in 2003. Ceglia claims he has the e-mailed contract to prove it, while Zuckerberg claims it and other e-mails are fabricated.

At stake is control over the social-networking company that just went public, now with a $66 billion market cap.

Ceglia has already coughed up $97,000 in sanctions and fees for stonewalling an order to provide his passwords to e-mail accounts so Facebook’s forensics experts could examine them.

U.S. Magistrate Leslie Foschio on Thursday gave Ceglia’s legal team 10 days to explain why Ceglia shouldn’t pay fines because of his latest legal tactics. The various motions, including one to disqualify Facebook’s lawyers, “gives rise to more than suspicion that such motions were filed solely to unreasonably and vexatiously multiply the proceedings,” Foschio wrote.

What’s more, Foschio ordered Ceglia, of New York, to hand over a potentially damaging document that could explain why one of his eight law firms left the legal fight. Because of a procedural error, Foschio said the document is no longer privileged.

Facebook, the defendant in the case, believes the document “will establish that the Kasowitz law firm decided to withdraw as co-counsel for plaintiff upon learning that certain forensic experts retained by plaintiff had determined the contract is a forgery,” Foschio wrote.

Facebook’s experts say forensic evidence, including an examination of Ceglia’s hard drive, proves that Ceglia had forged e-mails and a 2003 contract between himself and Zuckerberg — a contract that is at the center of Ceglia’s New York federal court lawsuit. Zuckerberg has maintained that the contract only involved Ceglia hiring Zuckerberg to work on Ceglia’s then-StreetFax company nearly a decade ago.

Ceglia alleges the contract included fronting Zuckerberg $2,000 in exchange for half of Facebook when Zuckerberg was a young Harvard University computer science student.

Ceglia’s experts have concluded that the contract was “an authentic, unaltered document.”

Litigation is pending. No hearing date has been set.

Cisco Releases Security Advisory for WebEx Player

Cisco has released a security advisory to address vulnerabilities affecting the following products:

  • Cisco WebEx Recording Format (WRF)
  • Cisco Advanced Recording Format (ARF)

These vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition.

US-CERT encourages users and administrators to review Cisco Security Advisory cisco-sa-20120627-webex and apply any necessary updates to help mitigate this risk.