Detecting Targeted Malware and Advanced Persistent Threats

When dealing with malware, your antivirus is typically your last line of defense.  For malware to slip past antivirus scanning software, it first needs to bypass your perimeter network defenses, such as a Network Intrusion Prevention System (NIPS) and network firewall, as well as your Host Intrusion Prevention System (HIPS) and host-based firewall.  These multiple layers of protection should block a large number of threats to your organization.

Typically, most of the malware which bypasses all of your security layers is targeted malware, never before seen in the wild.  If the malware is advanced enough, it will slip past your heuristic defenses, and since it has never been seen in the wild, it will go unnoticed by your signature-based antivirus scans.

If you're fortunate enough to detect some sign of trouble, the first thing you should do is check the common malware load points.  Don't bother searching for the proverbial "needle in a haystack", the file which infected your system.  Be aware that there are only a few load points which malware can use, and begin your search there.

Norton has a wonderful Malware Removal Guide available which identifies the common load points of malware for Windows.  For your reference, I'll reproduce the list here:

Registry Keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKEY_CLASSES_ROOT\comfile\shell\open\command
HKEY_CLASSES_ROOT\piffile\shell\open\command
HKEY_CLASSES_ROOT\exefile\shell\open\command
HKEY_CLASSES_ROOT\txtfile\shell\open\command
HKLM\SYSTEM\CurrentControlSet\Services\ (look for suspect services which don't belong)
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\

There are a few additional locations which could be used as malware load points:

Wininit.ini - In my experience it's rare for malware to use this as an infection point, but it's possible.  Win.ini and system.ini are also possible load points.  These files are located under c:\windows.

Another, more common load point is the Startup folder.  However, it's important to note that there are multiple Startup folders: User, Default User, and All Users.  These could be under c:\Documents and Settings, c:\Users, or c:\Windows.

Some "old fashioned" load points are autoexec.bat, config.sys, and the Task Scheduler.  The Norton article also mentions dosstart.bat, but that would most likely apply only to very old systems.
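As an added example (not from the original post or from Norton's guide), the PowerShell script below walks the local load points described above in one pass: the Run-style keys in both hives, Services and Active Setup, the HKCR shell\open\command keys, and the three Startup folders, flagging any command that runs from a temp or profile directory.  It assumes Windows PowerShell 3 or later on the live system being triaged; the "suspect" path pattern is my own heuristic, not something the post defines.

```powershell
# Added triage script, not from the original post: read-only enumeration of the
# registry load points listed above plus the Startup folders. Run elevated.
$cv = 'Software\Microsoft\Windows\CurrentVersion'
$runSubkeys = "$cv\Run", "$cv\RunOnce", "$cv\RunOnceEx", "$cv\RunServices", "$cv\RunServicesOnce",
              "$cv\Policies\Explorer\Run", "$cv\Explorer\SharedTaskScheduler",
              'Software\Microsoft\Windows NT\CurrentVersion\Windows',   # holds AppInit_DLLs, Load, Run
              'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'   # Shell and Userinit
# Heuristic (assumption): directories a legitimate autostart rarely points into, but dropped files often do.
$suspect = '(?i)(\\|%)(Temp|AppData|ProgramData|Users\\Public|Downloads)(\\|%)'
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($src, $name, $cmd) {
  $findings.Add([pscustomobject]@{ Suspect = [bool]($cmd -match $suspect); Source = $src; Name = $name; Command = $cmd })
}
# 1. Run-style keys: every value under each key, in both hives
foreach ($hive in 'HKCU:', 'HKLM:') {
  foreach ($sub in $runSubkeys) {
    $key = Join-Path $hive $sub
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
      if ($p.Name -notlike 'PS*') { Add-Finding $key $p.Name ([string]$p.Value) }   # skip PS* metadata
    }
  }
}
# 2. Services and Active Setup keep the command in a named value of each subkey
$perSubkey = @{ 'HKLM:\SYSTEM\CurrentControlSet\Services' = 'ImagePath'
                'HKLM:\Software\Microsoft\Active Setup\Installed Components' = 'StubPath' }
foreach ($parent in $perSubkey.Keys) {
  Get-ChildItem $parent -ErrorAction SilentlyContinue | ForEach-Object {
    $v = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).($perSubkey[$parent])
    if ($v) { Add-Finding $_.PSPath $perSubkey[$parent] ([string]$v) }
  }
}
# 3. Shell open commands for executable file types (HKCR is the merged classes view)
foreach ($ext in 'exefile', 'comfile', 'piffile', 'txtfile') {
  $key = "Registry::HKEY_CLASSES_ROOT\$ext\shell\open\command"
  if (Test-Path $key) { Add-Finding $key '(default)' ([string]((Get-ItemProperty $key).'(default)')) }
}
# 4. Startup folders (user, all users, Default profile); .lnk files are resolved to their target
$wsh = New-Object -ComObject WScript.Shell
$startupDirs = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'),
               "$env:SystemDrive\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
foreach ($dir in $startupDirs) {
  Get-ChildItem $dir -File -Force -ErrorAction SilentlyContinue | Where-Object Name -ne 'desktop.ini' | ForEach-Object {
    $target = if ($_.Extension -eq '.lnk') { $wsh.CreateShortcut($_.FullName).TargetPath } else { $_.FullName }
    Add-Finding $dir $_.Name $target
  }
}
# Review Suspect=True rows first, then account for every remaining entry one by one.
$findings | Sort-Object Suspect -Descending | Format-Table Suspect, Source, Name, Command -AutoSize -Wrap
```

Anything that is not flagged still needs to be accounted for by hand; the flag only orders the review, and a targeted sample can just as easily install itself under Program Files.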

Additional locations which Norton doesn't mention, but which should be checked, are your network shares and network startup scripts.  It is very possible that, should malware somehow gain administrative privileges (your users ARE using non-administrative accounts, right?), it could push a startup script to all of your systems, resulting in constant reinfection.  An autorun.inf on a network share would be another good indicator of a malware infection, and should provide valuable insight into the inner workings of the malware.

Finally, don't fall for the "needle in a haystack" trap of searching the Windows and Temp folders, which Norton mentions.  While malware may reside there, it's important to realize that the malware has to be executed from somewhere.  Identify where the malware is being loaded from, then use that knowledge to identify the malicious files.

Should you find a piece of targeted malware, your best bet is to rebuild or re-image the affected systems.  You never know what additional "surprises" the malware has delivered.

Remember: the best way of dealing with an advanced persistent threat is not to be affected by one in the first place.  Follow security best practices, lock down your systems, and apply multiple layers of protection.  And finally, don't allow your users to have local administrative rights; targeted malware can't infect a system as severely if the user isn't a local administrator in the first place.