Trend Micro Incorporated

Research Paper
2012

Detecting APT
Activity with Network
Traffic Analysis

Nart Villeneuve and

James Bennett
Contents

About This Paper................................................................................................................................... 1

Introduction............................................................................................................................................ 1
Detecting Remote Access Trojans.................................................................................................... 3
GhostNet......................................................................................................................................... 3
Nitro and RSA Breach..................................................................................................................4
Detecting Ongoing Campaigns.......................................................................................................... 5
Taidoor............................................................................................................................................. 5
IXESHE............................................................................................................................................. 5
Enfal aka Lurid............................................................................................................................... 6
Sykipot............................................................................................................................................. 7
Will Adversaries Adapt?......................................................................................................................8
Network-Based Detection Challenges..............................................................................................8
Trojan.Gmail....................................................................................................................................8
Trojan.Gtalk..................................................................................................................................... 9
Conclusion..............................................................................................................................................11
Trend Micro™ Deep Discovery in Focus..........................................................................................12
How Deep Discovery Works.......................................................................................................12
What Deep Discovery Detects...................................................................................................13

PAGE ii | DETECTING APT ACTIVITY WITH NETWORK TRAFFIC ANALYSIS

About This Paper Introduction

Today’s successful targeted attacks use a combination Targeted attacks or what have come to be known as
of social engineering, malware, and backdoor activities. “advanced persistent threats (APTs)” are extremely
This research paper will discuss how advanced detection successful. However, instead of focusing on the attack
techniques can be used to identify malware command-and- methods and effects to improve network defenses, many
control (C&C) communications related to these attacks, seem more concerned with debating whether they are
illustrating how even the most high-profile and successful “advanced” or not from a technical perspective. On one
attacks of the past few years could have been discovered. hand, some believe that the threat actors behind these
campaigns have mythical capabilities both in terms of
operational security and the exploits and malware tools
they use. In fact, they do not always use zero-day exploits
Trend Micro™ Deep Discovery advanced and often use older exploits and simple malware. Some,
threat protection solution utilizes the on the other hand, view the threats as pure hype conjured
techniques described in this paper and up by marketing departments even though they cannot
many more to detect malware and attacker explain why high-value targets worldwide suffer from
activities undetectable by conventional repeated, successful, and long-term compromises.
security solutions. See details in the final
section. While initial reports had a tendency to treat the cyber-
espionage networks they uncovered as an “attack” or a
“singular set of events,” it is becoming increasingly clear
that most targeted attacks are in fact part of ongoing
campaigns. They are consistent espionage campaigns—a
series of failed and successful attempts to compromise a
target over time—that aim to establish persistent, covert
presence in a target network so that information can be
extracted as needed. Careful monitoring and investigation
can help security researchers learn from the mistakes
attackers make, allowing us to get a glimpse into malicious
operations. In fact, we can track campaigns over time
by relying on a combination of technical and contextual
indicators. This paper focuses on using this threat
intelligence to detect APT activity with network traffic
analysis.

PAGE 1 | DETECTING APT ACTIVITY WITH NETWORK TRAFFIC ANALYSIS

While new executable files that cannot be detected In fact, most of the campaigns documented in highly
without new file signatures can be routinely created with publicized reports, including GhostNet and Nitro, and the
automated builders and embedded in documents designed RSA breach, employed malware with consistent indicators
to exploit vulnerabilities in popular office software, the that can be routinely detected by analyzing the network
traffic malware generated when communicating with a traffic produced as they communicate with C&C servers.
C&C server tends to remain consistent.1 This is likely due Moreover, activity related to other less-known but long-
in part to the considerable amount of effort required to running campaigns such as Taidoor, IXESHE, Enfal (aka
change a C&C protocol, including code changes in both “Lurid”), and Sykipot can also be consistently detected at
the malware and C&C server. By increasing awareness, the network level.
visibility, and information sharing, however, details of
these campaigns are beginning to emerge. A significant Despite being widely known and easy to detect, the
portion of these ongoing campaigns can be consistently malware used in these campaigns continue to effectively
detected with the aid of network indicators. While compromise targets worldwide. This paper reviews
detecting this kind of traffic requires prior knowledge several such cases and describes the network detection
or threat intelligence, network detection can effectively techniques that can uncover them.
defend against known threats. Network traffic can also
be correlated with other indicators in order to provide
proactive detection.2 In addition, proactive detection of
unknown threats can be further extended by extrapolating
methods and characteristics from known threat
communication behaviors to derive more generic and
aggressive indicators.

Although some APT activities will continue to leverage

never-before-seen malware, a significant number of
ongoing APT campaigns can still be consistently detected
with network indicators. While C&C domain names and
IP addresses will continue to change, making it difficult
to maintain a defense posture by blocking them alone,
network patterns are less subject to change.3

1 http://www.joestewart.org/csc07/defending-against-data-exfiltrating-
malware.odp
2 http://www.sans.edu/student-files/projects/JWP-Binde-McRee-
OConnor.pdf
3 Some techniques for building intelligence around IP addresses (found
in common ranges) and domain names (co-hosting on the same IP
address, registered by the same email address) exist but those are
beyond the scope of this research paper.
PAGE 2 | DETECTING APT ACTIVITY WITH NETWORK TRAFFIC ANALYSIS
Detecting Remote Access Trojans

GhostNet

The GhostNet C&C infrastructure was active in 2007 but

was terminated after it was publicly disclosed in 2009.4
The “Tracking GhostNet” report documented successful
intrusions into diplomatic entities worldwide, along with
the Dalai Lama’s office, international organizations, and Figure 3: Gh0st RAT, the second-stage malware used by the
news media. The GhostNet campaign involved two malware GhostNet attackers
components. The first-stage malware was dropped by
malicious documents and connected to C&C servers via IDS rules to detect Gh0st RAT have been in existence
HTTP on port 80. While the malware accessed a variety since at least 2008 and continue to be widely used.7 In
of C&C servers, it also used specific and consistent URL fact, the payload of a recent attack that delivered a Java
parameters that can be detected. exploit (i.e., CVE-2012-0507) through strategic website
compromises, including human rights sites, was Gh0st
RAT.8 While this attack maintained the signature “Gh0st”
header, other attacks leveraged a modified Gh0st RAT.
Figure 1: PHP version of a GhostNet request to a C&C server A variant in which the “Gh0st” header has been replaced
with “LURK0” was recently used in targeted attacks.9
Despite the modifications, however, Gh0st RAT can
still be consistently detected via the presence of the
Figure 2: ASP version of a GhostNet request to a C&C server five-character header followed 8 bytes later by a zlib
compression header. In addition, since ports 80 and
Details describing how the GhostNet malware operated 443 are often used for Gh0st RAT traffic protocol-aware
were published twice in 2008.5 Simple pattern matching detection, triggering an alert if the protocol on port 80 is
of URL paths within network traffic would have detected not HTTP can help detect this kind of traffic.
the malware beaconing to a C&C server. While the
significance of this malware was not fully understood until
the entire cyber-espionage network was exposed, it is Deep Discovery can detect the specific
understandable that creating intrusion detection system “Gh0st” and “LURK0” headers as well as
(IDS) rules based on such paths was probably not a high generically detect this kind of communication
priority for defenders at that time. by following the previously mentioned header
structure.
The second-stage malware the GhostNet attackers
deployed was the infamous Gh0st RAT.6 This well-known
remote access Trojan (RAT) produces easily identifiable
network traffic, which started with a “Gh0st” header.

7 http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20081211
8 http://community.websense.com/blogs/securitylabs/
4 http://www.nartv.org/mirror/ghostnet.pdf archive/2012/05/11/amnesty-international-uk-compromised.aspx and
5 http://www.datarescue.com/laboratory/trojan2008/index.html http://blog.shadowserver.org/2012/05/15/cyber-espionage-strategic-
and http://www.wired.com/images_blogs/threatlevel/files/mcafee_ web-compromises-trusted-websites-serving-dangerous-results/
security_journal_fall_2008.pdf 9 http://www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.
6 http://www.wired.com/images_blogs/threatlevel/files/mcafee_ pdf and http://blogs.norman.com/2011/security-research/invisible-ynk-
security_journal_fall_2008.pdf a-code-signing-conundrum
PAGE 3 | DETECTING APT ACTIVITY WITH NETWORK TRAFFIC ANALYSIS
Nitro and RSA Breach Detecting simply based on a request of 256 bytes will
yield false positives. This can, however, be combined
with protocol-aware detection. While the default port for
The Nitro attacks were documented in an October 2011 PoisonIvy is 3460, it is most commonly seen used on ports
report on a series of attacks that began in July 2011 80, 443, and 8080 as well. This traffic can generically
against companies in the chemical and motor sectors be detected by looking for a 256-byte outbound packet
as well as human rights nongovernmental organizations containing mostly non-ASCII data on the ports PoisonIvy
(NGOs).10 The attacks continued through December 2011 attackers commonly use. This helps reduce false positives
with the attackers actually using the report documenting but still broadly covers PoisonIvy variants as long as they
their activities as bait.11 The malware used in that case was use the said challenge request.
PoisonIvy, a widely available RAT.12

PoisonIvy was also used in the RSA breach albeit by

different actors.13 While the attack against RSA, which was
part of a campaign against many other organizations as
well, leveraged a zero-day Adobe Flash Player vulnerability
delivered via a Microsoft Excel spreadsheet, its ultimate
payload was simply PoisonIvy.14

The network traffic generated by PoisonIvy begins with

256 bytes of seemingly random data after a successful
TCP handshake. These bytes comprise a challenge request
to see if the “client” (i.e., the RAT controller) is configured
with password embedded in the “server” (i.e., the victim).

Figure 5: Most commonly used ports by PoisonIvy samples found

in Japan from 2008 to 2012

As shown in Figure 6, after the challenge response is

received, the client (i.e., controller) then sends 4 bytes
specifying the size of the machine code that it will send.
This value has consistently been “D0 15 00 00” for all
Figure 4: 256-byte challenge request from the RSA PoisonIvy samples we analyzed for this version of PoisonIvy. This
sample
makes a great additional indicator on top of the logic
previously described and significantly increases the
confidence level of the detection.
10 http://www.symantec.com/content/en/us/enterprise/media/security_
response/whitepapers/the_nitro_attacks.pdf
11 http://www.symantec.com/connect/blogs/nitro-attackers-have-some-
gall
12 Ironically, PoisonIvy was found to have vulnerabilities, which were
used to shed light on the operations of certain threat actors (see
https://media.blackhat.com/bh-eu-10/presentations/Dereszowski/
BlackHat-EU-2010-Dereszowski-Targeted-Attacks-slides.pdf).
13 http://blogs.rsa.com/rivner/anatomy-of-an-attack/
14 http://krebsonsecurity.com/2011/10/who-else-was-hit-by-the-rsa-
attackers/, http://blogs.gartner.com/avivah-litan/2011/04/01/rsa-
securid-attack-details-unveiled-they-should-have-known-better, and
http://www.f-secure.com/weblog/archives/00002226.html
PAGE 4 | DETECTING APT ACTIVITY WITH NETWORK TRAFFIC ANALYSIS
 Detecting Ongoing Campaigns

Taidoor

The Taidoor campaign has been actively engaging in

targeted attacks since at least 2008.16 Taidoor is typically
configured with three hard-coded C&C servers and three
ports. Communication with a C&C server is done over
HTTP. Content is protected using RC4 encryption. The
initial request to a C&C server follows the format, /{5
characters}.php?id={6 random numbers}{12 characters}.

Figure 6: Initial communication between a PoisonIvy server and

client

Figure 8: Taidoor network traffic

PoisonIvy also makes use of “keep-alive” requests that
are 48 bytes long. These requests appear to be always of
The last set of 12 characters refers to the victim’s MAC
the same length but their content differed depending on
address, which is encrypted using a custom algorithm that
the “password” with which the PosionIvy client/server is
basically increases the values in the address by 1. This
configured. The default password, “admin,” is consistently
is also used as encryption key. Taidoor traffic has been
detected.15
consistent since 2008 and is easily detectable.

Deep Discovery detects this communication

as previously specified.

Figure 7: 48-byte keep-alive request from the RSA PoisonIvy

sample
IXESHE
Deep Discovery takes all of the The IXESHE campaign has been active since at
aforementioned approaches to generic and least 2009.17 Upon installation, the malware starts
specific PoisonIvy detection, assigning the communicating with one of three C&C servers that can
appropriate severity rating depending on the be configured via three ports, usually 80, 443, and 8080.
confidence level of the detection. Network communications transpire over HTTP and follow
the format, /AWS[Numbers].jsp?[Custom Base64 Blob]. A
custom Base64 alphabet is used to encode content.
RATs such as Gh0st and PoisonIvy are widely available
and frequently used by APT actors but the traffic these
produce is easily detectable. In the Nitro and RSA cases,
the traffic was standard and easily detectable. These
attacks were, however, extremely successful. Figure 9: IXESHE network traffic

16 http://www.symantec.com/content/en/us/enterprise/media/
security_response/whitepapers/trojan_taidoor-targeting_think_tanks.
pdf and http://www.trendmicro.com/cloud-content/us/pdfs/security-
15 A variety of IDS rules available from http://emergingthreats.net/ intelligence/white-papers/wp_the_taidoor_campaign.pdf
covers various PoisonIvy keep-alive requests, including the default 17 http://www.trendmicro.com/cloud-content/us/pdfs/security-
admin request. intelligence/white-papers/wp_ixeshe.pdf
PAGE 5 | DETECTING APT ACTIVITY WITH NETWORK TRAFFIC ANALYSIS
Another instance of malware that is very similar to A newer version of the malware connects in a similar way,
that used in the IXESHE campaign was used in a sister /cgi-bin/CMS_SubitAll.cgi.
campaign that produces very similar network traffic
but slightly different file paths—“AES[numbers].jsp,”
“CES[numbers].jsp,” and “DES[numbers].jsp.”

Figure 10: IXESHE AES network traffic Figure 12: New Enfal variant’s network traffic that posts the
victim’s details to the C&C server
In some cases, compromised servers are hosted on target
organizations’ networks after successful infiltration. This In addition, we uncovered samples of the original version
means that network defenses placed at the perimeter of Enfal that operate in a nearly identical way apart from
will not detect standard IXESHE network traffic because using different file paths. In effect, Enfal was simply
communication occurs internally. The attackers can modified to connect to different file paths on the C&C
communicate through an alternate means with the server. Instead of the traditional POST request to /cg[a-z]-
internal C&C server in order to avoid detection. bin/Owpq4.cgi, these samples access /8jwpc/odw3ux.

Deep Discovery can detect both variations

of this communication but deployment and
visibility are factors to consider when dealing
with internally planted C&C servers.

Enfal aka Lurid

Figure 13: Original Enfal variant’s network traffic that posts the
victim’s details to the C&C server
Enfal, aka the “Lurid downloader,” has been used in
targeted attacks as far back as 2006 and continues to
Enfal, however, makes more than one connection to the
actively attack targets worldwide.18 Several versions of
C&C server. It also polls a file to see if any command has
the Enfal malware exist but the communication between a
been specified. Consistencies in Enfal’s connection to
compromised host and a C&C server remains consistent.
the C&C server in order to receive commands, however,
Older but still active versions of the malware make several
continue to allow detection of the malware’s network
consistent requests, including /cg[a-z]-bin/Owpq4.cgi.
traffic.

Figure 14: Enfal network traffic that checks if commands have

been specified

Figure 11: Enfal network traffic that posts the victim’s details to Enfal makes requests for files that contain any command
the C&C server that the attackers want the compromised computers to
execute.

18 http://www.trendmicro.com/cloud-content/us/pdfs/security-
intelligence/white-papers/wp_dissecting-lurid-apt.pdf, http://www.
secureworks.com/research/threats/sindigoo/, http://events.ccc.de/
congress/2007/Fahrplan/attachments/1008_Crouching_Powerpoint_ Figure 15: New Enfal variant’s network traffic that checks if
Hidden_Trojan_24C3.pdf, http://isc.sans.org/presentations/ commands have been specified
SANSFIRE2008-Is_Troy_Burning_Vanhorenbeeck.pdf, http://isc.sans.
edu/diary.html?storyid=4177, http://www.nartv.org/mirror/shadows-
in-the-cloud.pdf, http://wikileaks.org/cable/2009/04/09STATE32025.
html, and http://cablesearch.org/cable/view.php?id=08STATE116943
PAGE 6 | DETECTING APT ACTIVITY WITH NETWORK TRAFFIC ANALYSIS
These requests can be detected because they follow a In July 2012, new versions of the Sykipot malware were
specific format that includes two directories, followed detected. These connected via HTTPS with a different URL
by the hostname and MAC address of the compromised path documented by Alienvault, GET/get.asp?nm=index.
computer. This consistent pattern is still detected despite dat&hnm=[HOSTNAME]-[IP-ADDRESS]-[IDENTIFIER].22
modifications made to Enfal. The SSL certificate on the server, however, remained one
that could be detected using an already publicly published
Snort rule.
Deep Discovery detects these Enfal
communications using the various methods
previously described as well. Deep Discovery specifically detects the
SSL certificate Sykipot malware uses. In
addition, generically detecting suspicious
SSL certificates has proven quite useful at
Sykipot proactively detecting zero-day malware,
including the recently discovered Gauss
malware. Looking for default, random, or
The Sykipot campaign, which has been known by many
empty values in SSL certificate fields and
names over the years, can be traced back to 2007 and
restricting such detections to only certificates
possibly even 2006.19 The campaign became better
supplied by hosts outside an organization’s
known after the discovery of a zero-day exploit (i.e.,
monitored network provides a great balance
CVE-2011-2462) targeting U.S. Department of Defense
of proactive detection with manageable false
(DOD) smartcards.20 While older versions of Sykipot
positives.
malware communicated with a C&C server over HTTP,
newer versions have been seen using HTTPS, perhaps
because requests made to the C&C server consistently
use the format, /kys_allow_get.asp?name=getkys.kys, and,
therefore, detectable.

Figure 16: Sykipot network traffic

By 2008, Sykipot malware began communicating over

HTTPS, making them impossible to detect based on URL
path because that content was encrypted. Despite this
transition, however, the malware remained detectable at
the network level due to the use of consistent elements
within the Secure Sockets Layer (SSL) certificate.21

19 http://blog.trendmicro.com/the-sykipot-campaign/
20 http://labs.alienvault.com/labs/index.php/2012/when-the-apt-owns-
your-smart-cards-and-certs/
21 http://labs.alienvault.com/labs/index.php/2011/are-the-sykipots-
authors-obsessed-with-next-generation-us-drones/ 22 http://labs.alienvault.com/labs/index.php/2012/sykipot-is-back/
PAGE 7 | DETECTING APT ACTIVITY WITH NETWORK TRAFFIC ANALYSIS
Will Adversaries Adapt? Network-Based Detection Challenges

There is a consistent need to weigh the risks of revealing Two key factors pose challenges to network-based
enough information about APT campaigns to alert the detection—encryption and the cloud. The use of SSL
public and allow defenders to take corrective action and encryption evades detection based on patterns in URL
giving the threat actors behind attacks an understanding parameters and HTTP headers. The use of legitimate
of what is known about their operations and the services in the cloud, meanwhile, evades attempts to
opportunity to adapt. Information about these campaigns simply block access to known “bad” locations. Together,
can be effectively used without pushing threat actors to these two factors make detecting APT activity challenging.
adapt and evade detection. They have, for instance, made
the following changes: The use of these techniques is certainly not new. Such
techniques have been extensively used in typical criminal
• Targeted attacks that have been using Gh0st RAT operations. In the past, Twitter, Tumblr, Google Apps,
utilize modified versions wherein the “Gh0st” header Google Groups, and Facebook have all been used as
has been replaced by other five-character strings such malware C&C channels.23 It is not surprising, therefore,
as “LURK0.” This means that IDS rules that only match that APT attackers have also been using such services as
the “Gh0st” header can be evaded. C&C channels.

• IXESHE attackers have used internal compromised Trojan.Gmail

machines as C&C servers. This means that network
defenses placed at the perimeter will not detect
standard IXESHE network traffic because such In October 2010, contagiodump.blogspot.com posted a
communication occurs internally. sample of a targeted attack that leveraged a conference
on nuclear issues in South Korea.24 The email from a
• Enfal/Lurid users have begun changing the names of spoofed email address associated with the conference had
the files on their C&C servers. Generic patterns that a malicious PDF attachment.
allow for continued detection, however, still work.

• Sykipot users have switched from utilizing HTTP to

encrypted HTTPS communications. This means that
pattern matching based on the consistent URL path
Sykipot uses can be evaded. Newer versions of Sykipot
malware have also been seen using different URL
paths.

Although there have been some minor variations, the APT

campaigns and malware discussed in this paper have been
largely consistent over a number of years despite detailed
accounts in a variety of papers and reports. The changes
that have been made do affect network-based detection
but indicators that work despite these changes still exist,
albeit the possibility of generating more false positives.
Continued monitoring of these campaigns, however,
provides threat intelligence that can be effectively used to
begin detecting the modifications made by the attackers.
23 http://asert.arbornetworks.com/2009/08/twitter-based-botnet-
command-channel, http://asert.arbornetworks.com/2009/11/malicious-
google-appengine-used-as-a-cnc, http://blog.unmaskparasites.
com/2009/11/11/hackers-use-twitter-api-to-trigger-malicious-scripts,
http://www.symantec.com/connect/blogs/trojanwhitewell-what-s-
your-bot-facebook-status-today, and http://www.symantec.com/
connect/blogs/google-groups-trojan
24 http://contagiodump.blogspot.ca/2010/10/oct-08-cve-2010-2883-pdf-
nuclear.html
PAGE 8 | DETECTING APT ACTIVITY WITH NETWORK TRAFFIC ANALYSIS
 After execution, the malware logs in to a Gmail account
using the information supplied in syschk.ocx. The traffic
between the compromised computer and Gmail is SSL-
encrypted on port 443. This means that at the network
level, one can only observe encrypted traffic between the
host and Google’s servers.

Using Burp Proxy, however, one can analyze traffic

between the malware and Gmail. The malware logs in to
the Gmail account and sends an email whose content is
encrypted to another Gmail address. The content appears
to be the same as that of the file, form.ocx, which contains
a unique ID the malware assigns, the hostname and IP
address, the default home page of the default browser,
and a list of the programs installed in the computer. It then
connects to fuechei.chang.drivehq.com and downloads an
additional file called “rename.ocx,” which then renames
Figure 17: Targeted email attack sample posted on contagiodump. syschk.ocx to syschk.ocx1.25
blogspot.com
This type of malware poses challenges to traditional
The PDF attachment exploits an Adobe Reader network defenses because its C&C traffic is both encrypted
vulnerability (i.e., CVE-2010-2883) and drops a piece of and sent to a trusted source.
malware onto the target’s system that then creates two
files, namely:
Trojan.Gtalk
• C:\WINDOWS\system32\syschk.ocx
Trojan.Gtalk was discovered and documented by CyberESI
• C:\WINDOWS\system32\form.ocx in December 2011.26 This piece of malware uses a legitimate
program called “gloox,” a Jabber/XMPP client, to utilize
It also modifies the system’s Internet Explorer (IE) Gtalk as a C&C mechanism. Since Gtalk communication is
browser (i.e., C:\Program Files\Internet Explorer\ encrypted by default, the C&C communication is encrypted
iexplore.exe) so it runs every time the browser is opened. at the network level. In addition, this malware uses
Prior to exploitation, the MD5 hash of iexplore.exe is another layer of encryption so the content transmitted
b60dddd2d63ce41cb8c487fcfbb6419e. After exploitation, between a victim and the attacker is protected. Trojan.
this becomes 10eb6a3001376066533133a3d417c3b9. Gtalk has been used as both a first- and a second-stage
malware component.

The sample we analyzed was used as part of a multistage

component. The initial sample we discovered was an .EXE
file that opened a .PDF file after execution.

Figure 18: IE certificate before and after modification

25 Analysis of this malware when it was first discovered in 2010 is

available in http://www.nartv.org/2010/10/22/command-and-control-
in-the-cloud/.
26 http://www.cyberesi.com/2011/12/15/trojan-gtalk/
PAGE 9 | DETECTING APT ACTIVITY WITH NETWORK TRAFFIC ANALYSIS
 Various layers of encryption, along with the use of
Google’s Gtalk servers, make detection at the network
level challenging. Usual mechanisms such as matching
based on strings in URL paths or blocking domains and
IP addresses do not apply in this case. By abusing trusted
infrastructure, attackers are able to effectively conceal
their activities from network-based detection. The fake
.PNG file downloaded, which contains the Base64-encoded
URL, can, however, be detected as it is still requested using
plain HTTP.

Deep Discovery can detect such suspiciously

malformed images.

Figure 19: Decoy .PDF file opened after execution

The malware then connects to a server and requests for

the file, facebook.png, which contains Base64-encoded
commands to download additional components.

Figure 20: Request to download facebook.png

One of the commands contained within facebook.png

instructs the compromised computer to download date.gif,
a fake .GIF file that actually contains a version of Trojan.
Gtalk that has been encrypted with the Rijndael algorithm.

Figure 21: Decoded Base64 command to download Trojan.Gtalk

Once decrypted and executed, Trojan.Gtalk uses embedded

credentials to log in to an account and send and receive
communication from accounts on its contact list. The
malware receives encrypted messages, decodes and
executes these, then communicates results back to the
Gtalk account that issued the commands.

PAGE 10 | DETECTING APT ACTIVITY WITH NETWORK TRAFFIC ANALYSIS

Conclusion

The ability to detect APT activity at the network level • Timing and size: Since malware typically “beacon”
is heavily dependent on leveraging threat intelligence. to C&C servers at given intervals, monitoring
A variety of very successful ongoing campaigns consistent intervals for Domain Name System (DNS)
can be detected at the network level because their requests or requests to the same URL will help.28 As
communications remain consistent over time. more APT campaigns move from HTTP to HTTPS
Modifications made to malware’s network communications communications, as Sykipot did, communications may
can, however, disrupt the ability to detect them. As such, still be detected by analyzing traffic based on the
the ongoing development of threat intelligence based on “volume of transferred data, timing, or packet size.”29
increased visibility and information sharing is critical to Such requests can then be further investigated.
developing indicators used to detect such activity at the
network level. As adversaries adapt, more general methods can be
implemented to detect suspicious behaviors. While this
Trend Micro has also included more generic techniques may result in an increase in false positives, enterprises
in Deep Discovery, which have proven useful. While these that are consistently targeted by APT activity may wish
indicators may generate false positives, they will still to explore such options. Multiple ongoing APT campaigns,
help detect previously unknown malicious activity at the however, can be consistently detected at the network
network level: level. While exploits and binaries may be modified to
avoid detection, network traffic tends to remain constant.
• Protocol-aware detection: Many of the RATs used In such a case, it is possible to detect APT activity by
in targeted attacks use HTTP/HTTPS ports to leveraging threat intelligence in network traffic analysis.
communicate, often because only these ports are
open at the firewall level. This means that detecting
any non-HTTP traffic on port 80 or any non-HTTPS
traffic on port 443 flags potentially malicious traffic
for further investigation. While not conclusive, such
alerts can provide direction as to where to focus
investigative resources.

• HTTP headers: Many targeted campaigns use HTTP

for C&C communication but send requests using
application programming interface (API) calls that can
often be distinguished from typical browsing activity.
Analyzing HTTP headers can be a useful generic way
to detect malware communications.27

• Compressed archives: Attackers have been known to

use password-protected, compressed archives such
as .RAR files to exfiltrate data from compromised
networks. While it may generate a high level of false
positives, detecting such files that leave the network is
trivial.

28 http://www.splunk.com/web_assets/pdfs/secure/Splunk_for_APT_
Tech_Brief.pdf
27 http://sector.ca/sessions2011.htm#Rodrigo%20Montoro 29 https://anonymous-proxy-servers.net/paper/wpes11-panchenko.pdf
PAGE 11 | DETECTING APT ACTIVITY WITH NETWORK TRAFFIC ANALYSIS
Trend Micro™ Deep Discovery in Focus

Deep Discovery delivers the networkwide visibility, insight, • Advanced Threat Scan Engine
and control needed to detect and identify targeted attacks
in real time. It provides in-depth analysis and actionable • Combines traditional antivirus file scanning with
intelligence to immediately remediate threats and prevent new aggressive heuristic scanning techniques to
further damage. detect both known and unknown malware and
document exploits
Deep Discovery’s proven approach provides the best
detection with the fewest false positives by identifying • Trend Micro Smart Protection Network
malicious content, communications, and behavior across
every stage of the attack sequence. Through detection and • A global threat intelligence and reputation service
in-depth analysis of both advanced malware and evasive that correlates 16+ billion URL, email, and file
attacker behaviors, Deep Discovery provides enterprises queries daily
and government organizations a new level of visibility and
intelligence to combat APTs and targeted attacks across • Virtual Analyzer
the evolving computing environment.
• A virtualized threat sandbox analysis system that
How Deep Discovery Works uses customer-specific configurations to detect
and analyze malware

Deep Discovery uses a three-level detection scheme to As a result, Deep Discovery is able to detect malicious
perform initial detection, simulation and correlation, and, content and identify suspect communications.
ultimately, a final cross-correlation to discover “low-
and-slow” and other evasive activities discernible only
over an extended period of time. Specialized detection
and correlation engines provide the most accurate and
up-to-date protection aided by global threat intelligence
from the Trend Micro™ Smart Protection Network™
infrastructure and our dedicated threat researchers. The
result is a high detection rate, low false positives, and in-
depth incident reporting information designed to speed up
the containment of an attack.

Deep Discovery detects APTs through network traffic

analysis and correlation using the following core
technologies:

• Network Content Inspection Engine

• A deep packet inspection engine that performs

port-agnostic protocol detection, decoding,
decompression, and file extraction across
hundreds of protocols

PAGE 12 | DETECTING APT ACTIVITY WITH NETWORK TRAFFIC ANALYSIS

What Deep Discovery Detects

Attack Detection Detection Methods

Malicious content • Document exploits • Embedded file decoding and
• Drive-by downloads decompression
• Zero-day and known malware • Suspicious file sandbox simulation
• Browser exploit kit detection
• Malware (e.g., signature and
heuristic) scanning
Suspect communications • C&C communication for all types of • Destination (e.g., URL, IP address,
malware—bots, downloaders, data domain, email, Internet Relay Chat
stealers, worms, backdoors, RATs, [IRC], and channel) analysis via
and blended threats dynamic blacklisting and whitelisting
• Smart Protection Network URL
reputation checking
• Communication fingerprinting rule
use
• Comparison with suspicious and
known malicious SSL certificates
Attack behaviors • Malware activity (e.g., propagation, • Rule-based heuristic analysis
downloading, and spamming) • Identification and analysis of the
• Attacker activity (e.g., scanning, use of hundreds of protocols and
brute-forcing, and service applications, including HTTP-based
exploitation) applications
• Data exfiltration • Behavior fingerprinting rule use

TREND MICRO™ TREND MICRO INC.

Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global cloud security 10101 N. De Anza Blvd.
leader, creates a world safe for exchanging digital information with its In- Cupertino, CA 95014
ternet content security and threat management solutions for businesses
and consumers. A pioneer in server security with over U.S. toll free: 1 +800.228.5651
20 years’ experience, we deliver top-ranked client, server and cloud- Phone: 1 +408.257.1500
based security that fits our customers’ and partners’ needs, stops Fax: 1 +408.257.2003
new threats faster, and protects data in physical, virtualized and cloud www.trendmicro.com
environments. Powered by the industry-leading Trend Micro™ Smart Pro-
tection Network™ cloud computing security infrastructure, our products
and services stop threats where they emerge—from the Internet. They are
supported by 1,000+ threat intelligence experts around the globe.

©2012 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company
names may be trademarks or registered trademarks of their owners.

PAGE 13 | DETECTING APT ACTIVITY WITH NETWORK TRAFFIC ANALYSIS