Whether known or unknown, this code has a specific purpose and is designed to be persistent and elusive. Persistence is gained through compromise at various levels within a target system or within various target systems across an organization.
Click Security RtSA Response
Tracking embedded malware typically involves time-consuming, advanced forensics to uncover the actual depth of the compromise. This all assumes, of course, that the compromise could even be detected at some link in the chain in order to spawn further analysis. Deep forensic studies could yield how the malware arrived, when it was executed, what was accomplished, and where it went next. The process of obtaining this data, while time-consuming, is also difficult and costly in terms of hardware, software and staffing. Identifying the depth of compromise in large enterprise environments can take weeks, and that is if everything goes well. By looking at the environment behaviorally, Click makes it easy to understand the path and depth of a complex compromise, conserving valuable time and resources throughout the investigative effort.
As an example, suppose you had a network infected with a variety of malware and the infected systems were communicating over covert command/control channels – either with the mothership, or with each other. If an analyst can simply find one infected system, fanout charts should quickly spotlight the remaining machines involved. Here is how. Find one infected system; let's call it A. A phones home to the attacker's machine, Z. One layer of fanout shows A -> Z. But perhaps there are many infected systems on the protected network all communicating with Z; let's say that B, C, and D are all communicating with Z. Two layers of fanout now give you A -> Z -> [B, C, D], so you have just discovered that B, C, and D are also infected. But perhaps the attacker is also running a server at Y, and C communicated with Y at one time. Increasing the fanout to a third level shows the linkage between C and Y. Increasing the fanout to a fourth level shows all the internal systems that have ever communicated with the malicious server Y. Fanouts allow you to keep drilling until no new linkages surface – resulting in identification of a complete collection of infected systems.
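The walk described above is a layer-by-layer (breadth-first) expansion of a host communication graph. The script below is an added illustration of that walk, not code from Click Security or the RtSA product; its connection records, IP addresses, and the rule that 10.x addresses are internal are all constructed for the example. It also shows the check a practitioner needs in practice: a hub that nearly every host talks to (an internal DNS server here) must be reported but never expanded, or the fanout pulls in the entire network rather than the compromised hosts.

```python
"""Layered fan-out over a host-to-host communication graph (constructed example).

Starting from one known-infected host, expand the graph one layer at a time
until a layer adds no new hosts. Layer 1 = the servers the seed talked to,
layer 2 = other hosts that talked to those servers, and so on.
"""
from collections import defaultdict

# Constructed connection records: (source, destination). Internal hosts use
# the 10.0.0.0/8 range; everything else is treated as external. Letters in
# the comments match the A/B/C/D/Y/Z narrative above.
CONNECTIONS = [
    ("10.0.0.1", "203.0.113.9"),    # A -> Z (attacker server)
    ("10.0.0.2", "203.0.113.9"),    # B -> Z
    ("10.0.0.3", "203.0.113.9"),    # C -> Z
    ("10.0.0.4", "203.0.113.9"),    # D -> Z
    ("10.0.0.3", "198.51.100.7"),   # C -> Y (second attacker server)
    ("10.0.0.5", "198.51.100.7"),   # E -> Y
    ("10.0.0.6", "198.51.100.7"),   # F -> Y
    ("10.0.0.7", "10.0.0.53"),      # G -> internal DNS (benign hub)
    ("10.0.0.1", "10.0.0.53"),      # A -> internal DNS
    ("10.0.0.8", "192.0.2.80"),     # H -> unrelated web server, never reached
]

# Hubs that nearly every host talks to. Expanding through them would link
# every machine on the network, so they are reported but never traversed.
BENIGN_HUBS = {"10.0.0.53"}


def build_graph(connections):
    """Undirected adjacency map: a connection in either direction is a linkage."""
    graph = defaultdict(set)
    for src, dst in connections:
        graph[src].add(dst)
        graph[dst].add(src)
    return graph


def fanout(graph, seed, max_layers=None, exclude=frozenset()):
    """Return a list of layers; layer k holds hosts first reached k hops from seed.

    Stops when a layer adds nothing new or when max_layers is reached.
    Hosts in `exclude` are reported when reached but never expanded.
    """
    seen = {seed}
    layers = [{seed}]
    frontier = {seed}
    while frontier and (max_layers is None or len(layers) - 1 < max_layers):
        next_layer = set()
        for host in frontier:
            if host in exclude:
                continue
            for peer in graph.get(host, ()):
                if peer not in seen:
                    seen.add(peer)
                    next_layer.add(peer)
        if not next_layer:
            break
        layers.append(next_layer)
        frontier = next_layer
    return layers


def is_internal(host):
    """Constructed convention: 10.x addresses are the protected network."""
    return host.startswith("10.")


def classify(layers):
    """Split everything reached into suspected-infected internal hosts and the
    external servers they shared. Benign hubs are not suspects."""
    reached = set().union(*layers)
    internal = {h for h in reached if is_internal(h) and h not in BENIGN_HUBS}
    external = {h for h in reached if not is_internal(h)}
    return internal, external


if __name__ == "__main__":
    g = build_graph(CONNECTIONS)
    layers = fanout(g, "10.0.0.1", exclude=BENIGN_HUBS)
    for depth, layer in enumerate(layers):
        print(f"layer {depth}: {sorted(layer)}")
    hosts, servers = classify(layers)
    print("suspected infected:", sorted(hosts))
    print("shared external servers:", sorted(servers))
```

Run as written, the walk from A stops after four layers with A, B, C, D, E and F as suspects and Z and Y as the shared servers; G and H are never reached. Remove the `exclude` argument and G appears in layer 2 purely because it shares a DNS server with A, which is why the hub exclusion (or an equivalent allowlist of known-benign destinations) belongs in any real fanout.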