[Fed-Talk] The APT that you do have
- Subject: [Fed-Talk] The APT that you do have
- From: Todd Heberlein <email@hidden>
- Date: Thu, 15 Sep 2011 11:53:24 -0700
On Sep 15, 2011, at 9:04 AM, Pike, Michael (IHS/HQ) wrote:
> Parallels released an update yesterday, once installing the update the machines now function as normal...
>
> And to think I suspected someone of putting a keylogger in :)
It is not as far-fetched a conclusion to reach. Consider the following scenario:
(1) There is an executable buried several levels below your home directory, and you probably never knew it was there.
(2) It starts up at seemingly random times, but never shows up in your dock. You never know it runs. It stays under your radar.
(3) The developer is smart. When he originally wrote this piece of code he didn't know what he wanted to do on your system, so the code is really simple. It just "calls home" over an apparent normal web request to pull down new code. This way the hacker can run new executable code on your machine any time he wants.
(4) This freshly downloaded code starts up, downloads a bundle of files, and starts modifying your system. It replaces executable code you run regularly and changes numerous configuration files.
(5) Next, all the temporary files and the downloaded executable are all deleted, leaving no trace of their existence.
This is pretty much an ideal model for an Advanced Persistent Threat (APT), and it probably happens on a lot of your computers on a near daily basis. Although in this case it is called "Google Chrome". Pretty much the only difference between Google Chrome and an APT is intent (this assumes Google's intent is benign).
I got so irritated at my system alerting so much on Google Chrome-related activities that I wrote a new feature to make it easier to screen its activities out.
So yes, there are a lot of weird things that happen on your system that can easily be malware or simply annoying, and sometimes it is hard to distinguish between the two cases.
Todd
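As an added example, not part of the original post or of any product it mentions, the following Python script scores constructed process events against the five points of the scenario above and then screens out an operator-trusted updater path, in the spirit of the filtering feature the post describes. The account name, paths and hostname are all constructed; a real deployment would feed it audit or EDR events.

```python
from collections import defaultdict
from pathlib import PurePosixPath

HOME = "/Users/alice"  # constructed sample account; not from the original post
# Constructed sample events as (pid, kind, detail). Process 4242 walks through the
# five points of the post; process 5150 is an ordinary command for contrast.
EVENTS = [
    (4242, "exec",    f"{HOME}/Library/Application Support/ExampleUpdater/bin/updater"),
    (4242, "connect", "updates.example.invalid:443"),
    (4242, "write",   "/tmp/bundle-1234/newbinary"),
    (4242, "write",   "/Applications/Example.app/Contents/MacOS/Example"),
    (4242, "write",   f"{HOME}/Library/Preferences/com.example.plist"),
    (4242, "unlink",  "/tmp/bundle-1234/newbinary"),
    (4242, "unlink",  f"{HOME}/Library/Application Support/ExampleUpdater/bin/updater"),
    (5150, "exec",    "/usr/bin/grep"),
    (5150, "write",   f"{HOME}/notes.txt"),
]
EXEC_DIRS = ("/Applications/", "/usr/", "/bin/", "/sbin/", "/Library/")

def is_buried_in_home(path):
    """Point (1): the binary lives three or more directories below $HOME."""
    try:
        rel = PurePosixPath(path).relative_to(HOME)
    except ValueError:
        return False
    return len(rel.parts) - 1 >= 3

def behaviours(events):
    """Map pid -> set of the post's APT-model behaviours seen for that process."""
    own_exec, seen = {}, defaultdict(set)
    for pid, kind, detail in events:
        if kind == "exec":
            own_exec[pid] = detail
            if is_buried_in_home(detail):
                seen[pid].add("hidden_exec")          # points (1) and (2)
        elif kind == "connect":
            seen[pid].add("calls_home")               # point (3)
        elif kind == "write" and detail.startswith(EXEC_DIRS):
            seen[pid].add("replaces_executables")     # point (4)
        elif kind == "write" and detail.endswith(".plist"):
            seen[pid].add("edits_config")             # point (4)
        elif kind == "unlink" and (detail.startswith("/tmp/") or detail == own_exec.get(pid)):
            seen[pid].add("cleans_up")                # point (5)
    return own_exec, seen

def triage(events, trusted_prefixes=(), threshold=3):
    """Flag processes with >= threshold behaviours, minus operator-trusted updater paths."""
    own_exec, seen = behaviours(events)
    return {pid: (own_exec.get(pid), sorted(b)) for pid, b in seen.items()
            if len(b) >= threshold and not own_exec.get(pid, "").startswith(trusted_prefixes)}
```

With an empty trusted list the updater is flagged on all five behaviours; adding its directory to `trusted_prefixes` screens it out while leaving the detection in place for anything else that behaves the same way.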
Fed-talk mailing list (email@hidden)