Startup Targets The Attackers Behind The APT

Click here for more articles.

RSA CONFERENCE 2012 -- San Francisco, Calif. -- A former McAfee executive who spearheaded much of the security firm's advanced persistent threat (APT) research will demonstrate here tomorrow a targeted attack against a smartphone that uses an exploit created by his new startup.

Dmitri Alperovitch, who is CTO of CrowdStrike, a company still in stealth mode that he co-founded with former McAfee CTO and EVP George Kurtz, will show an exploit his team built using malware from an infamous Chinese remote access tool (RAT) used by APT-type attackers. The attack basically spies on and stalks an Android smartphone user's calls, physical location, apps, and data.

"We are trying to highlight that adversaries are going to do the same thing they do on a PC -- and repeating it on a mobile device," says George Kurtz, who is president and CEO of CrowdStrike. "A smartphone is always on, it's always with me, and it has voice, video, phone, a connection to my network, and my sensitive documents. It's always connected, and always has power. It's the ultimate spying tool if you can commandeer it."

Alperovitch and CrowdStrike's Adam Meyers, the former director of cybersecurity intelligence for SRA International, took a piece of Android malware generated by the RAT and reverse-engineered it to create their own RAT for the attack. "In one fell swoop we commandeered a RAT," Alperovitch says. "And we built our own command-and-control infrastructure for it."

The attack works like this: The attacker sends a phishing SMS message to the victim's smartphone, purporting to be from his mobile provider and saying it's time to renew his data plan by clicking an included URL. Once the victim clicks on the URL to "renew" his service, the phone is infected and the attacker gains root access to the smartphone, allowing it to bypass the app permissions step in the Android. It drops the RAT tool and starts the process of snooping on the user via his smartphone.

The attack uses a weaponized vulnerability in Webkit as well, and the RAT to gather GPS data and potentially record phone conversations. "It's an end-to-end mobile attack," Alperovitch says.

Alperovitch concedes that the attack was no small feat. The researchers also wrote their own shellcode on the phone; overall, it took about three weeks of reverse-engineering and exploit-writing to execute the attack just for the Android. Such an attack model could be used against any Webkit-based phones, including iOS, according to CrowdStrike.

"This is the way attacks have been operating in the PC world for a decade. It's probably already happening in mobile, but we don't have visibility in it because the apps can't see that deeply. We don't know the full scope of the situation," Alperovitch says.

CrowdStrike is focused on the attackers behind targeted attacks and, according to Kurtz, will use "big data" technologies to help businesses and governments protect their intellectual property from APTs. The company will drill down on the attributes and tactics of the attackers. CrowdStrike recently secured $26 million in Series A funding.

"You have an adversary problem, not a malware problem" in these attacks, Alperovitch says. "We were getting frustrated about the industry's way of solving the problem. It is looking at a gun or bullet as opposed to the shooter."

The key is to make it more costly for that human being sitting behind the exfiltration stage of the hack, Kurtz says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.