08:34 PM
Connect Directly

Startup Targets The Attackers Behind The APT

Former McAfee execs in new stealth venture will demonstrate an APT-type targeted attack against a smartphone at RSA Conference

Click here for more articles.

RSA CONFERENCE 2012 -- San Francisco, Calif. -- A former McAfee executive who spearheaded much of the security firm's advanced persistent threat (APT) research will demonstrate here tomorrow a targeted attack against a smartphone that uses an exploit created by his new startup.

Dmitri Alperovitch, who is CTO of CrowdStrike, a company still in stealth mode that he co-founded with former McAfee CTO and EVP George Kurtz, will show an exploit his team built using malware from an infamous Chinese remote access tool (RAT) used by APT-type attackers. The attack basically spies on and stalks an Android smartphone user's calls, physical location, apps, and data.

"We are trying to highlight that adversaries are going to do the same thing they do on a PC -- and repeating it on a mobile device," says George Kurtz, who is president and CEO of CrowdStrike. "A smartphone is always on, it's always with me, and it has voice, video, phone, a connection to my network, and my sensitive documents. It's always connected, and always has power. It's the ultimate spying tool if you can commandeer it."

Alperovitch and CrowdStrike's Adam Meyers, the former director of cybersecurity intelligence for SRA International, took a piece of Android malware generated by the RAT and reverse-engineered it to create their own RAT for the attack. "In one fell swoop we commandeered a RAT," Alperovitch says. "And we built our own command-and-control infrastructure for it."

The attack works like this: The attacker sends a phishing SMS message to the victim's smartphone, purporting to be from his mobile provider and saying it's time to renew his data plan by clicking an included URL. Once the victim clicks on the URL to "renew" his service, the phone is infected and the attacker gains root access to the smartphone, allowing it to bypass the app permissions step in the Android. It drops the RAT tool and starts the process of snooping on the user via his smartphone.

The attack uses a weaponized vulnerability in Webkit as well, and the RAT to gather GPS data and potentially record phone conversations. "It's an end-to-end mobile attack," Alperovitch says.

Alperovitch concedes that the attack was no small feat. The researchers also wrote their own shellcode on the phone; overall, it took about three weeks of reverse-engineering and exploit-writing to execute the attack just for the Android. Such an attack model could be used against any Webkit-based phones, including iOS, according to CrowdStrike.

"This is the way attacks have been operating in the PC world for a decade. It's probably already happening in mobile, but we don't have visibility in it because the apps can't see that deeply. We don't know the full scope of the situation," Alperovitch says.

CrowdStrike is focused on the attackers behind targeted attacks and, according to Kurtz, will use "big data" technologies to help businesses and governments protect their intellectual property from APTs. The company will drill down on the attributes and tactics of the attackers. CrowdStrike recently secured $26 million in Series A funding.

"You have an adversary problem, not a malware problem" in these attacks, Alperovitch says. "We were getting frustrated about the industry's way of solving the problem. It is looking at a gun or bullet as opposed to the shooter."

The key is to make it more costly for that human being sitting behind the exfiltration stage of the hack, Kurtz says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-07-09
Heap-based buffer overflow in the xjpegls.dll (aka JLS, JPEG-LS, or JPEG lossless) format plugin in XnView 1.99 and 1.99.1 allows remote attackers to execute arbitrary code via a crafted JLS image file.

Published: 2014-07-09
The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

Published: 2014-07-09
Adobe Flash Player before and 14.x before on Windows and OS X and before on Linux, Adobe AIR before on Android, Adobe AIR SDK before, and Adobe AIR SDK & Compiler before allow attackers to bypass intended access restrictions via uns...

Published: 2014-07-09
Adobe Flash Player before and 14.x before on Windows and OS X and before on Linux, Adobe AIR before on Android, Adobe AIR SDK before, and Adobe AIR SDK & Compiler before allow attackers to bypass intended access restrictions via uns...

Published: 2014-07-09
The NTP implementation in Cisco IOS and IOS XE does not properly support use of the access-group command for a "deny all" configuration, which allows remote attackers to bypass intended restrictions on time synchronization via a standard query, aka Bug ID CSCuj66318.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.