
Red alert in cyber war

Published on 18/03/2015 in Tech, tips & tricks


‘Advanced Persistent Threats’ is the buzzword in the world of security today. But how do these threats work? Bart Callens, Product Manager ICT Security at Proximus, explains.

The first step of an advanced attack is to pick a victim (an individual or an organization) and reach it with malicious or phishing mail, or by infecting websites the victim is known to visit (so-called waterholing). This much is known to most of us. But what happens next is scarier.

The second step is to bypass your protection mechanisms. You may have firewalls, antivirus systems, proxy servers and so on. They scan whatever passes by for ‘signatures’: characteristic pieces of code known to harm computers. The trick, therefore, is to hide the malicious code. Today’s attackers split it across several pieces of content: JavaScript on the web page, a fragment inside a JPEG picture, another in a bitmap separator line, or sometimes in a font embedded in an MS Office document. Once downloaded, one of the pieces exploits a weakness in the software to activate itself and reassemble the others. At this stage we have what is known as ‘shellcode’: a small piece of software whose job is to hide and carry another. Its final step is to decipher itself, or even to download the real malware over a regular protocol such as FTP.

The next step is to nest itself deeply in the software on the computer. The malware first checks that it is not running in a ‘sandboxed’ environment. It then has to obtain administrator rights by using a vulnerability in the OS. From there the malware can hide itself on the disk, in the registry, in applications, in documents or even in the BIOS or in firmware. It will also make sure it restarts every time the computer is restarted, and that it cannot be erased, by nesting itself deep in the OS: you will need a hard reinitialization and reformatting of the hard disk to wipe it out completely, and to be 100% sure the malware does not come back, you may be forced to destroy the existing hardware. Another trick to avoid easy erasure is to spread to other computers, where the process starts all over again. Advanced forms of encryption are also applied to the related network traffic in order to stay under the radar. Finally, if the attacker, from its command and control center, suspects that the malware is about to be detected, it may command the malware to go to sleep or even to erase itself completely, along with every trace of itself.

The final stage is the evil-doing stage, and it may be the exportation of the targeted sensitive data. This involves getting in touch with the command center, where the evil-doer gives the ‘go’ to do what the malware was originally intended for. Most of the time this is the exfiltration of sensitive or financial information, but it could also involve other harmful actions such as wiping the disk, executing a denial of service attack on a given target, destroying whatever is connected to the computer, and so on. The malware may sit there for months before it is triggered by the command center.

Is there a solution to this? Advanced malware disguises itself very well, so it becomes impossible to rely only on end-user vigilance or standard security solutions. The only way to defend your computer is to make sure your security solutions track all emerging threats, and to complement your existing prevention technologies with advanced detection and incident response. As this requires advanced security skills, your best bet may be to rely on managed security services from organizations that deliver continuous security on a real-time, 24/7 basis.
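The article notes that the malware keeps in touch with its command center at regular intervals, and that detection has to complement prevention. One concrete detection idea that follows from that is beaconing analysis: outbound connections from a host to the same destination at very regular intervals and with very similar sizes are suspicious, whatever the traffic contains. The example below is added here and is not code from the article or from Proximus; the log format, the host names, the addresses and the thresholds are all constructed assumptions, and the sample log lines are made up.

```python
"""Beaconing detection over constructed outbound-connection log lines.

Each log line is assumed to be: <ISO timestamp> <source host> <destination> <bytes sent>.
The format, hosts and addresses are constructed for this example, not taken from the article.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real traffic): ws-017 contacts 203.0.113.10 every 10 minutes
# with near-identical request sizes, and 198.51.100.7 irregularly with varying sizes.
SAMPLE_LOG = """\
2015-03-18T09:00:00 ws-017 203.0.113.10:443 412
2015-03-18T09:00:05 ws-017 198.51.100.7:443 1530
2015-03-18T09:10:00 ws-017 203.0.113.10:443 415
2015-03-18T09:12:41 ws-017 198.51.100.7:443 9822
2015-03-18T09:20:00 ws-017 203.0.113.10:443 410
2015-03-18T09:30:00 ws-017 203.0.113.10:443 417
2015-03-18T09:33:07 ws-017 198.51.100.7:443 2201
2015-03-18T09:40:00 ws-017 203.0.113.10:443 414
2015-03-18T09:50:00 ws-017 203.0.113.10:443 411
2015-03-18T10:00:00 ws-017 203.0.113.10:443 413
2015-03-18T10:07:55 ws-017 198.51.100.7:443 700
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Yield (timestamp, src, dst, size) tuples; lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))


def beacon_candidates(text, min_connections=5, max_jitter=0.2, max_size_spread=0.25):
    """Return {(src, dst): stats} for host/destination pairs whose connections look like beacons.

    A pair is reported when it has at least min_connections connections, the coefficient of
    variation (stdev / mean) of the gaps between connections is at most max_jitter, and the
    coefficient of variation of the bytes sent is at most max_size_spread. The thresholds are
    assumptions chosen for this example and should be tuned against real baseline traffic.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, size in parse_log(text):
        by_pair[(src, dst)].append((ts, size))

    results = {}
    for pair, events in by_pair.items():
        if len(events) < min_connections:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        sizes = [size for _, size in events]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        gap_cv = statistics.pstdev(gaps) / mean_gap
        size_cv = statistics.pstdev(sizes) / statistics.mean(sizes)
        if gap_cv <= max_jitter and size_cv <= max_size_spread:
            results[pair] = {
                "connections": len(events),
                "mean_gap_s": mean_gap,
                "gap_cv": gap_cv,
                "size_cv": size_cv,
            }
    return results


if __name__ == "__main__":
    for (src, dst), stats in beacon_candidates(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst} "
              f"({stats['connections']} connections, every {stats['mean_gap_s']:.0f}s)")
```

On the constructed log only the 203.0.113.10 flow is reported: seven connections exactly 600 seconds apart, with sizes that barely vary. The irregular flow to 198.51.100.7 is ignored. Because the check looks at timing and size rather than at content, it still works when the traffic itself is encrypted, which is the situation the article describes; in practice the thresholds must be tuned against the normal periodic traffic of the environment (update checks, monitoring agents) to keep false positives manageable.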


One magazine is the Proximus B2B magazine for CIOs and IT professionals in large and medium-sized organisations.
