3. Physical Connections
A comparatively rare method of infection is to introduce the initial malware directly through a physical connection, such as a flash drive or similar removable device. The initial victim is unwittingly tricked into plugging the infected drive into their computer, thereby self-infecting the machine instantly.
Stage 2 - Download the Real APT
Whatever infection method is used, the first key action the initial malware performs is to download the real APT from a remote server. This second stage is far more capable of carrying the malicious intent to fruition than the initial infection, whose primary function is simply to gain a foothold, typically by exploiting an unpatched or zero-day vulnerability, and then pull down the next stage.
Stage 3 - Spread and Call Home
Once downloaded and installed, the first thing the APT will do - assuming the initial malware has not already done so - is disable any antivirus or similar security software running on the infected computer. The APT will then typically gather some preliminary data from the victim machine and any connected local area network, and then contact a Command & Control (C&C) server to find out what to do next.
The C&C instructions may cover a wide range of actions. In many cases the APT will be told to remain in place, quietly gathering data, and to check in periodically for further instructions. If the C&C instructs the APT to spread the infection, the APT will frequently attach a zero-day exploit to files that its victim touches or edits rather than scan for open or vulnerable computers. However, if the controllers can establish real-time two-way communication with the APT, they can use clues gathered from the user's own files to identify the most promising avenues for further infection and instruct the APT to become more aggressive.
Stage 4 - Data Exfiltration
A successful APT may identify very large volumes of data, potentially terabytes, that the attackers want to see. In some cases the APT will simply export these data via the same C&C servers from which it received its instructions, but often the bandwidth and storage capacity of those intermediate servers is insufficient to transmit the data in a timely fashion. Moreover, the more hops involved in transferring the data, the more likely it is that someone will notice. Consequently, the APT is far more likely to contact a different server directly, essentially a "dropbox", to which it uploads all the data.
The impact of a DNS firewall
A DNS firewall can block, either temporarily or permanently, any of the stages in the idealised attack described above, because each stage begins with the malware resolving the name of a server it wants to reach. One of the key weapons in the defender's arsenal is that cybercriminals trust relatively few intermediate servers and networks. Consequently, these colluding servers and networks tend to be reused over and over again. Going back to the same well time and again heightens the chances that some or all of the server infrastructure used by the attackers can be "discovered and categorized" and, therefore, blocked at the point of name resolution. This infrastructure-specific insight gives a DNS firewall its strength and its ability to thwart APTs and similar malware. The corresponding caveat is that a DNS firewall only sees lookups that pass through the resolver it controls; malware that uses hard-coded IP addresses, or resolves names through an outside resolver, gives it nothing to act on.
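To make the blocking mechanism concrete, here is an added example (not code from the article or from any DNS firewall product) of the core of a DNS firewall: a response-policy filter that answers NXDOMAIN for any query whose name, or whose parent domain, appears in a categorised blocklist of discovered attacker infrastructure. The blocklist entries, stage categories and the sample query log are all constructed for illustration and use the reserved .test top-level domain; the parent-domain walk is modelled loosely on the wildcard QNAME trigger of BIND's response policy zones (RPZ).

```python
"""A minimal DNS firewall: a response-policy filter that blocks lookups of
categorised attacker infrastructure at any stage of the intrusion.

Added example for this article; not code from the page or from any product.
All domain names and the blocklist are constructed for illustration and use
the reserved .test TLD, so nothing here refers to real infrastructure.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed, categorised blocklist. In a real deployment this would be a
# threat-intelligence feed (e.g. an RPZ zone) mapping domains that were
# "discovered and categorized" to the stage of the attack they serve.
BLOCKLIST = {
    "updates.example-cdn.test": "stage2-download",   # hosts the real APT
    "cc.example-c2.test":       "c2",                # command & control
    "files.example-drop.test":  "exfil-dropbox",     # exfiltration dropbox
}


@dataclass(frozen=True)
class Decision:
    qname: str
    action: str                     # "NXDOMAIN" (blocked) or "PASS"
    matched: Optional[str] = None   # blocklist entry that triggered, if any
    category: Optional[str] = None  # attack stage the entry is tagged with


def normalize(qname: str) -> str:
    """Lower-case and strip the trailing root dot so lookups are case- and
    presentation-insensitive, as DNS names themselves are."""
    return qname.rstrip(".").lower()


def lookup_policy(qname: str) -> Optional[Tuple[str, str]]:
    """Walk from the full name up through each parent domain and return the
    first (entry, category) pair found. This mirrors an RPZ QNAME trigger
    with a wildcard: blocking "cc.example-c2.test" also blocks
    "beacon.cc.example-c2.test", but never "notcc.example-c2.test", because
    matching is on whole labels rather than on substrings."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKLIST:
            return candidate, BLOCKLIST[candidate]
    return None


def filter_query(qname: str) -> Decision:
    """Decide how the resolver should answer a single query."""
    hit = lookup_policy(qname)
    if hit is None:
        return Decision(qname=qname, action="PASS")
    entry, category = hit
    # Answering NXDOMAIN (rather than a sinkhole address) makes the malware's
    # download, beacon or upload fail outright; a sinkhole answer would let
    # the defender observe the connection attempt instead.
    return Decision(qname=qname, action="NXDOMAIN", matched=entry, category=category)


def apply_policy(queries: List[str]) -> List[Decision]:
    """Run the policy over a batch of queries, e.g. a resolver's query log."""
    return [filter_query(q) for q in queries]


def summarize(decisions: List[Decision]) -> Counter:
    """Count blocked queries per attack stage: this is the telemetry that
    tells a defender which stage an intrusion has reached."""
    return Counter(d.category for d in decisions if d.action == "NXDOMAIN")


# Constructed query log, as a resolver might see it over a few minutes.
QUERIES = [
    "www.example.com",                 # benign
    "updates.example-cdn.test",        # Stage 2: fetch the real APT
    "beacon.cc.example-c2.test",       # Stage 3: subdomain of the C&C domain
    "CC.EXAMPLE-C2.TEST.",             # Stage 3: same domain, odd casing
    "notcc.example-c2.test",           # looks similar, but is not a child
    "files.example-drop.test",         # Stage 4: exfiltration dropbox
]

if __name__ == "__main__":
    decisions = apply_policy(QUERIES)
    for d in decisions:
        print(f"{d.action:8} {d.qname:30} {d.category or ''}")
    print(dict(summarize(decisions)))
```

The parent-domain walk is what gives the filter its reach against reused infrastructure: once "cc.example-c2.test" is categorised, every host the attackers later stand up beneath it is blocked without a feed update, while a look-alike name such as "notcc.example-c2.test" is left alone because matching is on whole labels. In production the same decision would be applied inside the resolver (for example via an RPZ zone) rather than in a standalone script.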