In targeted attacks, he said, eventually, “somebody puts their fingers to the keyboard,” and begins to exhibit behavior that can be tracked and analyzed. “Malicious behaviors are similar across platforms,” he said. “You’re looking for flow patterns at the packet level. It’s a whole sequence that causes the algorithm to fire.”
He cited the example of a remote-access Trojan (RAT) called GlassRAT that went undetected for several years until RSA discovered and reported on it late last year.
It targeted Chinese nationals associated with large, multinational corporations.
It escaped detection by antivirus tools, “and was highly successful at avoiding signatures,” Banic said, “but when we investigated it, the algorithm fired within 15 minutes.”