Tuesday, February 2, 2010

Is the term ‘malware’ eclipsed by ‘APT’?

I am wondering why we need to change the term 'malware' to 'APT'. APT stands for 'Advanced Persistent Threat', and the term was cooked up by the Department of Defense to describe malware that worked, as opposed to malware that got caught. The term APT has been in the press since the very public Google hacking incident. I like the term APT, but I still wonder why we need it. To its credit, APT is a great term because it accurately describes the problem. On the other hand, it also confuses people. It makes APT sound different and new, when in fact nothing is new.

Many of us have been analyzing malware for years, and functionally the malware today is just the same as it was three years ago, but back then we didn't call it APT. In general, this got me wondering why people change the terms used to describe something (anything in life, really). For this malware and APT thing, the best I could come up with is that many existing security companies adopted the term 'malware' many years ago, and thus their product offerings became tightly associated with the word 'malware'. Over the last few years or so, as people within the DoD and elsewhere realized that existing security investment wasn't adequate to protect their networks, instead of calling the investment a failure for missing the malware, they decided to call the missed malware by a new name. Think: "This isn't malware; it's something new, so of course the millions we've spent don't address it!" A stretch?

The fact is this: malware has always had the ability to be updated in the field, it has always been able to be remotely controlled, and it has always had the ability to spawn a remote shell to a live attacker. And it has always had the ability to scan the file system for files like source code and CAD drawings, and it has always had the ability to exfiltrate those files. At all times and without exception, these malware programs have been operated by real and persistent humans at the other end. The malware doesn't operate itself; it's not an automaton. For the last 365 days, I just called that malware.