February 3, 2012

Advanced Persistent Threats (APTs), Ugh!!!

The wave of APTs has grown, and I think the name we are giving them should be changed. Rootkits, worms and viruses have all been given evolutionary generations to represent leaps in capabilities. APTs are not an exception.

An APT is a piece of malware that can survive AV/AM scans and cleaning, evade IDS/IPS systems, and use advanced techniques for both stealth and data exfiltration.

Combining rootkit technologies with other forms of malware isn't new; this started 10 years ago with worms using stealth techniques to keep antivirus programs from finding them.

I feel we should be calling this class of malware evolution Gen3 malware: an APT can infect like a virus, spread like a worm, or be installed like a trojan. The next generation of malware is just around the corner.

In the wild we are seeing an increase in cryptoviruses using asymmetric cryptosystems to hide themselves and spawn unique versions of themselves to avoid signature-based AV and IDS. We see an increase in rootkit technologies capable of using physical and virtual hardware to hide themselves and maintain control, and we are seeing viruses and worms using advanced polymorphism to generate new versions with different heuristics and signatures.

When Gen4 starts showing up it will likely be extending its reach into virtualization systems, embedded devices, cross-device infection (mobile-to-PC, or vice versa), and likely more capabilities.

Any time you label something "Advanced" you are setting a timer on when it will become commonplace. APTs are commonplace already. We need to use a genomic or evolutionary categorization of this hybrid malware, not slap an "Advanced" label on it because it doesn't fit neatly into our existing catalogs.