FireEye Labs has released a set of tools with the sole purpose of helping organisations detect and examine infections by the Poison Ivy RAT. Cleverly called Calamine, this collection of free tools promises to give security professionals the opportunity to identify the indicators of a Poison Ivy attack including the process mutex and password, decoded command and control traffic and a malware activity timeline.

By connecting these facets of the attack, and correlating them with multiple attacks displaying similar identifying features, FireEye hopes that the bad guys can be better profiled. By combining this big-picture intelligence with granular evidential detail, organisational IT defence can be enhanced.

Now you might be thinking that Poison Ivy is old news; after all, this particular Remote Access Trojan is not only considered the stuff of script kiddie n00b hackers but, at eight years of age, it has also been around long enough to be well and truly on the detection radar. Yet FireEye Labs research suggests quite the opposite, having discovered it to be at the heart of such big breaches as an RSA SecurID data attack in 2011 and insisting it has evidence of Poison Ivy being involved in "hundreds of attacks" that target very high profile enterprises.

These attacks involve several ongoing nation-state threat 'actors' identified by FireEye, such as:

  • admin@338: Active since 2008, this actor mostly targets the financial services industry. FireEye has also observed activity from this actor in telecom, government, and defense sectors.
  • th3bug: First detected in 2009, this actor has been observed by FireEye targeting a number of industries, primarily higher education and health care.
  • menuPass: Also first detected in 2009, FireEye research suggests that this actor targets U.S. and overseas defense contractors.

Darien Kindlund, manager of threat intelligence at FireEye, says "Understanding why Poison Ivy remains one of the most widely used RATs is easy. Controlled through a familiar Windows interface, it offers a bevy of handy features: key logging, screen capture, video capturing, file transfers, password theft, system administration, traffic relaying, and more."


As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.
