Packaged Malware Is Getting More Evasive, Warns McAfee

privacy hiding AET, kitten, cat layers blanket privacy surveillance © Koldunov Alexey Shutterstock

Security vendor believes AETs are a serious problem ignored by the majority of its competitiors

Cyber attackers are finding new ways to wrap their malware up and make it look innocent, but the security vendors are striking back. Last week, Intel Security subsidiary McAfee showed the media the scale of the problem – and demonstrated some tools that might help keep malware under control

Anyone who relies on conventional firewalls, with anti-virus scanning for known attack signatures, should think again, McAfee told journalists at the company’s Executive Briefing Centre in Amsterdam. Attackers can now package up malware so it will circumvent almost any firewall on the market – using what are known as Advanced Evasive Techniques (AETs).

Taking up this challenge is another Intel acquisition, Finnish security vendor Stonesoft (bought by McAfee in 2013). Stonesoft has produced ‘Evader’ – a free tool available to the public that tests various AETs. Alongside that, McAfee claims Stonesoft’s Next Generation Firewall (NGFW) is one of the few solutions that can spot AETs.

But the McAfee counter-attack is not perfect. The company says more research is needed and hopes to get more attention for AETs by publicising its work.

malware, advanced evasion technique hiding surveillance spying © Condor 36 shutterstockState of the art

Most current cyber security tools depend on malware signatures to figure out what kind of data is allowed to pass through the firewall. However, AETs cleverly conceal their signatures – they can disguise malware to look harmless, but arm itself once it gets inside the corporate network.

At their core, AETs are a transport mechanism. What they can do, for example, is split malicious code into small, benign-looking packets and send them one at a time. By the time the second packet arrives, the pattern-matching firewall has already deleted the first packet from its cache, and forgotten all about it. Since the firewall can’t match the pattern, the threat remains undetected.

AETs have been known as a theoretical concept for a while, and Stonesoft was among the first to spot the new generation of such techniques in 2010.

Faced with scepticism about the danger, Stonesoft created Evader, the world’s first software-based AET testing environment. It runs tests on old, well-known exploits like Conficker, as well as new threats. The tool pushes malware through simulated equipment from McAfee as well as that produced by several of its competitors, for example Cisco and Palo Alto Networks. This way, anyone can establish whether a particular vendor is trying to stop AETs.

Klaus Majewski at the McAfee Centre, AmsterdamIf the technical demo we’ve seen is to be believed, Evader is extremely efficient, able to smuggle malware past a firewall in seconds.

“This is not a hacker tool,” clarifies Klaus Majewski, director of Technology and NGFW Engineering at McAfee. “We didn’t want to do a hacker tool, but if we would, it might be interesting to have a metasploit – something that has a lot of exploits – wrap it in the evasion and hit the target. It could probably penetrate anything.”

“Originally, we developed it for our own testing, so that we can actually protect against it [AET]. Every Friday we at R&D update the competitor products with the latest patches and software upgrades, so we can see if somebody’s actually starting to fix something. And during the last two years we have seen some developments from some vendors.”

AET scanning slows your firewall

But here’s the problem: scanning for AETs is a resource-intensive process that completely ruins the performance of the firewall.

“Doing traffic normalisation correctly, so that it catches AETs, is a resource-intensive process that reduces the performance of traditional firewalls that have not been purposely designed to deal with AETs,” said Majewski.

“When McAfee NGFW was very first created, a low level traffic normalisation code was written into the design, as a means of enabling the firewall to carry out AET traffic normalisation correctly. However, many vendors have not prepared their firewalls with this code and as such, attempting to catch AETs slows down their firewalls.

“As the essential code was not written into the original design of many traditional firewalls, there is a risk that low level code changes could inadvertently affect other functions of the product. Consequently, many vendors are cautious about adding in the necessary functionalities retrospectively.”

And perhaps because attacks using AETs are hard to detect, they are still considered mythical beasts by many, not seen in the wild. After all, cyber criminals usually go the way of the least resistance, and there are easier ways to circumvent cyber protection than these advanced techniques.

“We are hoping for resolution for this – that’s the ethical point of view. In the meantime, we shamelesly use it for our benefit,” jokes Majewski.

Are you an Intel Insider? Try our Intel history quiz!