
Advanced Evasion Techniques

Posted on 05/28/2015, by Asier Martínez (INCIBE)

The world of cybercrime is constantly evolving, and it took a significant step forward in 2010 with the introduction of methods known as advanced evasion techniques (AETs). An AET combines several evasion strategies, often at different protocol layers at the same time, so that an attack goes undetected by the protections that inspect network traffic, mainly intrusion detection systems (IDS) and intrusion prevention systems (IPS).

These mechanisms are mainly used in highly sophisticated attacks, such as some botnets and Advanced Persistent Threats (APTs), where they play a key role: among other things, they help the attacker break into the targeted systems and exfiltrate sensitive information.

From the intrusion point of view, the process mainly consists of fragmenting the malicious payload and sending the pieces through several protocols, or through protocol features that are rarely used in normal traffic, so that each piece passes the protections of the attacked system on its own. Once past them, the pieces are reassembled on the target and the compromise of the system can continue.

Figure: Advanced evasion techniques

From the exfiltration point of view, a practical example of an AET is the domain generation algorithm (DGA), a subject already addressed in the article Botnet resilience: botnets that are tough nuts to crack.

Instead of having the domains with which they must communicate hard-coded in the malware, many botnets incorporate a DGA. This periodically generates a large number of candidate domains from given criteria, sometimes as many as 1,000 domains a day.

The malware checks which of these domains resolve and connects to those that do, so as to receive updates or instructions. The bot master, who created the algorithm, knows in advance which domains will be generated. A few of them are picked, registered ahead of time, activated when needed, and finally de-activated once communication with the nodes is complete.

This mechanism makes the task of malware analysts and security firms harder, as they have to reverse-engineer the sample to understand how the algorithm works. Their aim is either to prevent the malware from reaching its command and control (C&C) server, or to get ahead of the bot master by registering some of the upcoming domains themselves (sinkholing) and so take over communication with the nodes.
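As an added example (not code from the original post, and not the Zeus or Torpig algorithm), the following Python sketches the mechanism described in the last three paragraphs: a toy DGA that derives a day's candidate list from a hard-coded seed and the date, the bot side that probes the list for a registered domain, and the analyst side that, having reversed the algorithm, precomputes the coming days' domains for blocking or sinkholing. The seed, alphabet, TLD list, label lengths and the 1,000-per-day count are assumptions chosen for the illustration.

```python
import hashlib
from datetime import date, timedelta
from typing import List, Optional, Set

# Constructed toy DGA. The seed, alphabet and TLD list are assumptions for this
# illustration; they are not taken from any real malware family.
SEED = b"example-botnet-seed"
TLDS = ("com", "net", "org", "info")
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
EXAMPLE_DAY = date(2015, 5, 28)


def generate_domains(day: date, count: int = 1000) -> List[str]:
    """Deterministic list of candidate C&C domains for one day.

    Bot and bot master run the same function, so the bot master can register
    a few entries in advance and every bot will find them by probing the list.
    """
    domains = []
    for index in range(count):
        # Hash (seed, date, index) into 32 bytes and carve a label out of it.
        digest = hashlib.sha256(
            SEED + day.isoformat().encode() + index.to_bytes(4, "big")
        ).digest()
        length = 8 + digest[0] % 9               # labels of 8 to 16 characters
        label = "".join(ALPHABET[b % 26] for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[31] % len(TLDS)]}")
    return domains


def bot_find_c2(day: date, resolvable: Set[str]) -> Optional[str]:
    """Bot side: probe the day's list and stop at the first domain that resolves.

    `resolvable` stands in for DNS here so the example runs offline; a real bot
    would issue lookups and then fetch instructions from the first hit.
    """
    for domain in generate_domains(day):
        if domain in resolvable:
            return domain
    return None


def defender_precompute(start: date, days: int) -> Set[str]:
    """Analyst side: with the algorithm reversed, enumerate every domain for the
    coming days so they can be blocklisted, or registered first (sinkholed)."""
    watchlist: Set[str] = set()
    for offset in range(days):
        watchlist.update(generate_domains(start + timedelta(days=offset)))
    return watchlist


if __name__ == "__main__":
    todays = generate_domains(EXAMPLE_DAY)
    # The bot master registers only the 5th and 700th candidate of the day.
    registered = {todays[4], todays[699]}
    print("bot connects to:", bot_find_c2(EXAMPLE_DAY, registered))
    watchlist = defender_precompute(EXAMPLE_DAY, 7)
    print("domains to watch this week:", len(watchlist))
    print("registered C&C domains already on watchlist:", registered <= watchlist)
```

The point of the example is the asymmetry in effort: the bot master registers two domains, while a defender who does not know the algorithm would have to observe and block the traffic reactively. Once the seed and the function are recovered from the binary, the defender can enumerate the whole week and act before the bot master does, which is exactly why real DGAs guard the seed or, as Torpig did, draw it from an external source.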

Figure: Zeus DGA

Normally the current date is used as the seed for generating domains. Occasionally a more original source is used, as in the case of the Torpig botnet, which used Twitter trending topics as the basis for its domains. Furthermore, to hide this fraudulent traffic among normal activity, the bots also make requests to legitimate sites.

There are other examples of AETs, such as using rarely used fields of some protocols, obfuscating or encrypting the transferred data, or certain denial of service attacks aimed at the inspection device itself. A clear example of the latter is overloading a network device so that it can no longer process all of the traffic in time. The device then falls into an error state and either blocks all traffic (fail closed) or lets all of it through unexamined (fail open).

To get an idea of the real danger of these techniques, consider the figures given in the McAfee report Industry Experts Speak Out on Advanced Evasion Techniques:

  • It is estimated that there are around 330,000 active AETs.
  • Less than 1% are detected by firewalls.

The risk posed by AETs stems from weaknesses and a lack of flexibility in detection systems. Many perimeter protection devices still rely mainly on static detection based on signatures or patterns, applied to packets as they are received; this protection is wholly inadequate against this type of threat. Building a detection model with one signature per evasion is infeasible: the more than 200 known techniques of this type can be combined in around 1,000,000 ways.

Moreover, these systems do not usually analyse the communication flow continuously, but only in pieces, in order to save device resources such as throughput and memory. Inspecting pieces of a stream rather than the stream the target will actually reassemble is what makes these evasions hard to detect.
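To make concrete both the fragment-and-reassemble intrusion process described earlier and the weakness just discussed (inspecting packets, or pieces of a stream, rather than the stream the target sees), here is an added example written for this edit; it is not code from the original post or from any IDS product. It models TCP segments as (offset, bytes) pairs, rebuilds the stream under two overlap policies that real TCP stacks and inspection engines are known to differ on ("first copy wins" versus "last copy wins"), and compares a per-packet signature matcher with a stream matcher. The signature, the segments and the policy assigned to the target are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed example: a toy model of TCP stream reassembly, not a real IDS.
SIGNATURE = b"/etc/passwd"   # assumption: the pattern the inspector looks for


@dataclass
class Segment:
    seq: int      # offset of the first byte within the stream
    data: bytes


def reassemble(segments: List[Segment], policy: str) -> bytes:
    """Rebuild the byte stream from (possibly overlapping) segments.

    policy="first": bytes already received win on overlap.
    policy="last":  bytes received later overwrite earlier ones.
    TCP stacks and inspection engines implement one or the other (and further
    variants); an evasion exploits any mismatch between inspector and target.
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    end = max(seg.seq + len(seg.data) for seg in segments)
    stream = bytearray(end)
    filled = [False] * end
    for seg in segments:                      # in the order they arrived
        for i, byte in enumerate(seg.data):
            pos = seg.seq + i
            if policy == "last" or not filled[pos]:
                stream[pos] = byte
                filled[pos] = True
    return bytes(stream)


def per_packet_match(segments: List[Segment], signature: bytes = SIGNATURE) -> bool:
    """Packet-by-packet inspection: never sees bytes that span two segments."""
    return any(signature in seg.data for seg in segments)


def stream_match(segments: List[Segment], policy: str, signature: bytes = SIGNATURE) -> bool:
    """Stream inspection: searches the stream as rebuilt under `policy`."""
    return signature in reassemble(segments, policy)


# Evasion 1: split the signature across two segments. A per-packet matcher
# misses it; any reassembling inspector catches it.
SPLIT = [
    Segment(0, b"GET /etc/pas"),
    Segment(12, b"swd HTTP/1.0\r\n"),
]

# Evasion 2: send a harmless request, then an overlapping segment that rewrites
# part of it. An inspector that keeps the first copy sees "/etc/xxxxxx"; a
# target that keeps the last copy receives "/etc/passwd".
OVERLAP = [
    Segment(0, b"GET /etc/xxxxxx HTTP/1.0\r\n"),
    Segment(9, b"passwd"),
]


def evasion_report() -> Dict[str, Dict[str, bool]]:
    """What each inspection strategy sees for both evasions."""
    return {
        "split": {
            "per_packet": per_packet_match(SPLIT),
            "stream": stream_match(SPLIT, "first"),
        },
        "overlap": {
            "ids_keeps_first": stream_match(OVERLAP, "first"),
            "target_keeps_last": stream_match(OVERLAP, "last"),
        },
    }


if __name__ == "__main__":
    for name, result in evasion_report().items():
        print(name, result)
```

Evasion 1 is what a per-packet signature engine loses; evasion 2 survives even full reassembly unless the inspector reassembles exactly as the target does, which is why modern engines keep per-host reassembly policies and normalise ambiguous traffic instead of guessing. Combining both with fragmentation at the IP layer, chaff with bad checksums, or unusual protocol options is precisely the combinatorial space the 1,000,000 figure above refers to.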

Although AETs were introduced back in 2010, little is still known about this type of threat, which makes it difficult to take measures against it. However, specialised tools are available to check how our systems respond to them, such as Evader (http://evader.mcafee.com/). Evader is a free cross-platform tool for testing the protection that network devices offer against AETs. It can run known, preconfigured exploits through a chosen set of evasions to check whether the device still blocks them, and it also allows different AETs to be selected and combined manually.


Other useful tools with similar characteristics are Fragroute, whisker, ADMmutate, and even Metasploit.

It is essential that the different actors involved are aware of the risk posed by these threats, invest in researching them, and take the measures necessary to improve the security of the most exposed systems, such as critical infrastructure. Their use is growing, and failure to take appropriate measures may have devastating consequences.