How Threats Disguise Their Network Traffic
Threats have evolved to try and circumvent advances in analysis and detection. Every improvement by security vendors is met with a response from cybercriminals. Stuxnet, for example, paved the way for the other threat families to use the LNK vulnerability. Using Conficker/DOWNAD popularized the use of a domain generation algorithm (DGA). This is now used by other malware families as well, including ZeroAccess and TDSS.
The goal of these evasion techniques is simple: to avoid early detection and allow an attacker to establish a foothold on target machines.
In our paper Network Detection Evasion Methods, we discuss how some threats attempt to thwart detection by blending in with normal network traffic. This includes connections to Google and Microsoft Update, as well as traffic produced by popular instant messengers such as Yahoo! Messenger. Below are some of the remote access Trojans (RATs) we found to have used this method in an attempt to remain under the radar:
- FAKEM. This RAT is typically found in spear-phishing emails and was found to disguise its network communication to mimic Windows Live Messenger, Yahoo! Messenger, and HTML traffic among others.
- Mutator. Or Rodecap, which is reportedly associated with Stealrat botnet. It downloads Stealrat modules or components, and in some instances, may spoof its HTTP header by using “google.com” to blend with normal traffic.
While the list is not particularly long and the methods are simple, the paper shows the cybercriminals’ ability to adapt and upgrade their techniques. This stresses how they are continuously improving their methods and strategies to bypass network security in an attempt to take over systems and remain hidden from security researchers. For more information about these threats and tips on how to effectively detect malicious network traffic, you may read the full paper, Network Detection Evasion Methods: Blending with Legitimate Traffic.
Additional insights by Jessa De La Torre