AET – The Next Level
For some reason, not all security vendors acknowledge the reality of the possible existence of the Advanced Evasion Technique (AET). The question is, have AETs actually been amongst us for some time now, delivering their adverse payloads to circumvent our trusted levels of perceived security?
To move forward, at times it is necessary to look back, so with a quick jump we find ourselves in the mid-eighties. It was in this era that the computer virus started to hit the headlines in the form of Brain, Cascade, Coffee Shop, and of course good old Joshi. In those early days of green-shoot malicious little bugs, I did some research, and after reading up on the works of Mr Fred Cohen I was left with a concern as to what was to come. At that time I was working as the Computer Security Operative at a sensitive military unit which had close ties with GCHQ and CESG, so in pursuit of some smarty points, I thought it would be worth notifying the West Country of what looked like something that could have teeth. Imagine my surprise when I received a response which said ‘we do not consider the computer virus to be a lasting threat, and regard them (viruses) as a passing nuisance’. If only!
Still in the world of the computer virus, following some research and field testing I conducted, I developed some very simple techniques which could be utilised to encapsulate an infection deep inside various methodologies, which I then proved could be used to circumvent the majority of Anti-Virus applications. I presented this research and its findings at the Virus Bulletin Conference, Amsterdam, 1993 – was this an early example of an AET?
Around this same period, I decided to do a little experimentation with Operating Systems, and found that Command.com could be easily reverse engineered with the simple application of a Hex Editor. This was by no means rocket science, but I was able to remove internal commands, replace them with hooks out to other potentially malicious applications, and, to have a bit of fun, allow the user to make a directory but not remove it – that internal command had been deleted. Considering the adverse consequences this brought to the computing table, here was an attack which was not at that time detected by any security application, and by simply replacing the altered command.com onto the average DOS 6.0 disk set, a whole set of PCs could potentially be compromised at time of install. This of course was never released, but it just goes to show – could this have been yet another example of an early AET? I wonder!
Coming up to date, when Spam entered the world of computing I wrote a paper on the dangers of Spam, and in fact attended a meeting at the House of Commons where I introduced my concerns about this new internet-based transportation mechanism, which could be utilised to deliver an adverse payload. Unfortunately, just as with the early report of the computer virus, Spam was yet again considered just a nuisance – it was about 1 year later when the general opinion on the subject of Spam changed!
When it comes to modern day computing platforms, the circumstance of ‘something’ – which I would refer to as an AET – does in my opinion hold a significant level of reality, and could expose perimeter and internal security to a successful incursion and system compromise. It is also the case that even if there are up to date, well maintained perimeter security devices in situ, there is no guarantee that they will detect, report, or block an AET attack.
It may be, however, that the very term AET is something that is unpalatable, and is not regarded as a real threat. In my experience, this is yet again just another example of denial of ‘something’ that is not that well understood – so let us call the AET ‘something’ to create a level of acceptability. But one thing is for sure: I feel they are here to stay, and possibly always have been, but are now more complex, and should be treated with the respect they deserve – go on, use a little imagination; it may be the only limitation that is hindering rare sense.
Posted 28/07/2011 by John Walker
Tagged under: AET, Hacking, Virus, Malware