New malware technique targets intrusion-prevention systems

A recently discovered category of malware -- advanced evasion techniques -- can sneak through most intrusion-prevention systems to deliver even well-known exploits such as Sasser and Conficker to targeted machines without leaving a trace of how they got there, researchers say.

CERTs in several countries have been sending out notices to dozens of IPS vendors to notify them of the threat so they can take measures to guard against AETs, according to the Finnish national CERT to which the discovery was brought by Stonesoft, the IPS vendor that discovered them.

CERT-FI has enlisted help of CERTs in other countries to help spread the word, says Jussi Eeronen, an information security advisor for CERT-FI. The goal is for vendors to upgrade their gear to handle AETs, he says.

AETs combine more than one known simple evasion technique that IPSs may be able to defend against individually, but the combination makes for a different beast that the IPSs cannot detect, says Stonesoft, maker of IPSs and other security gear, which discovered AETs.

AETs themselves don't do damage, but they bring stealth capabilities to malware that enables it to reach targeted systems, says Mark Boltz, senior solutions architect at Stonesoft. So far there is no evidence that AETs have been used in the wild, he says.

Evasion techniques have been known for more than a decade and most IPSs can defend against them, but using more than one at a time creates combinations that bypass current IPSs, Boltz says.

Mixing and matching pairs of the already known evasion techniques results in 2,180 possible AETs. Adding AETs that use more than two at a time makes the total number of possibilities even greater, as does adding new simple evasion techniques to the known list, he says.

In Stonesoft tests, a set of AETs were used to conceal Conficker and Sasser worms, and they were sent against 10 of the industry-leading IPSs as ranked in Gartner's most recent Magic Quadrant for IPSs. None of these IPSs detected the AETs, Boltz says.

Stonesoft's own StoneGuard IPS can detect and block the attacks, he says.

Stonesoft's claims about AETs were validated by ICSA Labs, which allowed Stonesoft to run an attack over a VPN from Finland, using a Stonesoft tool. The attack had to defeat IPSs located at ICSA facilities in Pennsylvania, says Jack Walsh, ICSA's network IPS program manager.

Walsh says AETs generated by the tool successfully evaded the IPSs and made it possible for the Conficker worm to hit target Windows Servers with the CVE-2008-4250 vulnerability unpatched. Conficker was used because it is well known and IPSs by now should be able to recognize it if it isn't cloaked.

All of the IPSs tested failed to block at least some of the AETs, he says, including a version of Stonesoft's own IPS. Stonesoft claims its latest version can detect the AETs, Walsh says, but ICSA hasn't tested that.

An example of a simple evasion technique is IP fragmentation, Boltz says. Attackers fragment packets containing malware in the hope that IPSs won't reassemble the packets, will miss the malware they contain and will pass them through. Today, most IPSs have engines that reassemble fragmented packets and screen them.

URL obfuscation is another example of a simple evasion in which a URL is altered slightly so it passes through an IPS but not so altered that the target machine can't use it, Boltz says. Many IPSs today can handle this as well, he says.

But in combination, some of these simple evasions can bypass IPSs, he says. And Stonesoft has come up with some new simple evasions that can be added to the mix. For instance, using a TCP/IP stack of their own design, Stonesoft researchers take advantage of the TCP TIME-WAIT state, a notification to receiving machines of how long to leave TCP ports open in anticipation of further communication.

By connecting to a target machine and immediately shutting down the session, the TCP/IP stack can then start up a new session through the still-open ports and use it to transmit malware. Because the IPS has already checked the initial connection for proper handshake and state information, it allows subsequent traffic through. "This is a shortcut to make the IPS run faster," he says.
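The fragmentation and URL-obfuscation examples above can be reduced to a toy inspection pipeline. This added example is not code from the article or from Stonesoft; the signature, the request and the fragments are constructed sample data. It shows why a matcher that undoes only one evasion layer (reassembly or decoding, but not both) still misses a payload that combines the two, while a matcher that normalises in the order the target host would (reassemble first, then decode, then inspect) catches it.

```python
# Toy IPS inspection pipeline (constructed example, not Stonesoft's code).
from urllib.parse import unquote

SIGNATURE = b"GET /cgi-bin/vulnerable.cgi"  # constructed signature pattern


def reassemble(fragments):
    """Rebuild a payload from (offset, bytes) fragments, as the target's
    IP stack would. On overlap the later fragment in offset order wins;
    a real IPS must mirror the target's overlap policy exactly."""
    buf = bytearray()
    for offset, data in sorted(fragments, key=lambda f: f[0]):
        if len(buf) < offset:                      # fill any hole
            buf.extend(b"\x00" * (offset - len(buf)))
        buf[offset:offset + len(data)] = data
    return bytes(buf)


def normalize_url(payload):
    """Undo URL obfuscation (percent-encoding, '/./' segments) as a
    web server would before it resolves the path."""
    text = unquote(payload.decode("latin-1"))
    while "/./" in text:
        text = text.replace("/./", "/")
    return text.encode("latin-1")


def naive_match(fragments):
    """Inspects each fragment raw: defeated by either evasion alone."""
    return any(SIGNATURE in data for _, data in fragments)


def decode_only_match(fragments):
    """Decodes each fragment but never reassembles: pattern spans fragments."""
    return any(SIGNATURE in normalize_url(data) for _, data in fragments)


def reassemble_only_match(fragments):
    """Reassembles but never decodes: pattern is still percent-encoded."""
    return SIGNATURE in reassemble(fragments)


def layered_match(fragments):
    """Reassemble, then decode, then inspect: the only matcher that holds."""
    return SIGNATURE in normalize_url(reassemble(fragments))


# Constructed traffic: one request that is URL-obfuscated AND split into
# out-of-order fragments, i.e. two simple evasions combined.
OBFUSCATED = b"GET /cgi-bin/./vuln%65rable.cgi HTTP/1.0\r\n"
FRAGMENTS = [(16, OBFUSCATED[16:]), (0, OBFUSCATED[:16])]

if __name__ == "__main__":
    for name, fn in [("naive", naive_match), ("decode only", decode_only_match),
                     ("reassemble only", reassemble_only_match),
                     ("layered", layered_match)]:
        print(f"{name:16s} detects: {fn(FRAGMENTS)}")
```

Only the layered matcher reports a hit; the three partial matchers each defend against one evasion and miss the combination, which is the behaviour the article attributes to the tested products.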

Stonesoft has been keeping its AET tool confidential, not allowing it to be copied to CERTs or even to ICSA for purposes of testing.

CERT-FI is going through the process of alerting vendors whose products might be affected by AETs in hopes they will take measures to defend against them, says Eeronen. As is usual with such notifications, CERT-FI is giving vendors time to act on its warning. Eventually, even if all the vendors have not upgraded to fight AETs, CERT-FI will make a formal advisory about them, he says.

"We talk to the vendors until we feel that delaying the case further won’t give us any more benefit," he says.

Stonesoft's announcement of AETs today is out of sync with CERT-FI's formal advisory, but he says that is because Stonesoft happens to be a vendor, not just a researcher. "This issue is a bit exceptional and they are a commercial entity with their own business interests," he says.

He says he hopes vendors can get fixes out by the end of the year. "Vendors have their own schedules," he says.

Businesses that rely on IPSs should query their vendors about whether they are vulnerable to AETs, Boltz says. In general, businesses should make sure their IPS software is kept updated and be aware of what certifications the products have and what those certifications mean, says Walsh. A device may have ICSA certification, for example, but customers should check what test set the devices were tested against, he says.


Tim Greene

Network World