New malware technique targets intrusion-prevention systems

A recently discovered category of malware -- advanced evasion techniques -- can sneak through most intrusion-prevention systems to deliver even well-known exploits such as Sasser and Conficker to targeted machines without leaving a trace of how they got there, researchers say.

IPS performance tests show products must slow down for safety

CERTs in several countries have been sending out notices to dozens of IPS vendors to notify them of the threat so they can take measures to guard against AETs, according to the Finnish national CERT to which the discovery was brought by Stonesoft, the IPS vendor that discovered them.

CERT-FI has enlisted help of CERTs in other countries to help spread the word, says Jussi Eeronen, an information security advisor for CERT-FI. The goal is for vendors to upgrade their gear to handle AETs, he says.

AETs combine more than one known simple evasion technique that IPSs may actually be able to defend against individually, but the combination of them makes for a different beast that the IPSs cannot detect, says StoneSoft, maker of IPSs and other security gear, which discovered AETs.

AETs themselves don't do damage, but they bring stealth capabilities to malware that enables it to reach targeted systems, says Mark Boltz, senior solutions architect at Stonesoft. So far there is no evidence that AETs have been used in the wild, he says.

Evasion techniques have been known for more than a decade and most IPSs can defend against them, but using more than one at a time creates combinations that bypass current IPSs, Boltz says.

Mixing and matching pairs of the already known evasion techniques results in 2,180 possible AETs, Adding AETs that use more than two at a time makes the total number of possibilities even greater, as does the adding new simple evasion techniques to the known list, he says.

In Stonesoft tests, a set of AETs were used to conceal Conficker and Sasser worms, and they were sent against 10 of the industry-leading IPSs as ranked in Gartner's most recent Magic Quadrant for IPSs. None of these IPSs detected the AETs, Boltz says.

Stonesoft's own StoneGuard IPS can detect and block the attacks, he says.

Stonesoft's claims about AETs were validated by ICSA Labs, which allowed Stonesoft to run an attack over a VPN from Finland, using a Stonesoft tool. The attack had to pass defeat IPSs located at ICSA facilities in Pennsylvania, says Jack Walsh, ICSA's network IPS program manager.

Walsh says AETs generated by the tool successfully evaded the IPSs and made it possible for the Conficker worm to hit target Windows Servers with the CVE-2008-4250 vulnerability unpatched. Conficker was used because it is well known and IPSs by now should be able to recognize it if it isn't cloaked.

All of the IPSs tested failed to block at least some of the AETs, he says, including a version of Stonesoft's own IPS. Stonesoft claims its latest version can detect the AETs, Walsh says, but ICSA hasn't tested that.

An example of a simple evasion technique is IP fragmentation, Boltz says. Attackers fragment packets containing malware in hopes that IPSs won’t reassemble the packets, miss the malware they contain and pass them through. Today, most IPSs have engines that reassemble fragmented packets and screen them.

URL obfuscation is another example of a simple evasion in which a URL is altered slightly so it passes through an IPS but not so altered that the target machine can't use it, Boltz says. Many IPSs today can handle this as well, he says.

But in combination, some of these simple evasions can bypass IPSs, he says. And Stonesoft has come up with some new simple evasions that can be added to the mix. For instance, using a TCP/IP stack of their own design, Stonesoft researchers take advantage of TCP time-weight state, notification to receiving machines how long to leave open TCP ports in anticipation of further communication.

By connecting to a target machine and immediately shutting down the session, the TCP/IP stack can then start up a new session through the still-open ports and use it to transmit malware. Because the IPS has already checked the initial connection for proper handshake and state information, it allows subsequent traffic through. "This is a shortcut to make the IPS run faster," he says.

Stonesoft has been keeping its AET tool confidential, not allowing it to be copied to CERTS or even to ICSA for purposes of testing.

CERT-FI is going through the process of alerting vendors whose products might be affected by AETs in hopes they will take measures to defend against them, says Eeronen. As is usual with such notifications, CERT-FI is giving vendors time to act on its warning. Eventually, even if all the vendors have not upgraded to fight AETs, CERT-FI will make a formal advisory about them, he says.

"We talk to the vendors until we feel that delaying the case further won’t give us any more benefit," he says.

Stonesoft's announcement of AETs today is out of sync with CERT-FIs formally advisory, but he says that is because Stonesoft happens to be a vendor, not just a researcher. "This issue is a bit exceptional and they are a commercial entity with their own business interests," he says.

He says he hopes vendors can get fixes out by the end of the year. "Vendors have their own schedules," he says.Businesses that rely on IPSs should query their vendors about whether they are vulnerable to AEPs, Boltz says. In general, businesses should make sure their IPS software is kept updated and to be aware of what certifications the products have and what those certifications mean, says Walsh. A device may have ICSA certification, for example, but customers should check what test set the devices were tested agains, he says.

Read more about wide area network in Network World's Wide Area Network section.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags malwareWide Area Networkntrusion-prevention systems

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Tim Greene

Tim Greene

Network World
Show Comments




Sony WH-1000XM4 Wireless Noise Cancelling Headphones

Learn more >


Back To Business Guide

Click for more ›

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers


This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang


It really doesn’t get more “gaming laptop” than this.

Jack Jeffries


As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr


The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?