New malware technique targets intrusion-prevention systems

A recently discovered category of malware -- advanced evasion techniques -- can sneak through most intrusion-prevention systems to deliver even well-known exploits such as Sasser and Conficker to targeted machines without leaving a trace of how they got there, researchers say.

A recently discovered category of malware -- advanced evasion techniques -- can sneak through most intrusion-prevention systems to deliver even well-known exploits such as Sasser and Conficker to targeted machines without leaving a trace of how they got there, researchers say.

IPS performance tests show products must slow down for safety

CERTs in several countries have been sending out notices to dozens of IPS vendors to notify them of the threat so they can take measures to guard against AETs, according to the Finnish national CERT to which the discovery was brought by Stonesoft, the IPS vendor that discovered them.

CERT-FI has enlisted help of CERTs in other countries to help spread the word, says Jussi Eeronen, an information security advisor for CERT-FI. The goal is for vendors to upgrade their gear to handle AETs, he says.

AETs combine more than one known simple evasion technique that IPSs may actually be able to defend against individually, but the combination of them makes for a different beast that the IPSs cannot detect, says StoneSoft, maker of IPSs and other security gear, which discovered AETs.

AETs themselves don't do damage, but they bring stealth capabilities to malware that enables it to reach targeted systems, says Mark Boltz, senior solutions architect at Stonesoft. So far there is no evidence that AETs have been used in the wild, he says.

Evasion techniques have been known for more than a decade and most IPSs can defend against them, but using more than one at a time creates combinations that bypass current IPSs, Boltz says.

Mixing and matching pairs of the already known evasion techniques results in 2,180 possible AETs, Adding AETs that use more than two at a time makes the total number of possibilities even greater, as does the adding new simple evasion techniques to the known list, he says.

In Stonesoft tests, a set of AETs were used to conceal Conficker and Sasser worms, and they were sent against 10 of the industry-leading IPSs as ranked in Gartner's most recent Magic Quadrant for IPSs. None of these IPSs detected the AETs, Boltz says.

Stonesoft's own StoneGuard IPS can detect and block the attacks, he says.

Stonesoft's claims about AETs were validated by ICSA Labs, which allowed Stonesoft to run an attack over a VPN from Finland, using a Stonesoft tool. The attack had to pass defeat IPSs located at ICSA facilities in Pennsylvania, says Jack Walsh, ICSA's network IPS program manager.

Walsh says AETs generated by the tool successfully evaded the IPSs and made it possible for the Conficker worm to hit target Windows Servers with the CVE-2008-4250 vulnerability unpatched. Conficker was used because it is well known and IPSs by now should be able to recognize it if it isn't cloaked.

All of the IPSs tested failed to block at least some of the AETs, he says, including a version of Stonesoft's own IPS. Stonesoft claims its latest version can detect the AETs, Walsh says, but ICSA hasn't tested that.

An example of a simple evasion technique is IP fragmentation, Boltz says. Attackers fragment packets containing malware in hopes that IPSs won’t reassemble the packets, miss the malware they contain and pass them through. Today, most IPSs have engines that reassemble fragmented packets and screen them.

URL obfuscation is another example of a simple evasion in which a URL is altered slightly so it passes through an IPS but not so altered that the target machine can't use it, Boltz says. Many IPSs today can handle this as well, he says.

But in combination, some of these simple evasions can bypass IPSs, he says. And Stonesoft has come up with some new simple evasions that can be added to the mix. For instance, using a TCP/IP stack of their own design, Stonesoft researchers take advantage of TCP time-weight state, notification to receiving machines how long to leave open TCP ports in anticipation of further communication.

By connecting to a target machine and immediately shutting down the session, the TCP/IP stack can then start up a new session through the still-open ports and use it to transmit malware. Because the IPS has already checked the initial connection for proper handshake and state information, it allows subsequent traffic through. "This is a shortcut to make the IPS run faster," he says.

Stonesoft has been keeping its AET tool confidential, not allowing it to be copied to CERTS or even to ICSA for purposes of testing.

CERT-FI is going through the process of alerting vendors whose products might be affected by AETs in hopes they will take measures to defend against them, says Eeronen. As is usual with such notifications, CERT-FI is giving vendors time to act on its warning. Eventually, even if all the vendors have not upgraded to fight AETs, CERT-FI will make a formal advisory about them, he says.

"We talk to the vendors until we feel that delaying the case further won’t give us any more benefit," he says.

Stonesoft's announcement of AETs today is out of sync with CERT-FIs formally advisory, but he says that is because Stonesoft happens to be a vendor, not just a researcher. "This issue is a bit exceptional and they are a commercial entity with their own business interests," he says.

He says he hopes vendors can get fixes out by the end of the year. "Vendors have their own schedules," he says.Businesses that rely on IPSs should query their vendors about whether they are vulnerable to AEPs, Boltz says. In general, businesses should make sure their IPS software is kept updated and to be aware of what certifications the products have and what those certifications mean, says Walsh. A device may have ICSA certification, for example, but customers should check what test set the devices were tested agains, he says.

Read more about wide area network in Network World's Wide Area Network section.

Insider: How a good CSO confronts inevitable bad news
Join the discussion
Be the first to comment on this article. Our Commenting Policies