A recently discovered category of malware -- advanced evasion techniques (AETs) -- can sneak through most intrusion-prevention systems to deliver even well-known exploits such as Sasser and Conficker to targeted machines without leaving a trace of how they got there, researchers say.
CERTs in several countries have been sending out notices to dozens of IPS vendors to notify them of the threat so they can take measures to guard against AETs, according to the Finnish national CERT to which the discovery was brought by Stonesoft, the IPS vendor that discovered them.
CERT-FI has enlisted help of CERTs in other countries to help spread the word, says Jussi Eeronen, an information security advisor for CERT-FI. The goal is for vendors to upgrade their gear to handle AETs, he says.
AETs combine more than one known simple evasion technique that IPSs may actually be able to defend against individually, but the combination of them makes for a different beast that the IPSs cannot detect, says StoneSoft, maker of IPSs and other security gear, which discovered AETs.
AETs themselves don't do damage, but they bring stealth capabilities to malware that enables it to reach targeted systems, says Mark Boltz, senior solutions architect at Stonesoft. So far there is no evidence that AETs have been used in the wild, he says.
Evasion techniques have been known for more than a decade and most IPSs can defend against them, but using more than one at a time creates combinations that bypass current IPSs, Boltz says.
Mixing and matching pairs of the already known evasion techniques results in 2,180 possible AETs, Adding AETs that use more than two at a time makes the total number of possibilities even greater, as does the adding new simple evasion techniques to the known list, he says.
In Stonesoft tests, a set of AETs were used to conceal Conficker and Sasser worms, and they were sent against 10 of the industry-leading IPSs as ranked in Gartner's most recent Magic Quadrant for IPSs. None of these IPSs detected the AETs, Boltz says.
Stonesoft's own StoneGuard IPS can detect and block the attacks, he says.
Stonesoft's claims about AETs were validated by ICSA Labs, which allowed Stonesoft to run an attack over a VPN from Finland, using a Stonesoft tool. The attack had to pass defeat IPSs located at ICSA facilities in Pennsylvania, says Jack Walsh, ICSA's network IPS program manager.
Walsh says AETs generated by the tool successfully evaded the IPSs and made it possible for the Conficker worm to hit target Windows Servers with the CVE-2008-4250 vulnerability unpatched. Conficker was used because it is well known and IPSs by now should be able to recognize it if it isn't cloaked.
All of the IPSs tested failed to block at least some of the AETs, he says, including a version of Stonesoft's own IPS. Stonesoft claims its latest version can detect the AETs, Walsh says, but ICSA hasn't tested that.