Walsh says AETs generated by the tool successfully evaded the IPSs and made it possible for the Conficker worm to hit target Windows Servers with the CVE-2008-4250 vulnerability unpatched. Conficker was used because it is well known and IPSs by now should be able to recognize it if it isn't cloaked.
All of the IPSs tested failed to block at least some of the AETs, he says, including a version of Stonesoft's own IPS. Stonesoft claims its latest version can detect the AETs, Walsh says, but ICSA hasn't tested that.
An example of a simple evasion technique is IP fragmentation, Boltz says. Attackers fragment packets containing malware in hopes that IPSs won't reassemble the packets, miss the malware they contain and pass them through. Today, most IPSs have engines that reassemble fragmented packets and screen them.
URL obfuscation is another example of a simple evasion in which a URL is altered slightly so it passes through an IPS but not so altered that the target machine can't use it, Boltz says. Many IPSs today can handle this as well, he says.
But in combination, some of these simple evasions can bypass IPSs, he says. And Stonesoft has come up with some new simple evasions that can be added to the mix. For instance, using a TCP/IP stack of their own design, Stonesoft researchers take advantage of TCP time-weight state, notification to receiving machines how long to leave open TCP ports in anticipation of further communication.
By connecting to a target machine and immediately shutting down the session, the TCP/IP stack can then start up a new session through the still-open ports and use it to transmit malware. Because the IPS has already checked the initial connection for proper handshake and state information, it allows subsequent traffic through. "This is a shortcut to make the IPS run faster," he says.
Stonesoft has been keeping its AET tool confidential, not allowing it to be copied to CERTS or even to ICSA for purposes of testing.
CERT-FI is going through the process of alerting vendors whose products might be affected by AETs in hopes they will take measures to defend against them, says Eeronen. As is usual with such notifications, CERT-FI is giving vendors time to act on its warning. Eventually, even if all the vendors have not upgraded to fight AETs, CERT-FI will make a formal advisory about them, he says.
"We talk to the vendors until we feel that delaying the case further won't give us any more benefit," he says.
Stonesoft's announcement of AETs today is out of sync with CERT-FIs formally advisory, but he says that is because Stonesoft happens to be a vendor, not just a researcher. "This issue is a bit exceptional and they are a commercial entity with their own business interests," he says.