October 27, 2010, 1:04 PM — Security vendor Stonesoft says it has found 26 more ways to get past most intrusion prevention systems (IPSs) without leaving a trace, making advanced evasion techniques (AETs) an even larger looming threat.
After announcing its discovery of 16 AETs last week, the company now says its researchers have come up with more of them and urges IPS vendors to take steps to combat the threat, which can sneak past IPSs undetected and deliver malware to vulnerable machines.
Because AETs slip through conventional defenses unnoticed, it is difficult to know how widely they are used in the real world, if at all, says Mark Boltz, senior solutions architect at Stonesoft. "We do not have reason to believe that these tools are being widely used in the wild at this time," he says. "We have no proof one way or the other. They're difficult to detect."
Stonesoft says it keeps banging the drum about AETs because they are potentially so effective. Security vendors should work out defenses against them before they become more widespread. "We're trying to get vendors to be proactive rather than in the reactive state we tend to operate in as security professionals," he says.
One mitigating factor is that it is difficult to craft AETs that both evade IPS detection and still deliver their malicious payload intact to the targeted machine. "AETs are not for the faint of heart," he says. Stonesoft has developed a tool, which it will not release, that it uses in its research to create AETs.
Stonesoft discussed AETs with analysts, researchers, customers and press during a conference call Tuesday.
One remedy Stonesoft suggests is a protocol normalizer: an engine within an IPS that reconstructs traffic that may contain AETs so that it unambiguously follows protocol rules before it is inspected. The normalized traffic is then inspected by the IPS and, if found to be clean, is passed on to the machine it is addressed to.
The problem with that approach is that normalized traffic can differ enough from the raw traffic that it never reaches the end machine, or cannot be understood by it, says Samuel Gorton, a researcher with network security firm Skaion. Gorton wrote about combining evasion techniques in 2003 and participated in the conference call.
Boltz agrees that normalizing traffic so target systems will still accept it is difficult. "That is the largest challenge to overcome at this point," he says. "There has to be an answer to that problem."
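As an added illustration of the normalizer idea and of Gorton's objection (this is not the page's code, nor Stonesoft's or Skaion's), the following Python models one classic ambiguity a normalizer has to resolve: two TCP segments whose payloads overlap, where a host that keeps the first-arrived bytes and a host that lets later bytes overwrite them reconstruct different streams. The segment layout, the `ATTACK` token used as a stand-in signature, and the first-wins normalization policy are constructed assumptions for this example; the page itself does not say which ambiguities Stonesoft's AETs exploit.

```python
"""Added example: overlapping TCP segments are ambiguous, and a normalizer
removes the ambiguity by re-emitting non-overlapping segments.

Everything here is constructed for illustration; it is not Stonesoft's
research tool or any real IPS engine.  Overlap handling is only one of the
ambiguities a real normalizer must deal with (assumption for illustration).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int      # relative sequence number of the first payload byte
    data: bytes


def reassemble(segments, favor_new):
    """Rebuild the byte stream, resolving overlaps with one host policy.

    favor_new=False: bytes that arrived first are kept (first-wins).
    favor_new=True:  a later segment overwrites earlier bytes (last-wins).
    Raises ValueError if the stream has a hole, since an inspector cannot
    reconstruct data it never saw.
    """
    buf = {}
    for seg in segments:
        for i, b in enumerate(seg.data):
            off = seg.seq + i
            if favor_new or off not in buf:
                buf[off] = b
    if not buf:
        return b""
    lo, hi = min(buf), max(buf)
    if len(buf) != hi - lo + 1:
        raise ValueError("hole in stream")
    return bytes(buf[off] for off in range(lo, hi + 1))


def normalize(segments):
    """Re-emit segments so that no stream offset is covered twice (first-wins).

    Bytes already seen are trimmed from later segments, so whichever overlap
    policy the end host uses, it reconstructs exactly the stream the IPS
    inspected.  Segments that become empty after trimming are dropped.
    """
    seen = set()
    out = []
    for seg in segments:
        run_seq, run = None, bytearray()
        for i, b in enumerate(seg.data):
            off = seg.seq + i
            if off in seen:
                if run:               # close the current non-overlapping run
                    out.append(Segment(run_seq, bytes(run)))
                    run_seq, run = None, bytearray()
                continue
            seen.add(off)
            if run_seq is None:
                run_seq = off
            run.append(b)
        if run:
            out.append(Segment(run_seq, bytes(run)))
    return out


def matches(stream, signature):
    """Stand-in for an IPS content signature check."""
    return signature in stream


SIGNATURE = b"ATTACK"   # constructed "malicious" token, not a real signature

# Constructed evasive stream: a benign request, then an overlapping segment
# that rewrites stream bytes 5..10.  A first-wins inspector sees the benign
# request; a last-wins target sees the token the inspector never matched.
EVASIVE = [
    Segment(0, b"GET /benign.txt"),
    Segment(5, b"ATTACK"),
]


def demo(segments=EVASIVE, signature=SIGNATURE):
    """Return what the IPS and the target host see, before and after normalizing."""
    ips_view = reassemble(segments, favor_new=False)
    host_view = reassemble(segments, favor_new=True)
    normalized = normalize(segments)
    return {
        "ips_view": ips_view,
        "ips_alerts": matches(ips_view, signature),
        "host_view": host_view,
        "host_gets_payload": matches(host_view, signature),
        "normalized": normalized,
        # after normalization both policies agree, so the IPS verdict holds
        "host_view_after": reassemble(normalized, favor_new=True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run stand-alone, `demo()` shows the first-wins IPS reconstructing `GET /benign.txt` and raising no alert, while a last-wins host would reconstruct `GET /ATTACK.txt`; after `normalize()` only the first segment survives, so both policies yield the stream the IPS inspected. The same output also shows Gorton's point: the normalizer has silently decided which bytes the end host receives, so a host whose own policy would have kept the later bytes now gets different data than was sent, and a real normalizer must make that choice for every ambiguous protocol feature without breaking legitimate sessions.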