Security threat and response is a vicious circle of escalating (and increasingly evasive) attacks and sophisticated (and increasingly costly) defenses. The latest generation of malware includes deviously creative evasion techniques crafted to exploit ambiguities in the Internet's underlying protocols, flaws in network software stacks, and limitations of security appliances.
One example operates at the network-protocol level to bypass firewalls and intrusion-prevention systems by hiding malicious traffic inside TCP/IP packets that are abnormal yet still protocol-compliant: the packets are valid, but the protected host and the inspecting device may interpret them differently. Another category works entirely within common applications, following the normal rules for web traffic. These attacks don't so much trick network security software as bypass it, using HTML5 features and embedded scripts to deliver malicious payloads inside traffic that looks legitimate. In this report, I discuss these techniques, how IT teams can test their level of exposure, and how to detect and block attacks using advanced packet normalization.
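As an added illustration (example code written for this edit, not code from the original report or from any product it describes), the following Python simulation shows one well-known form of TCP/IP ambiguity: overlapping TCP segments that carry conflicting data. The RFCs do not dictate which copy an endpoint keeps, so stacks differ, and an inspection device that reassembles with a different policy than the protected host reconstructs a different byte stream and can miss a signature the victim actually receives. The sample segments, the `first`/`last` policy names, the `evasion_succeeds` exposure check and the `normalize` function are all constructed for this example; they do not correspond to any specific vendor's implementation.

```python
"""
Added example: overlapping-TCP-segment ambiguity, an exposure check,
and a normalizer that removes the ambiguity before traffic reaches the host.
Everything here is constructed for illustration; no real stack or product
is modelled exactly.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Segment:
    seq: int     # relative TCP sequence number of the first payload byte
    data: bytes  # payload bytes


def reassemble(segments: List[Segment], policy: str) -> bytes:
    """Rebuild the byte stream from segments given in arrival order.

    'first': bytes already received win; later overlapping data is ignored.
    'last':  later overlapping data overwrites what was received earlier.
    Real stacks implement one of these (or a mix); the protocol leaves it open.
    """
    if policy not in ("first", "last"):
        raise ValueError(f"unknown overlap policy: {policy}")
    stream: Dict[int, int] = {}
    for seg in segments:
        for i, b in enumerate(seg.data):
            pos = seg.seq + i
            if policy == "first" and pos in stream:
                continue
            stream[pos] = b
    return bytes(stream[k] for k in sorted(stream))


def evasion_succeeds(segments: List[Segment], signature: bytes,
                     ids_policy: str, victim_policy: str) -> bool:
    """Exposure check: the attack slips through when the victim's stack
    reconstructs the signature but the inspecting device does not."""
    ids_view = reassemble(segments, ids_policy)
    victim_view = reassemble(segments, victim_policy)
    return signature in victim_view and signature not in ids_view


def normalize(segments: List[Segment]) -> Tuple[List[Segment], List[Tuple[int, int, int]]]:
    """Traffic normalizer: make the stream unambiguous before forwarding it.

    The first copy seen for any byte position is treated as authoritative.
    A later segment whose bytes disagree is rewritten to the authoritative
    bytes and the disagreement is reported as (position, kept, rejected).
    After normalization every reassembly policy yields the same stream,
    so the inspecting device and the host can no longer be made to disagree.
    """
    seen: Dict[int, int] = {}
    out: List[Segment] = []
    conflicts: List[Tuple[int, int, int]] = []
    for seg in segments:
        fixed = bytearray(seg.data)
        for i, b in enumerate(seg.data):
            pos = seg.seq + i
            if pos in seen:
                if seen[pos] != b:
                    conflicts.append((pos, seen[pos], b))
                    fixed[i] = seen[pos]
            else:
                seen[pos] = b
        out.append(Segment(seg.seq, bytes(fixed)))
    return out, conflicts


# Constructed sample traffic (arrival order matters). The third segment looks
# like a retransmission of bytes 5..8 but carries different data.
EVASIVE = [
    Segment(0, b"GET /"),
    Segment(5, b"safe.html"),   # first copy of bytes 5..13
    Segment(5, b"evil"),        # conflicting copy of bytes 5..8
]
SIGNATURE = b"/evil.html"       # what the inspecting device is looking for


def demo() -> Dict[str, object]:
    """Run the scenario before and after normalization and return the views."""
    normed, conflicts = normalize(EVASIVE)
    return {
        "ids_first": reassemble(EVASIVE, "first"),
        "victim_last": reassemble(EVASIVE, "last"),
        "evades": evasion_succeeds(EVASIVE, SIGNATURE, "first", "last"),
        "conflicts": conflicts,
        "normalized_last": reassemble(normed, "last"),
        "evades_after": evasion_succeeds(normed, SIGNATURE, "first", "last"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Run stand-alone, the script shows the inspecting device (favouring the first copy) seeing `GET /safe.html` while the victim (favouring the last copy) sees `GET /evil.html`; after `normalize` rewrites the conflicting retransmission, both policies agree and the evasion fails. To test real exposure rather than this simulation, the same idea applies: send crafted overlapping segments through the security device to a host whose reassembly policy you know, and compare what the host receives with what the device reported.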