ZDNet UK / News and Analysis / Business of IT / IT Strategy

New tool camouflages hacker programs

By Staff, CNet, 22 April, 2002 09:11

Daily Newsletters

Sign up to ZDNet UK's daily newsletter.

Topics

Hacking, Firewall, Network Associates, fragroute, Viruses, Security

NEWS
A new tool for manipulating packets of data that travel over the Internet could allow attackers to camouflage malicious programs just enough to bypass many intrusion-detection systems and firewalls. The tool, called Fragroute, performs several techniques to fool the signature-based recognition systems used by many intrusion-detection systems and firewalls. Many of these duping techniques were outlined in a research paper published four years ago. Arbor Networks security researcher Dug Song posted the tool to his Web site this week. Arbor is a network protection company. "(Some) firewalls and intrusion prevention or other application-layer content-filtering devices have similar vulnerabilities that may be tested with Fragroute," Song wrote in a posting to security mailing list Bugtraq on Thursday. The new tool tips the arms race between those who look to break in to networks and those who defend them toward the attackers, at least for the moment. Any firewall or intrusion-detection system that fails the Fragroute test is vulnerable attack from vandals using the program. Song was travelling and could not be reached for comment, an Arbor representative said, and his company would not comment on the issue. The Fragroute program is a dual-use program: It illuminates weaknesses in a network's security -- information that can aid a system administrator in protecting the network or helping a hacker attack the network. The program exploits several ways of inserting specific data into a sequence of information to fool detection programs. The methods were highlighted in a January 1998 paper written by Thomas Ptacek and Timothy Newsham of security specialist Secure Networks, a company later bought by Network Associates. The program exploits intrusion-detection systems, which often check the correctness of incoming data less stringently than the server software that is typically targeted by hackers. In one version of such "insertion" attacks, a command sent to a server could be disguised by adding extraneous, illegitimate data. The targeted server software will throw away any bad data, leaving itself with a valid, but malicious, command. However, many intrusion-detection systems don't remove the corrupted data, so the hostile command remains disguised from the system's recognition functions. For example, an intrusion-detection system that watches out for a recent buffer overflow might recognise the attack by the text "http:///" appearing in the incoming data. However, if an attacker sends "http://somegarbagehere/" and knows that the "somegarbagehere" portion will be thrown out by the target computer, then the attack still works. Moreover, if the intrusion-detection system doesn't remove the same text portion as the server, it won't recognise the threat. Marti Roesch, president of security appliance seller SourceFire and the creator of the popular open-source intrusion-detection system Snort, said that the majority of the problems exploited by Fragroute have been fixed, and he plans to fix the rest by next week. "Dug contacted me about this stuff several months ago, and I fixed it," Roesch said. While he hasn't programmed a defence to every stealth attack that Fragroute has in its repertoire, doing so won't be hard, he added. "Many of these take 10 minutes of coding, max, to fix," he said. "It just wasn't an issue before." While many of the attacks won't work against Snort if it's configured properly, Roesch said that the default configuration doesn't detect the camouflaged data, because such settings produce a far greater number of false alarms. Some security aficionados posting to the Bugtraq list concentrated on Snort as a program vulnerable to the Fragroute program, but Song waved off the implied criticism on the open-source program in his posting. "Snort, I'd wager, does much better than most," he wrote, adding that many other proprietary programs are also vulnerable. One commercial software seller, network protection firm Internet Security Systems, claimed that its product, RealSecure, wasn't affected. "We initially fixed the fragmentation issues when we saw the paper quite some time ago," said Dan Ingevaldson, team lead for the company's security research and development group. His group tested Song's tool earlier this week, and they were still able to detect attacks, Ingevaldson said.
For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Viruses and Hacking News Section. Have your say instantly, and see what others have said. Go to the Security forum. Let the editors know what you think in the Mailroom.

Related stories

Korean firm offers $100,000 in hacking competition

Heart of England NHS begins massive digitisation plan

Hard-drive woes hit PC shipments in fourth quarter

Post your comment

In order to post a comment you need to be registered and logged in.

You can also log in with Facebook. Log in or create your ZDNet UK account below

  • Login

Will not be displayed with your comment

By signing up for this service, you indicate that you agree to our Terms and Conditions and have read and understood our Privacy Policy. Questions about membership? Find the answers in the Community FAQ

Get ZDNet UK's daily newsletter

Enter your email address to sign up

ZDNet UK Live

JCB33

How dare film makers, artists or anybody that invests in creativity stop us pirating their works for free. I want to be able to walk into my local...

2 hours ago by JCB33 on ACTA stumbles in Germany
Moley

@GrueMaster. I prefer horses for courses rather than one size fits all. I, and I suspect most other computer users, do not really wish to have...

4 hours ago by Moley on A tale of two distros: Ubuntu and Linux Mint
greycynic

The product that scares me every time I have to use it is the Office 2007 version of Excel. The first bug that I found was applying the median...

4 hours ago by greycynic on Ten flawed products that derail productivity
GrueMaster

Nice review and very informative. One thing I'd like to add (in reply to whs001's 1st question), the main reason to have the same interface from...

6 hours ago by GrueMaster on A tale of two distros: Ubuntu and Linux Mint
Frederick Wrigley

I'be been using Mint 12 since the RC came out, and I am far more happy with the Cinnamon, the Mate, and, yes (with extensions), theGnome 3...

6 hours ago by Frederick Wrigley via Facebook on A tale of two distros: Ubuntu and Linux Mint
bdantas

Excellent article. One small correction, though--although a fresh installation of Linux Mint 12 will, indeed, provide the user with a version of...

7 hours ago by bdantas on A tale of two distros: Ubuntu and Linux Mint
Alan Ralph

In related news, the ISPs club together to get the members of the Home Affairs Select Committee (ya goofed on that part, ZDNet UK) copies of "The...

8 hours ago by Alan Ralph via Facebook on MPs urge ISPs to take down terrorist material
Alan Ralph

In related news, the ISPs club together to get the members of the Home Affairs Select Committee (ya goofed on that part, ZDNet UK) copies of "The...

8 hours ago by Alan Ralph via Facebook on MPs urge ISPs to take down terrorist material
Moley

For Gnome 2 die-hards, it is possible to add icons to the bottom panel (or top top panel, if you prefer) which provide the exact Gnome 2...

8 hours ago by Moley on A tale of two distros: Ubuntu and Linux Mint
ramwellian

Your comments would seem pretty naive and immature. Your 'solution' appears to be, "gee, let's all just give in to the hackers and give them...

9 hours ago by ramwellian on Cloud computing security: no more oxymoron?
BugStalker

"Interesting thought ... If you installed Win7 as a dual boot on a machine that previously only had Linux, and it wrecked your Linux installation,...

9 hours ago by BugStalker on Windows 7 Declares War on GRUB
whs001

This is an excellent summary of Ubuntu and Mint and the interface differences between them. Most such articles take a very partisan position for...

9 hours ago by whs001 on A tale of two distros: Ubuntu and Linux Mint
Moley

@ewallace. Not so clear. Anyone can obtain the text, for example from here http://www.ustr.gov/webfm_send/2379. I support ACTA so long as it and...

9 hours ago by Moley on ACTA: Facts, misconceptions and questions
45283

I think WinRT is fantastic. I just wish it was an option for people that didn't want to go through Microsoft's App Store with its attendant...

12 hours ago by 45283 on Why Windows 8 needs architectural hygiene for WOA
Burn-IT

Nine people? £30m? Who's back pocket is that lot going in? And IF they say it is for new buildings, what about all the ones the government has...

14 hours ago by Burn-IT on Police set to launch three £30m e-crime hubs
ewallace

Just to be clear, nobody knows what is in the text of ACTA, here is a photograph of the text of ACTA http://twitpic.com/8h9iju as submitted to the...

14 hours ago by ewallace on ACTA: Facts, misconceptions and questions
fgvrg56

Unfortunately main issue is that ASUS is refusing to accept that they make some mistake on this version of asus Transformer prime. 1 - GPS sensor...

15 hours ago by fgvrg56 on Asus Eee Pad Transformer Prime Wi-Fi & GPS problems?
Ben Woods

@Marcus A fair question. Just talked with Archos which said it was working on an announcement for next week....

16 hours ago by Ben Woods on Archos confirms G9 Ice Cream Sandwich update schedule
Marcus Karlsson

Any update on this, considering the claimed "first week of February"?

17 hours ago by Marcus Karlsson via Facebook on Archos confirms G9 Ice Cream Sandwich update schedule
apexwm

Bill Goodrich : Just as al_langevin pointed out, with Windows Server 2008 there is no Services for Macintosh anymore. It's gone, not available....

1 day ago by apexwm on Windows Server 2008 drops the ball for Mac compatibility

Latest in IT Strategy

Heart of England NHS begins massive digitisation plan

Hard-drive woes hit PC shipments in fourth quarter

Featured white papers

How cloud adds strategy to IT outsourcing

SAVVIS

How cloud adds strategy to IT outsourcing

Thanks to cloud computing, IT outsourcing is back, but this time it can help both in cutting costs and helping the business... Read more

Tech breakthroughs to watch in 2012

ZDNet UK

Tech breakthroughs to watch in 2012

From invisibility cloaks to virtual atom smashing, from Cern to Nasa, this ZDNet UK guide presents the discoveries to watch in... Read more

Key trends driving global business resilience and risk

IBM

Key trends driving global business resilience and risk

This IBM research paper looks at how businesses are thinking more about business resilience by improving the ability to adapt to a continuously changing business... Read more

Inside ZDNet UK

A tale of two distros: Ubuntu and Linux Mint

A tale of two distros: Ubuntu and Linux Mint

2012 Predictions: VCE FastPath, VI SAN Probe & Hadoop

2012 Predictions: VCE FastPath, VI SAN Probe & Hadoop

BlackBerry Bold 9790

BlackBerry Bold 9790

Case study: How cloud enables growth

Case study: How cloud enables growth

Ten factors that make Ubuntu 11.10 a hit

Ten factors that make Ubuntu 11.10 a hit

Toshiba Portégé Z830-10P Review

Toshiba Portégé Z830-10P Review

BT's archive: Pictures from the vault

BT's archive: Pictures from the vault