Security Response

Yet Another Way to Evade NIDS (and Spread Malware)

Created: 05 Nov 2007 08:00:00 GMT • Updated: 23 Jan 2014 18:44:55 GMT
Andrea DelMiglio

Anonymous proxy services are online applications that enable users to surf the Web with enhanced privacy. These applications act as an SSL proxy between the user and the Web site to be visited, thus masking the IP address and providing additional privacy features, such as referrer hiding, script removal, cookie removal, and URL encoding. Proxify is one provider of these services, but many more are available on the Internet.

Although we believe online privacy is something we always need to take care of, the use of these kinds of services can lead to trouble as well. First of all, the use of secure socket layer (SSL) prevents network intrusion detection systems (NIDS) and most desktop-based intrusion prevention systems (IPS) from inspecting the resources visited through the proxy, leaving the desktop antivirus with the full burden of protecting the computer. Then, in an enterprise environment, these services can bypass security policies through URL and traffic encoding, allowing internal users to browse resources that would otherwise be restricted. For example, this could lead to users checking their private Web email and downloading those "funny jokes" sent by their friends, unfiltered by the corporate network.

Finally, these services can actually be utilized pretty easily by the bad guys to spread more malware. Again using Proxify as an example, let's look at how the service uses a simple HEX encoding to mask the visited URL.

Let's assume an attacker has a working copy of MPack located on www.mpacksite.com. Using Proxify, this URL would become "https://proxify.com/p/011010A1000100/687474703a2f2f7777772e6d7061636b736974652e636f6d2f", where the string after the last slash is simply the initial URL, HEX encoded. This URL can be used on any compromised Web site within a standard iframe, letting attackers elude NIDS on a standard HTTP page, because the only thing visible on the wire is the iframe pointing at the proxy, not the destination behind it.
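The defensive counterpart to the trick above is to look at the plain-HTTP page where the iframe lives, not at the SSL session it opens. The following Python is an added example, not code from the original post or from Symantec: it pulls iframe sources out of page content, recognises ones routed through an anonymizer, and hex-decodes the embedded destination so it can be checked like any other URL. The anonymizer host list and the `/p/<options>/<hex>` path layout are assumptions based solely on the single example URL given in the post.

```python
import re
from urllib.parse import urlparse

# Anonymizer hosts to watch for. proxify.com comes from the post; add others
# from your own web-filter category list (assumption: this is a hypothetical set).
ANONYMIZER_HOSTS = {"proxify.com"}

# Matches the src attribute of an <iframe> tag in page content.
IFRAME_SRC = re.compile(r'<iframe[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def decode_hex_target(url):
    """Return the hex-decoded destination hidden in an anonymizer URL, or None.

    Assumed layout, taken from the post's example: https://<host>/p/<options>/<hex-of-target>
    Anything that is not an anonymizer URL, or whose last path element is not
    valid hex, yields None so the caller can fall back to ordinary URL checks.
    """
    parsed = urlparse(url)
    if parsed.hostname not in ANONYMIZER_HOSTS:
        return None
    parts = [p for p in parsed.path.split("/") if p]
    if len(parts) < 3 or parts[0] != "p":
        return None
    blob = parts[-1]
    if len(blob) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", blob):
        return None
    try:
        return bytes.fromhex(blob).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


def find_proxied_iframes(html):
    """Return (iframe_src, decoded_target) for every iframe routed through an anonymizer."""
    hits = []
    for src in IFRAME_SRC.findall(html):
        target = decode_hex_target(src)
        if target is not None:
            hits.append((src, target))
    return hits


# Constructed sample page: one hidden iframe using the post's example URL, one benign iframe.
SAMPLE_PAGE = """<html><body>
<iframe src="https://proxify.com/p/011010A1000100/687474703a2f2f7777772e6d7061636b736974652e636f6d2f" width="1" height="1"></iframe>
<iframe src="https://www.example.com/embed"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, target in find_proxied_iframes(SAMPLE_PAGE):
        print(f"anonymizer iframe -> {target}  (via {src})")
```

The decoded destination can then be fed to the same blocklist or reputation lookup the NIDS would have applied had the request not been wrapped in SSL.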

Corporate users are encouraged to filter out known anonymous proxies in order to prevent possible issues related to their use (and abuse).