From: Rouland, Chris (ISSAtlanta) (CRoulandiss.net)
Date: Wed Apr 04 2001 - 18:40:25 CDT
ADMmutate Evasion Tool
A new IDS evasion tool was announced at the CanSecWest Security
Conference on March 30, 2001. The tool was written by 'K2' and is
called ADMmutate. ADMmutate uses a polymorphic technique designed
to circumvent certain forms of signature-based intrusion detection.
All network-based remote buffer overflow exploits have similarities in
how they function. ADMmutate has the ability to emulate the protocol
of the service the attacker is attempting to exploit. The data payload
(sometimes referred to as an egg) contains the instructions the
attacker wants to execute on the target machine. These eggs are
generally interchangeable and can be utilized in many different buffer
overflow exploits. ADMmutate uses several techniques to randomize the
contents of the egg in any given buffer overflow exploit. This
randomization effectively changes the content or 'signature' of the
exploit without changing the functionality of the exploit.
Many IDS systems detect buffer overflow exploits by using a string
matching signature of the actual exploit payload content. ADMmutate is
effective in circumventing these IDS systems.
ISS RealSecure uses different algorithms and methods of detection to
determine when a buffer overflow attack happens. These algorithms are
not affected by ADMmutate. ISS RealSecure has been confirmed as not
vulnerable to the ADMmutate tool.
ISS X-Force is researching adding additional algorithms to identify
both specific ADMmutate attacks and generic polymorphic attacks to be
provided in conjunction with the buffer overflow alert. Providing
this additional information can help identify the sophistication level
of an attacker.
ISS RealSecure has been confirmed as not vulnerable to the ADMmutate
When a new method to evade IDS appears, ISS X-Force researches and
augments our detection algorithms to identify these new methods and
techniques. X-Force regularly releases monthly X-Press Updates to
cover these issues and any new attacks. In case of a major issue,
X-Force has the option to release an emergency update. The IDS
technology is continuing to evolve at a rapid pace to protect against
any new evasive techniques and attacks. This ongoing vigilance adds
value to our entire protection solution.
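The following is an added illustration, not part of the advisory and not ISS RealSecure's algorithm: it shows why a string-matching signature on the egg's content stops firing once the content is randomized, while a content-independent check still flags the request. The inert placeholder egg, the hypothetical `USER` request format, the 128-byte field limit, and single-byte XOR as a stand-in for payload randomization are all assumptions made for the example.

```python
# Constructed, inert stand-in for an exploit "egg"; this is not shellcode.
EGG = b"INERT-EGG-PLACEHOLDER-0001"
SIGNATURES = [EGG[:12]]   # content signature a string-matching IDS keys on
MAX_FIELD_LEN = 128       # assumed protocol limit for the USER argument


def build_request(payload: bytes, pad_len: int = 400) -> bytes:
    """Constructed overlong request for a hypothetical line-based protocol."""
    return b"USER " + b"A" * pad_len + payload + b"\r\n"


def randomize(payload: bytes, key: int) -> bytes:
    """Stand-in for content randomization: XOR changes every payload byte."""
    return bytes(b ^ key for b in payload)


def signature_match(packet: bytes) -> bool:
    """String-matching detection: fires only if known bytes appear verbatim."""
    return any(sig in packet for sig in SIGNATURES)


def field_length_anomaly(packet: bytes) -> bool:
    """Content-independent detection: the argument exceeds the protocol limit."""
    if not packet.startswith(b"USER "):
        return False
    field = packet[5:].split(b"\r\n", 1)[0]
    return len(field) > MAX_FIELD_LEN


def evaluate(keys):
    """Return (signature_hit, anomaly_hit) for the plain egg and each variant."""
    packets = [build_request(EGG)]
    packets += [build_request(randomize(EGG, k)) for k in keys]
    return [(signature_match(p), field_length_anomaly(p)) for p in packets]


if __name__ == "__main__":
    for label, result in zip(["plain", "key 0x5A", "key 0xC3"],
                             evaluate([0x5A, 0xC3])):
        print(f"{label:9s} signature={result[0]!s:5s} anomaly={result[1]}")
```
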