From: Rouland, Chris (ISSAtlanta) (CRouland@iss.net)
Date: Wed Apr 04 2001 - 18:40:25 CDT



    ADMmutate Evasion Tool

    A new IDS evasion tool was announced at the CanSecWest Security
    Conference on March 30, 2001. The tool was written by 'K2' and is
    called ADMmutate. ADMmutate is using a polymorphic technique designed
    to circumvent certain forms of signature based intrusion detection.

    All network based remote buffer overflow exploits have similarities in
    how they function. ADMmutate has the ability to emulate the protocol
    of the service the attacker is attempting to exploit. The data payload
    (sometimes referred to as an egg) contains the instructions the
    attacker wants to execute on the target machine. These eggs are
    generally interchangeable and can be utilized in many different buffer
    overflow exploits. ADMmutate uses several techniques to randomize the
    contents of the egg in any given buffer overflow exploit. This
    randomization effectively changes the content or 'signature' of the
    exploit without changing the functionality of the exploit.

    Many IDS systems detect buffer overflow exploits by using a string
    matching signature of the actual exploit payload content. ADMmutate is
    effective in circumventing these IDS systems.

    ISS RealSecure uses different algorithms and methods of detection to
    determine when a buffer overflow attack happens. These algorithms are
    not affected by ADMmutate. ISS RealSecure has been confirmed as not
    vulnerable to the ADMmutate tool.

    ISS X-Force is researching adding additional algorithms to identify
    both specific ADMmutate attacks and generic polymorphic attacks to be
    provided in conjunction with the buffer overflow alert. Providing
    this additional information can help identify the sophistication level
    of an attacker.

    Conclusion:

    ISS RealSecure has been confirmed as not vulnerable to the ADMmutate
    evasive technique.

    When a new method to evade IDS appears, ISS X-Force researches and
    augments our detection algorithms to identify these new methods and
    techniques. X-Force regularly releases monthly X-Press Updates to
    cover these issues and any new attacks. In case of a major issue,
    X-Force has the option to release an emergency update. The IDS
    technology is continuing to evolve at a rapid pace to protect against
    any new evasive techniques and attacks. This ongoing vigilance adds
    value to our entire protection solution.