From: Greg Shipley (gshipleyNEOHAPSIS.COM)
Date: Tue Apr 03 2001 - 08:39:56 CDT

    On Tue, 3 Apr 2001, Vitaly Osipov wrote:

    > I've seen some news stories like
    > http://www.zdnet.co.uk/news/2001/13/ns-22021.html today - saying somebody
    > called K2 from ADCrew presented at CanSecWest a program for IDS evasion (as
    > far as I understand, though the descriptions are very vague). Has somebody
    > been there and can shed light on this? Is it really as c00l as the news says or
    > is it just another fragrouter? :)

    K2 (from ADM) gave a presentation on polymorphic shell code. In a
    nutshell, from what I can gather it's an API for exploit code that
    can/will make it more difficult for some IDSs to detect buffer-overflow
    based attacks. A lot of it depends on how/if it is adopted by exploit
    code writers. Considering that ADM is responsible for a good chunk of the
    exploit code out there, however, I wouldn't be surprised if this has
    already been deployed in the wild previous to this conference.

    I'm sure the hard-core IDS vendors on this list will have way more
    comments on this subject, so I'll leave the details to them (if they care
    to comment). While I thought the presentation and idea were definitely
    creative, IMHO this is just another challenge for NIDS devices, albeit a
    potentially rough one.

    I believe Dragos said he'd put the presentations online.

    If not, you might want to check out K2's page:
    http://www.ktwo.ca/

    -Greg