Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Greg Shipley (gshipleyNEOHAPSIS.COM)
Date: Tue Apr 03 2001 - 08:39:56 CDT
On Tue, 3 Apr 2001, Vitaly Osipov wrote:
> I've seen some news stories like
> http://www.zdnet.co.uk/news/2001/13/ns-22021.html today - saying somebody
> called K2 from ADCrew presented on CanSecWest a program for IDS evasion (as
> far as I understand, though the descriptions are very vague). Has somebody
> been there and can shed a light on this? is really so c00l as news says or
> is it just another fragrouter? :)
K2 (from ADM) gave a presentation on polymorphic shell code. In a
nutshell, from what I can gather it's an API for exploit code that
can/will make it more difficult for some IDSs to detect buffer-overflow
based attacks. A lot of it depends on how/if it is adopted by exploit
code writers. Considering that ADM is responsible for a good chunk of the
exploit code out there, however, I wouldn't be surprised if this has
already been deployed in the wild previous to this conference.
I'm sure the hard-core IDS vendors on this list will have way more
comments on this subject, so I'll leave the details to them (if they care
to comment). While I thought the presentation and idea was definitely
creative, IMHO this is just another challenge for NIDS devices, albeit a
potentially rough one.
I believe Dragos said he'd put the presentations online.
If not, you might want to check out K2's page: