From: Dragos Ruiu (drKYX.NET)
Date: Tue Apr 03 2001 - 15:09:51 CDT

    I don't believe he monitors this list so I'm including him on the chain...

    ADMmutate isn't a script kiddy tool, for sure, as it requires an understanding
    of how an exploit works despite the "helper" stuff that K2 has put in. But it
    is a good attack technique and does remove the ability to have a pure and
    "infallible" shellcode signature - a signature that I likened to a "defensive
    silver bullet" always means trouble, and never falses. I have to look at his
    newer code before I can comment further...

    cheers,
    --dr

    p.s. ......"just another fragrouter" ?.... I'm not sure how to take that....
            fragrouter was enough of a rpita for me. :-)

     On Tue, 03 Apr 2001, Bill Marquette wrote:
    > K2 did present ADMmutate...and yes, it is very cool (and a little frightening).
    > The basic premise behind it (I'll let K2 explain more if he's watching this
    > list) is that he uses virus-like features to obfuscate the shellcode. ADMmutate
    > can be used on any existing shell code (any current exploit) and will encrypt
    > the shell code with a polymorphic decrypter. I would expect that the code will
    > be available for public release soon, you might even try K2's website
    > http://www.ktwo.ca. As the article mentions, it isn't "easy" to modify a
    > current exploit to use this, the point and click script kiddie will have to wait
    > until someone does it for them. The slightly above average skript kiddie won't
    > have that hard of a time modifying exploit code to use ADMmutate though.
    >
    > --Bill
    >
    >
    >
    > From: Vitaly Osipov <vosipovWOLFEGROUP.COM> on 04/03/2001 09:15 AM
    >
    > Please respond to Vitaly Osipov <vosipovWOLFEGROUP.COM>
    >
    > To: FOCUS-IDSSECURITYFOCUS.COM
    > cc:
    > Client:
    > Subject: CanSecWest and ADMutate
    >
    >
    >
    > I've seen some news stories like
    > http://www.zdnet.co.uk/news/2001/13/ns-22021.html today - saying somebody
    > called K2 from ADCrew presented at CanSecWest a program for IDS evasion (as
    > far as I understand, though the descriptions are very vague). Has somebody
    > been there and can shed light on this? Is it really as c00l as the news says or
    > is it just another fragrouter? :)
    >
    > regards,
    > W.

    --
    Dragos Ruiu <drdursec.com>   dursec.com ltd. / kyx.net - we're from the future
    gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc