From: Andrew R. Reiter (arrWATSON.ORG)
Date: Wed Apr 04 2001 - 00:37:19 CDT


    I fully agree with Dragos on this point. Some IDS intrusion discovery
    techniques rely on "shellcode signatures." This will cause a greater deal
    of trouble because of the current means of recognizing these signatures..

    for example, if a signature was meant to recognize an attack by seeing a
    bunch of x86 nops (0x90), or perhaps a certain set of byte values, this
    would bypass the rule. Imagine if an IDS system had to match up to N
    number of different types of nops to say it's an attack... perhaps the
    IDS was effective enough to say that if it saw two of the preknown (out of
    N possibilities) nop values, that are introduced by the ADMMutate code,
    that then causes a HUGE performance hit as there are 27^2 (man, I'm bad at
    math, this could be wrong) possibilities to check for... This is a problem.

    Really to defeat this type of attack we need to decide on a greater
    abstraction on these events. We need not to say "if data matches X we
    alert," but rather say "if data seems like X, we alert"...

    I think this brings another issue of something I've been discussing, with
    a few random people, relating the idea of AI and host + network IDSs...
    Levels of alertness (LoA's I guess we'll call them).

    These LoA's which would be produced by a HIDS or a NIDS would be compiled
    by a IDS engine to say "Ok, these X number of LoA's mean a certain S"
    where X is the number of LoA's gathered over a certain period of time and
    S meaning a current state of understanding as to what the LoA's compiled
    mean.

    This is a HUGE performance hit... but in my mind is the only solution to
    such issues as polymorphic shellcode.

    -- ABSTRACTING AN ATTACK TO THE GREATEST DEGREE --

    ..excuse the rambling...hit the bar & had some food etc etc :-)

    Andrew

    On Tue, 3 Apr 2001, Dragos Ruiu wrote:

    > I don't believe he monitors this list so I'm including him on the chain...
    >
    > ADMutate isn't a script kiddy tool, for sure, as it requires an understanding
    > of how an exploit works despite the "helper" stuff that K2 has put in. But it
    > is a good attack technique and does remove the ability to have a pure and
    > "infallible" shellcode signature - a signature that I likened to a "defensive
    > silver bullet" always means trouble, and never falses. I have to look at his
    > newer code before I can comment further...
    >
    > cheers,
    > --dr
    >
    > p.s. ......"just another fragrouter" ?.... I'm not sure how to take that....
    > fragrouter was enough of a rpita for me. :-)
    >
    > On Tue, 03 Apr 2001, Bill Marquette wrote:
    > > K2 did present ADMmutate...and yes, it is very cool (and a little frightening).
    > > The basic premise behind it (I'll let K2 explain more if he's watching this
    > > list) is that he uses virus like features to obfuscate the shellcode. ADMmutate
    > > can be used on any existing shell code (any current exploit) and will encrypt
    > > the shell code with a polymorphic decrypter. I would expect that the code will
    > > be available for public release soon, you might even try K2's website
    > > http://www.ktwo.ca. As the article mentions, it isn't "easy" to modify a
    > > current exploit to use this, the point and click script kiddie will have to wait
    > > until someone does it for them. The slightly above average skript kiddie won't
    > > have that hard of a time modifying exploit code to use ADMmutate though.
    > >
    > > --Bill
    > >
    > >
    > >
    > > From: Vitaly Osipov <vosipovWOLFEGROUP.COM> on 04/03/2001 09:15 AM
    > >
    > > Please respond to Vitaly Osipov <vosipovWOLFEGROUP.COM>
    > >
    > > To: FOCUS-IDSSECURITYFOCUS.COM
    > > cc:
    > > Client:
    > > Subject: CanSecWest and ADMutate
    > >
    > >
    > >
    > > I've seen some news stories like
    > > http://www.zdnet.co.uk/news/2001/13/ns-22021.html today - saying somebody
    > > called K2 from ADCrew presented on CanSecWest a program for IDS evasion (as
    > > far as I understand, though the descriptions are very vague). Has somebody
    > > been there and can shed a light on this? Is it really so c00l as the news says or
    > > is it just another fragrouter? :)
    > >
    > > regards,
    > > W.
    > --
    > Dragos Ruiu <drdursec.com> dursec.com ltd. / kyx.net - we're from the future
    > gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc
    >

    *-------------.................................................
    | Andrew R. Reiter
    | arrfledge.watson.org
    | "It requires a very unusual mind
    | to undertake the analysis of the obvious" -- A.N. Whitehead
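The contrast Andrew draws above between "if data matches X" and "if data seems like X" can be shown with a small detector. This is an added example, not code from the thread or from ADMmutate: it checks a payload against an exact 0x90 sled signature and against a looser rule that flags any long run of single-byte x86 instructions that do not touch control flow (a hand-picked opcode subset; the threshold, sample buffers and function names are assumptions). The loose check is a single linear pass, so it does not grow with the number of NOP alternatives.

```python
# Added example (not from the original thread or from ADMmutate): exact-byte
# NOP-sled signature versus a "looks like a sled" check over NOP-equivalents.

# Single-byte x86 opcodes that leave control flow untouched, so a run of them
# behaves like a NOP sled. Illustrative subset; real engines use larger tables.
NOP_EQUIV = frozenset(
    {0x90}                            # nop
    | set(range(0x40, 0x50))          # inc/dec reg32
    | {0x27, 0x2F, 0x37, 0x3F}        # daa, das, aaa, aas
    | {0x97, 0x98, 0x99, 0x9E, 0x9F}  # xchg eax,edi; cwde; cdq; sahf; lahf
    | {0xF5, 0xF8, 0xF9, 0xFC}        # cmc, clc, stc, cld
)

EXACT_SIG = b"\x90" * 16  # the classic "if data matches X" rule


def exact_match(payload: bytes) -> bool:
    """Exact-byte signature: fires only on a literal run of 0x90."""
    return EXACT_SIG in payload


def longest_nop_like_run(payload: bytes) -> int:
    """Longest run of NOP-equivalent bytes; one pass, linear in len(payload)."""
    best = cur = 0
    for b in payload:
        cur = cur + 1 if b in NOP_EQUIV else 0
        best = max(best, cur)
    return best


def looks_like_sled(payload: bytes, min_run: int = 16) -> bool:
    """The "if data seems like X" rule: any long enough sled-like run."""
    return longest_nop_like_run(payload) >= min_run


# Constructed samples (not real captures): a classic sled, the same sled
# rewritten with mixed NOP-equivalents, and a benign HTTP request.
SAMPLES = {
    "classic_sled": b"\x90" * 32 + b"\xcc" * 4,
    "mutated_sled": bytes(sorted(NOP_EQUIV))[:32] + b"\xcc" * 4,
    "benign_http": b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n",
}


def evaluate(samples=SAMPLES):
    """Return {name: (exact_match, looks_like_sled)} for each sample."""
    return {n: (exact_match(p), looks_like_sled(p)) for n, p in samples.items()}


if __name__ == "__main__":
    for name, (exact, fuzzy) in evaluate().items():
        print(f"{name:13s} exact={str(exact):5s} fuzzy={fuzzy}")
```

Note that uppercase A through O and '/' fall inside the 0x40 to 0x4F and 0x2F opcodes, so plain text can produce short sled-like runs; the minimum run length is what keeps the loose rule from alerting on the benign request.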