From: Jerry Shenk (jas@DECNS.COM)
Date: Wed Apr 04 2001 - 10:43:06 CDT
We could more easily introduce AI into an IDS if we'd get a little farther
away from the 'real time' alerting requirement. Advertising 'real-time' is
somewhat misleading anyway when a scripted rootkit can be installed in
seconds.
Perhaps working a little like Shadow does with logging everything (yes, this
gets to be a bigger problem the busier the site is) and then doing
post-processing on the log files. Some of the Snort add-ons seem like they
generate information along this line although I believe they are all more
oriented to having somebody run a database query periodically.
-----Original Message-----
From: Focus on Intrusion Detection Systems
[mailto:FOCUS-IDS@SECURITYFOCUS.COM] On Behalf Of Andrew R. Reiter
Sent: Wednesday, April 04, 2001 1:37 AM
To: FOCUS-IDS@SECURITYFOCUS.COM
Subject: Re: CanSecWest and ADMutate
I fully agree with Dragos on this point. Some IDS intrusion discovery
techniques rely on "shellcode signatures." This will cause a greater deal
of trouble because of the current means of recognizing these signatures..
for example, if a signature was meant to recognize an attack by seeing a
bunch of x86 nops (0x90), or perhaps a certain set of byte values, this
would bypass the rule. Imagine if an IDS system had to match up to N
number of different types of nops to say it's an attack... perhaps the
IDS was effective enough to say that if it saw two of the preknown (out of
N possibilities) nop values, that are introduced by the ADMmutate code,
that then causes a HUGE performance hit as there are 27^2 (man, I'm bad at
math this could be wrong) possibilities to check for... This is a problem.
Really to defeat this type of attack we need to decide on a greater
abstraction on these events. We need not to say "if data matches X we
alert," but rather say "if data seems like X, we alert"...
I think this brings another issue of something I've been discussing, with
a few random people, relating the idea of AI and host + network IDSs...
Levels of alertness (LoA's I guess we'll call them).
These LoA's which would be produced by a HIDS or a NIDS would be compiled
by an IDS engine to say "Ok, these X number of LoA's mean a certain S"
where X is the number of LoA's gathered over a certain period of time and
S meaning a current state of understanding as to what the LoA's compiled
mean.
This is a HUGE performance hit... but in my mind is the only solution to
such issues as polymorphic shellcode.
-- ABSTRACTING AN ATTACK TO THE GREATEST DEGREE --
.excuse the rambling...hit the bar & had some food etc etc :-)
Andrew
On Tue, 3 Apr 2001, Dragos Ruiu wrote:
> I don't believe he monitors this list so I'm including him on the chain...
>
> ADMutate isn't a script kiddy tool, for sure, as it requires an understanding
> of how an exploit works despite the "helper" stuff that K2 has put in. But it
> is a good attack technique and does remove the ability to have a pure and
> "infallible" shellcode signature - a signature that I likened to a "defensive
> silver bullet" always means trouble, and never falses. I have to look at his
> newer code before I can comment further...
>
> cheers,
> --dr
>
> p.s. ......"just another fragrouter" ?.... I'm not sure how to take that....
> fragrouter was enough of a rpita for me. :-)
>
> On Tue, 03 Apr 2001, Bill Marquette wrote:
> > K2 did present ADMmutate...and yes, it is very cool (and a little frightening).
> > The basic premise behind it (I'll let K2 explain more if he's watching this
> > list) is that he uses virus like features to obfuscate the shellcode. ADMmutate
> > can be used on any existing shell code (any current exploit) and will encrypt
> > the shell code with a polymorphic decrypter. I would expect that the code will
> > be available for public release soon, you might even try K2's website
> > http://www.ktwo.ca. As the article mentions, it isn't "easy" to modify a
> > current exploit to use this, the point and click script kiddie will have to wait
> > until someone does it for them. The slightly above average skript kiddie won't
> > have that hard of a time modifying exploit code to use ADMmutate though.
> >
> > --Bill
> >
> > From: Vitaly Osipov <vosipov@WOLFEGROUP.COM> on 04/03/2001 09:15 AM
> >
> > Please respond to Vitaly Osipov <vosipov@WOLFEGROUP.COM>
> >
> > To: FOCUS-IDS@SECURITYFOCUS.COM
> > cc:
> > Client:
> > Subject: CanSecWest and ADMutate
> >
> > I've seen some news stories like
> > http://www.zdnet.co.uk/news/2001/13/ns-22021.html today - saying somebody
> > called K2 from ADCrew presented on CanSecWest a program for IDS evasion (as
> > far as I understand, though the descriptions are very vague). Has somebody
> > been there and can shed a light on this? is really so c00l as news says or
> > is it just another fragrouter? :)
> >
> > regards,
> > W.
> --
> Dragos Ruiu <dr@dursec.com> dursec.com ltd. / kyx.net - we're from the future
> gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc
>
*-------------.................................................
| Andrew R. Reiter
| arr@fledge.watson.org
| "It requires a very unusual mind
| to undertake the analysis of the obvious" -- A.N. Whitehead
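The two ideas in Andrew's post above, a "seems like X" match instead of an exact 0x90 run, and levels of alertness compiled over a time window into a state S, can be sketched in a few dozen lines. The block below is an added example written for this archive page; it is not code from the thread, from ADMmutate, Snort or Shadow. Everything in it is constructed: the small set of single-byte NOP-equivalent opcodes (0x90 plus the one-byte inc/dec register instructions 0x40-0x4f; a real table would be longer), the score thresholds, the window and the sample payloads and sensor events. The exact-0x90 rule fires on a classic sled and misses a sled built from the mixed set, while the fraction-of-window score treats both the same and stays low on an ordinary HTTP request.

```python
# Added example, not code from the thread or from any IDS product: a
# "seems like X" NOP-sled scorer and a level-of-alertness (LoA) aggregator
# in the spirit of Andrew Reiter's post. Opcode set, thresholds, payloads,
# addresses and timestamps are all constructed for illustration.
from collections import defaultdict, deque

# Illustrative, deliberately small set of single-byte x86 instructions that
# are harmless as sled padding: 0x90 (nop), 0x40-0x47 (inc reg), 0x48-0x4f
# (dec reg). The point is that set membership is tested, not a literal 0x90 run.
NOP_EQUIVALENTS = frozenset([0x90, *range(0x40, 0x50)])


def exact_nop_signature(payload: bytes, run: int = 32) -> bool:
    """The brittle rule the thread criticises: fire only on a literal 0x90 run."""
    return b"\x90" * run in payload


def sled_score(payload: bytes, window: int = 64) -> float:
    """Highest fraction of NOP-equivalent bytes in any window-sized slice.

    A sliding count keeps this linear in payload length, which matters for
    the per-packet cost Andrew worries about.
    """
    window = min(window, len(payload))
    if window == 0:
        return 0.0
    count = sum(1 for b in payload[:window] if b in NOP_EQUIVALENTS)
    best = count
    for i in range(window, len(payload)):
        count += (payload[i] in NOP_EQUIVALENTS) - (payload[i - window] in NOP_EQUIVALENTS)
        best = max(best, count)
    return best / window


def level_of_alertness(payload: bytes) -> int:
    """Map a sled score onto a coarse LoA (0 = nothing seen, 3 = near-solid sled).
    The thresholds are constructed for this example."""
    score = sled_score(payload)
    if score >= 0.9:
        return 3
    if score >= 0.6:
        return 2
    if score >= 0.3:
        return 1
    return 0


def compile_state(events, window_seconds: int = 60, threshold: int = 4):
    """Compile per-source LoA events into a state S over a sliding time window.

    events: (timestamp_seconds, source, loa) tuples in time order.
    Returns {source: (summed_loa, state)} as of each source's latest event.
    """
    recent = defaultdict(deque)
    state = {}
    for t, src, loa in events:
        q = recent[src]
        q.append((t, loa))
        while q and t - q[0][0] > window_seconds:  # drop events outside the window
            q.popleft()
        total = sum(l for _, l in q)
        if total >= threshold:
            label = "probable attack"
        elif total > 0:
            label = "suspicious"
        else:
            label = "quiet"
        state[src] = (total, label)
    return state


# Constructed test inputs. The "body" is int3 filler standing in for whatever
# would follow a sled; no real exploit payload is involved.
_BODY = b"\xcc" * 16
PAYLOAD_A = b"\x90" * 48 + _BODY                                      # classic 0x90 sled
_NOPS = sorted(NOP_EQUIVALENTS)
PAYLOAD_B = bytes(_NOPS[i % len(_NOPS)] for i in range(48)) + _BODY  # mixed one-byte sled
BENIGN = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"

# Constructed sensor events: 10.0.0.5 sends two sled-like payloads inside the
# window; 10.0.0.7's first event has aged out by t=200.
EVENTS = [
    (0, "10.0.0.5", level_of_alertness(PAYLOAD_A)),
    (0, "10.0.0.7", level_of_alertness(PAYLOAD_A)),
    (5, "10.0.0.9", level_of_alertness(BENIGN)),
    (10, "10.0.0.5", level_of_alertness(PAYLOAD_B)),
    (200, "10.0.0.7", level_of_alertness(PAYLOAD_B)),
]

if __name__ == "__main__":
    for name, p in (("A", PAYLOAD_A), ("B", PAYLOAD_B), ("benign", BENIGN)):
        print(name, "exact-0x90:", exact_nop_signature(p),
              "sled_score: %.2f" % sled_score(p), "LoA:", level_of_alertness(p))
    for src, (total, label) in compile_state(EVENTS).items():
        print(src, total, label)
```

Two caveats a practitioner would attach. First, the inc/dec opcodes 0x40-0x4f are also the printable characters '@' through 'O', so a field padded with capital letters scores like a sled; this is the "never falses" trap Dragos mentions, and is why such a scorer should feed a level of alertness rather than an alert on its own. Second, the aggregator's window and threshold decide how far from "real time" the verdict sits, which is exactly the trade-off Jerry raises at the top of the thread.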