From: Vitaly Osipov (vosipov@WOLFEGROUP.COM)
Date: Thu Apr 05 2001 - 05:42:01 CDT


    Hmm... which part of RealSecure is not vulnerable? Host sensor? network
    sensor? I agree that host sensor might use lots of techniques besides
    pattern-matching, but as far as I noticed from trying RealSecure Network
    Sensor - it is the same old regexp thing :)

    regards,
    W.

    ----- Original Message -----
    From: "Rouland, Chris (ISSAtlanta)" <CRouland@ISS.NET>
    To: <FOCUS-IDS@SECURITYFOCUS.COM>
    Sent: Thursday, April 05, 2001 12:42 AM
    Subject: [FOCUS-IDS] ADMmutate IDS Evasion Tool

    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > ADMmutate Evasion Tool
    >
    > A new IDS evasion tool was announced at the CanSecWest Security
    > Conference on March 30, 2001. The tool was written by 'K2' and is
    > called ADMmutate. ADMmutate is using a polymorphic technique designed
    > to circumvent certain forms of signature based intrusion detection.
    >
    > All network based remote buffer overflow exploits have similarities in
    > how they function. ADMmutate has the ability to emulate the protocol
    > of the service the attacker is attempting to exploit. The data payload
    > (sometimes referred to as an egg) contains the instructions the
    > attacker wants to execute on the target machine. These eggs are
    > generally interchangeable and can be utilized in many different buffer
    > overflow exploits. ADMmutate uses several techniques to randomize the
    > contents of the egg in any given buffer overflow exploit. This
    > randomization effectively changes the content or 'signature' of the
    > exploit without changing the functionality of the exploit.
    >
    > Many IDS systems detect buffer overflow exploits by using a string
    > matching signature of the actual exploit payload content. ADMmutate is
    > effective in circumventing these IDS systems.
    >
    > ISS RealSecure uses different algorithms and methods of detection to
    > determine when a buffer overflow attack happens. These algorithms are
    > not affected by ADMmutate. ISS RealSecure has been confirmed as not
    > vulnerable to the ADMmutate tool.
    >
    > ISS X-Force is researching adding additional algorithms to identify
    > both specific ADMmutate attacks and generic polymorphic attacks to be
    > provided in conjunction with the buffer overflow alert. Providing
    > this additional information can help identify the sophistication level
    > of an attacker.
    >
    > Conclusion:
    >
    > ISS RealSecure has been confirmed as not vulnerable to the ADMmutate
    > evasive technique.
    >
    > When a new method to evade IDS appears, ISS X-Force researches and
    > augments our detection algorithms to identify these new methods and
    > techniques. X-Force regularly releases monthly X-Press Updates to
    > cover these issues and any new attacks. In case of a major issue,
    > X-Force has the option to release an emergency update. The IDS
    > technology is continuing to evolve at a rapid pace to protect against
    > any new evasive techniques and attacks. This ongoing vigilance adds
    > value to our entire protection solution.
    >
    >
    > -----BEGIN PGP SIGNATURE-----
    > Version: PGP 6.5
    >
    > iQA/AwUBOsuxL9/TKefTUYbMEQJVwQCeMcNy+0d2Da7opHOlOScf5qVEKYYAoMq5
    > hjGt0xOEDhunuHY41qCx/t9E
    > =jYLq
    > -----END PGP SIGNATURE-----
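The exchange above turns on one point: a byte-exact signature over the exploit "egg" stops matching once the egg's bytes are rewritten, while checks that look at the protocol exchange itself (the advisory's "different algorithms", which it does not spell out) can still fire. The following is an added example, not code from ISS, Neohapsis or either poster. It runs two constructed captures through a toy signature matcher and through a protocol-aware argument-length check. The protocol, the signature name, the maximum argument length and the payload bytes are all invented for the illustration; no real shellcode is used, and neither ADMmutate's actual transformations nor RealSecure's detection methods are reproduced.

```python
"""
Added example (not from the original thread): byte-exact payload signature
versus a protocol-aware length check, run over constructed sample captures.
"""
import re
from typing import List

# Constructed "eggs": arbitrary placeholder bytes standing in for a payload
# body. They are the same length but share no common byte sequence, which
# is the property a polymorphic rewrite gives a real payload.
KNOWN_EGG = b"EGG-BODY-PLACEHOLDER-VERSION-A"
VARIANT_EGG = b"egg.body.placeholder.version.b"

# Constructed captures framed like a line-oriented text protocol
# ("VERB <argument>\r\n"). The 300-byte filler plus the egg is the
# oversized argument a buffer-overflow attempt would carry.
CAPTURE_KNOWN = b"USER " + b"A" * 300 + KNOWN_EGG + b"\r\n"
CAPTURE_VARIANT = b"USER " + b"A" * 300 + VARIANT_EGG + b"\r\n"
CAPTURE_BENIGN = b"USER alice\r\n"

# Invented signature table: name -> exact byte pattern of a known egg.
SIGNATURES = {"overflow-egg-A": KNOWN_EGG}

# Assumed sane upper bound for an argument in this constructed protocol.
MAX_ARG_LEN = 64
CMD_RE = re.compile(rb"^([A-Z]{3,4}) (.*?)\r\n", re.DOTALL)


def signature_hits(data: bytes) -> List[str]:
    """Byte-exact matching: fires only when a known egg appears verbatim."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def protocol_hits(data: bytes) -> List[str]:
    """Protocol-aware check: parse the command and flag an oversized argument
    regardless of what bytes it contains."""
    m = CMD_RE.match(data)
    if not m:
        return []
    verb, arg = m.group(1), m.group(2)
    if len(arg) > MAX_ARG_LEN:
        return [f"{verb.decode()}-arg-oversized({len(arg)})"]
    return []


def inspect(data: bytes) -> List[str]:
    """Run both detectors and return every alert name raised for a capture."""
    return signature_hits(data) + protocol_hits(data)


if __name__ == "__main__":
    for label, capture in (("known", CAPTURE_KNOWN),
                           ("variant", CAPTURE_VARIANT),
                           ("benign", CAPTURE_BENIGN)):
        print(f"{label:8s} signature={signature_hits(capture)} "
              f"protocol={protocol_hits(capture)}")
```

Running it shows the signature matcher alerting on the known capture and staying silent on the variant, while the length check alerts on both and ignores the benign login. The length check is deliberately naive (a fixed cap per field) and serves only to make the distinction the thread is arguing about concrete: detection keyed to the exchange's structure survives a rewrite of the payload bytes, detection keyed to the bytes themselves does not.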