From: Dragos Ruiu (drKYX.NET)
Date: Thu Apr 05 2001 - 05:29:58 CDT

    On Wed, 04 Apr 2001, Rouland, Chris (ISSAtlanta) wrote:
    > ISS RealSecure has been confirmed as not vulnerable to the ADMmutate
    > evasive technique.

    So what does this actually mean?

    As I see it you are either saying....

     a) we have no shellcode signatures

    or

     b) we have fed all the existing exploits through ADMmutate repeatedly
         and have identified other protocol traits to use for each signature
         independent of the shellcode for hundreds of exploits.

    I'm skeptical if you've had time to do the latter given the tool was announced
    last Thursday, so I'll assume you mean the former. :-)

    Marketing proclamations in technical forums can be dangerous I think.
    I'm not picking on ISS even though they "opted out" of my IDS comparison
    here BTW, but the above proclamation seemed particularly vaporous and premature,
    especially since the applications of K2's work are only now being explored.

    As many know I'm usually on the pro-IDS side, but some careful thought
    and analysis needs to go into bold statements like the above. It does the
    entire industry a disservice to try to spin control new developments like this
    if they turn out to be new difficult problems, which I think the jury is still
    out on as far as ADMmutate goes.... (I'm sure as **** not fully sure how much of
    a threat/IDS-problem this is yet, personally....)

    cheers,
    --dr

    --
    Dragos Ruiu <drdursec.com>   dursec.com ltd. / kyx.net - we're from the future
    gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc