From: Siddhartha Jain (losttoy2000YAHOO.CO.UK)
Date: Mon Apr 09 2001 - 07:54:29 CDT
Can somebody independently confirm this? Or has anybody tested the ADMmutate
tool against various IDSs and has a list of affected IDSs?
----- Original Message -----
From: "Rouland, Chris (ISSAtlanta)" <CRoulandISS.NET>
Sent: Thursday, April 05, 2001 5:12 AM
Subject: ADMmutate IDS Evasion Tool
> ADMmutate Evasion Tool
> A new IDS evasion tool was announced at the CanSecWest Security
> Conference on March 30, 2001. The tool was written by 'K2' and is
> called ADMmutate. ADMmutate is using a polymorphic technique designed
> to circumvent certain forms of signature based intrusion detection.
> All network based remote buffer overflow exploits have similarities in
> how they function. ADMmutate has the ability to emulate the protocol
> of the service the attacker is attempting to exploit. The data payload
> (sometimes referred to as an egg) contains the instructions the
> attacker wants to execute on the target machine. These eggs are
> generally interchangeable and can be utilized in many different buffer
> overflow exploits. ADMmutate uses several techniques to randomize the
> contents of the egg in any given buffer overflow exploit. This
> randomization effectively changes the content or 'signature' of the
> exploit without changing the functionality of the exploit.
> Many IDS systems detect buffer overflow exploits by using a string
> matching signature of the actual exploit payload content. ADMmutate is
> effective in circumventing these IDS systems.
> ISS RealSecure uses different algorithms and methods of detection to
> determine when a buffer overflow attack happens. These algorithms are
> not affected by ADMmutate. ISS RealSecure has been confirmed as not
> vulnerable to the ADMmutate tool.
> ISS X-Force is researching adding additional algorithms to identify
> both specific ADMmutate attacks and generic polymorphic attacks to be
> provided in conjunction with the buffer overflow alert. Providing
> this additional information can help identify the sophistication level
> of an attacker.
> ISS RealSecure has been confirmed as not vulnerable to the ADMmutate
> evasive technique.
> When a new method to evade IDS appears, ISS X-Force researches and
> augments our detection algorithms to identify these new methods and
> techniques. X-Force regularly releases monthly X-Press Updates to
> cover these issues and any new attacks. In case of a major issue,
> X-Force has the option to release an emergency update. The IDS
> technology is continuing to evolve at a rapid pace to protect against
> any new evasive techniques and attacks. This ongoing vigilance adds
> value to our entire protection solution.
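As an added illustration of the distinction the ISS note draws (this is example code, not from the list post or from ISS), the Python below runs two detectors over constructed samples: an exact string-matching signature of the kind the note says ADMmutate defeats, and a simple protocol-anomaly check on the command argument. The "mutated" payload is seeded random bytes standing in for a polymorphic egg (it is not an encoder), and the length and entropy thresholds are assumptions.

```python
import math
import random

# Constructed stand-in for a fixed exploit "egg": a NOP sled plus a
# recognisable string. No real shellcode is needed to show the point.
FIXED_EGG = b"\x90" * 32 + b"/bin/sh\x00" + b"A" * 24

# A byte signature of the kind a string-matching IDS would carry for it.
SIGNATURES = {"fixed-egg": b"\x90" * 8 + b"/bin/sh"}


def mutated_egg(seed=1):
    """Constructed stand-in for a polymorphic variant of FIXED_EGG: same
    length, no stable byte sequence. Seeded PRNG output, not an encoder."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(len(FIXED_EGG)))


def signature_match(payload):
    """String matching as described in the note: exact substring search."""
    return [name for name, sig in SIGNATURES.items() if sig in payload]


def shannon_entropy(data):
    """Bits of entropy per byte; high values suggest encoded/random bytes."""
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data))


def field_anomaly(payload, max_len=40, min_entropy=5.0):
    """Protocol-aware check: flag a command argument that is far longer than
    the command legitimately allows, or that looks like random machine bytes.
    Thresholds are assumed values for this example."""
    _, _, arg = payload.partition(b" ")
    return len(arg) > max_len or (len(arg) > 0 and shannon_entropy(arg) > min_entropy)


# Constructed traffic samples: a benign FTP-style command, the fixed egg sent
# as an oversized USER argument, and the mutated variant of the same attack.
SAMPLES = {
    "benign": b"USER anonymous",
    "fixed": b"USER " + FIXED_EGG,
    "mutated": b"USER " + mutated_egg(),
}


def evaluate():
    """Run both detectors over every sample; returns {sample: {detector: hit}}."""
    return {name: {"signature": bool(signature_match(p)), "anomaly": field_anomaly(p)}
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:8s} signature={verdict['signature']!s:5s} anomaly={verdict['anomaly']}")
```

The signature detector misses the mutated sample entirely, while the length/entropy check flags both overflow attempts and leaves the benign command alone.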