Firewall Wizards mailing list archives

Efficiently detecting obfuscated shell code


From: "Don Parker" <dparker () rigelksecurity com>
Date: Wed, 4 Feb 2004 11:39:16 -0500 (EST)

Hey guys/gals, I have been sending this question around some of the lists, and have had 
little real discussion on it. Question being: is it possible to reliably detect an 
obfuscated egg? Many of the IDS signatures I have seen are a little loose, and always go 
for the NOP sled with some port matching. 

The problem though is that it is a relatively trivial matter to sub the NOP with an 
ASCII character. Or someone who has a little more skill can insert another 1-byte 
instruction that won't affect the egg itself. These IDS evasion attempts are becoming more 
widely known. With the prevalence of such programs as ADMutate and phiral.c simplifying 
the task, as it were, this will probably become more prevalent. 

It's not every company which has layered defences which include application-level 
firewalls and a properly tuned IDS with good signatures. This is not even taking into 
account an analyst who will recognize what they are seeing. Snort's fnord does a good 
job of detecting shell code actually, and known obfuscated variants too. Any thoughts on 
this? 

Cheers!

Don

-------------------------------------------
Don Parker, GCIA
Intrusion Detection Specialist
Rigel Kent Security & Advisory Services Inc
www.rigelksecurity.com
ph :613.249.8340
fax:613.249.8319
--------------------------------------------
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
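An added example, not part of Don's post and not Snort's fnord code, of the kind of check fnord-style detection performs: instead of matching a literal run of 0x90, it looks for long runs of any single-byte x86 instruction that leaves a later payload unaffected, which is what catches an ASCII-substituted sled. The opcode set, the 32-byte threshold and the sample buffers are assumptions constructed for the example.

```python
"""Detect runs of single-byte x86 instructions used as NOP-equivalent sled filler.

Added example, not from the original post or from Snort's fnord preprocessor.
The opcode set below is an assumption: a representative subset of one-byte x86
instructions that do not disturb a following payload, not an exhaustive list.
"""
from typing import List, Tuple

# Representative one-byte x86 opcodes that can stand in for NOP in a sled.
# Note that 0x41..0x4F are the ASCII letters 'A'..'O', which is exactly why a
# sled of capital letters slips past a signature that only looks for 0x90.
NOP_EQUIVALENTS = frozenset(
    [0x90]                              # nop
    + list(range(0x40, 0x50))           # inc/dec r32
    + list(range(0x91, 0x98))           # xchg eax, r32
    + [0x27, 0x2F, 0x37, 0x3F]          # daa, das, aaa, aas
    + [0x98, 0x99, 0x9B, 0x9E, 0x9F]    # cwde, cdq, fwait, sahf, lahf
    + [0xF5, 0xF8, 0xF9, 0xFC, 0xFD]    # cmc, clc, stc, cld, std
)


def find_sleds(data: bytes, min_len: int = 32) -> List[Tuple[int, int]]:
    """Return (offset, length) for every maximal run of NOP-equivalent bytes
    of at least min_len bytes. The threshold is what keeps short runs of
    capital letters in ordinary traffic from firing."""
    hits: List[Tuple[int, int]] = []
    start = None
    for i, b in enumerate(data):
        if b in NOP_EQUIVALENTS:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                hits.append((start, i - start))
            start = None
    if start is not None and len(data) - start >= min_len:
        hits.append((start, len(data) - start))
    return hits


def longest_run(data: bytes) -> int:
    """Length of the longest NOP-equivalent run, useful for threshold tuning."""
    return max((length for _, length in find_sleds(data, 1)), default=0)


# Constructed sample buffers (the payload is a placeholder string, not code).
CLASSIC_SLED = b"\x90" * 64 + b"<payload placeholder>"          # plain 0x90 sled
ASCII_SLED = b"A" * 64 + b"<payload placeholder>"               # 'A' = inc ecx
MIXED_SLED = bytes([0x41, 0x99, 0x27, 0x40, 0xF8, 0x9E, 0x42, 0x90]) * 8
BENIGN_HTTP = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for name, buf in [("classic", CLASSIC_SLED), ("ascii", ASCII_SLED),
                      ("mixed", MIXED_SLED), ("benign", BENIGN_HTTP)]:
        print(name, find_sleds(buf), "longest run:", longest_run(buf))
```

The benign HTTP request never produces a run longer than two bytes, because lowercase letters, digits and whitespace all fall outside the set; the three sled variants each report one 64-byte run at offset 0. The obvious tuning caveat is that a long block of uppercase text restricted to A..O would also trip the check, so the threshold (and whether the run is followed by something that looks executable) is where a real preprocessor spends its effort.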
