Firewall Wizards mailing list archives
Efficiently detecting obfuscated shell code
From: "Don Parker" <dparker () rigelksecurity com>
Date: Wed, 4 Feb 2004 11:39:16 -0500 (EST)
Hey guys/gals,

I have been sending this question around some of the lists, and have had little real discussion on it. Question being: is it possible to reliably detect an obfuscated egg? Many of the IDS signatures I have seen are a little loose, and always go for the NOP sled with some port matching. The problem though is that it is a relatively trivial matter to sub the NOP with an ASCII character. Or someone who has a little more skill can insert another 1-byte function that won't affect the egg itself. These IDS evasion attempts are becoming more widely known. With the prevalence of such programs as ADMutate and phiral.c simplifying the task, as it were, this will probably become more prevalent.

It's not every company which has layered defences which include application level firewalls, and a properly tuned IDS with good signatures. This is not even taking into account an analyst who will recognize what they are seeing. Snort's fnord does a good job of detecting shell code actually, and known obfuscated variants too. Any thoughts on this?

Cheers!

Don

-------------------------------------------
Don Parker, GCIA
Intrusion Detection Specialist
Rigel Kent Security & Advisory Services Inc
www.rigelksecurity.com
ph :613.249.8340
fax:613.249.8319
--------------------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Efficiently detecting obfuscated shell code Don Parker (Feb 04)
- Re: Efficiently detecting obfuscated shell code Paul Robertson (Feb 04)
- Re: Efficiently detecting obfuscated shell code Joseph S D Yao (Feb 04)
- RE: Efficiently detecting obfuscated shell code Eugene Kuznetsov (Feb 04)
- <Possible follow-ups>
- Re: Efficiently detecting obfuscated shell code Don Parker (Feb 04)
- Re: Efficiently detecting obfuscated shell code Don Parker (Feb 04)