Firewall Wizards mailing list archives

Re: Efficiently detecting obfuscated shell code


From: "Don Parker" <dparker () rigelksecurity com>
Date: Wed, 4 Feb 2004 14:01:20 -0500 (EST)

Hi Joseph, undoubtedly, heuristics is the name of the game when it comes to detecting this stuff. Some of the stuff out there is pretty good indeed, but with so many variants possible, is it truly effective >>99% of the time? I would say not myself. This is where the human interface has to be top-notch, or at least educated in this area. The gear is an excellent starting point, but the human eye needs to be educated as well.

Cheers!

Don

-------------------------------------------
Don Parker, GCIA
Intrusion Detection Specialist
Rigel Kent Security & Advisory Services Inc
www.rigelksecurity.com
ph :613.249.8340
fax:613.249.8319
--------------------------------------------

On Feb 4, Joseph S D Yao <jsdy () center osis gov> wrote:

On Wed, Feb 04, 2004 at 11:39:16AM -0500, Don Parker wrote:
Hey guys/gals, I have been sending this question around some of the lists, and have had little real discussion on it. Question being: is it possible to reliably detect an obfuscated egg? Many of the IDS signatures I have seen are a little loose, and always go for the NOP sled with some port matching.
...

Hi, Don.

Question being: define "reliably".  ;-)

If you mean 100%, then IIRC certain famous mathematicians who were
actually true "computer scientists" proved that it was not possible to
always determine the output of a program, which is equivalent to
determining whether a sequence of bytes is in fact intended to be a
program with some kind of specific goal in mind.

If you mean "pretty reliably", e.g., >> 99%, then it's a matter of
throwing heuristics with very low false negatives at the problem faster
than the bad guys can beat them.  Because [see above] they will always
be able to.

-- 
Joe Yao                         jsdy () center osis gov - Joseph S. D. Yao
OSIS Center Systems Support                                     EMT-B
-----------------------------------------------------------------------
   This message is not an official statement of OSIS Center policies.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
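Added example, not part of the thread and not taken from any IDS product: the loose "run of 0x90" signature Don describes, placed next to the kind of broader heuristic Joe is pointing at (a run of single-byte x86 instructions that all behave like padding), run over constructed payloads. The opcode list, the sample bytes, the threshold and the function names are assumptions chosen for illustration.

```python
"""
Added example (not from the mailing-list thread): a naive 0x90 NOP-sled
signature next to a broader single-byte "sled-equivalent" heuristic, run
over constructed payloads. The opcode subset and the sample bytes are
assumptions made for this illustration, not output of any real IDS.
"""
from typing import Callable, List, Tuple

# Single-byte x86 instructions that do not disturb execution flow, so an
# attacker can pad a sled with them instead of 0x90. This is a small,
# illustrative subset (assumption); real polymorphic sled tools use more.
SLED_EQUIVALENTS = frozenset(
    [0x90]                                  # nop
    + list(range(0x40, 0x50))               # inc r32 / dec r32
    + [0x91, 0x92, 0x93, 0x95, 0x96, 0x97]  # xchg eax, r32 (esp excluded)
    + [0x98, 0x99]                          # cwde, cdq
    + [0x9E, 0x9F]                          # sahf, lahf
    + [0xF5, 0xF8, 0xF9, 0xFC, 0xFD]        # cmc, clc, stc, cld, std
)


def runs(data: bytes, accept: Callable[[int], bool],
         min_len: int) -> List[Tuple[int, int]]:
    """Return (offset, length) of every maximal run of bytes that satisfy
    accept() and is at least min_len bytes long."""
    found: List[Tuple[int, int]] = []
    start = None
    for i, b in enumerate(data):
        if accept(b):
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                found.append((start, i - start))
            start = None
    if start is not None and len(data) - start >= min_len:
        found.append((start, len(data) - start))
    return found


def classic_sled(data: bytes, min_len: int = 16) -> List[Tuple[int, int]]:
    """The loose signature: a run of literal 0x90 bytes."""
    return runs(data, lambda b: b == 0x90, min_len)


def equivalent_sled(data: bytes, min_len: int = 16) -> List[Tuple[int, int]]:
    """Heuristic: a run of bytes that are all sled-equivalent opcodes,
    regardless of whether any of them is an actual 0x90."""
    return runs(data, lambda b: b in SLED_EQUIVALENTS, min_len)


def classify(data: bytes, min_len: int = 16) -> str:
    """Report which detector (if any) fires on a payload."""
    if classic_sled(data, min_len):
        return "classic-sled"
    if equivalent_sled(data, min_len):
        return "sled-equivalent"
    return "clean"


# Constructed payloads (not captured traffic). 0xCC stands in for the egg.
CLASSIC = b"HOST=" + b"\x90" * 32 + b"\xcc" * 8

# Same layout, sled rewritten with inc/dec/xchg/cdq/flag ops: no 0x90 at all.
MUTATED_SLED = bytes([0x41, 0x49, 0x97, 0x99, 0x40, 0x48, 0xF8, 0xFC] * 4)
OBFUSCATED = b"HOST=" + MUTATED_SLED + b"\xcc" * 8

# Benign text: '@' and 'A'..'O' are 0x40..0x4F, i.e. inc/dec opcodes, so a
# run of uppercase letters looks exactly like an obfuscated sled.
BENIGN = b"ID=" + b"A" * 24 + b"\r\n"


if __name__ == "__main__":
    for name, sample in (("classic", CLASSIC),
                         ("obfuscated", OBFUSCATED),
                         ("benign", BENIGN)):
        print(f"{name:10s} naive={classic_sled(sample)} "
              f"heuristic={equivalent_sled(sample)} -> {classify(sample)}")
```

The mutated payload never contains 0x90, so the literal signature misses it while the opcode-class heuristic still sees a 32-byte run. The benign sample shows the price of that: the same heuristic fires on 24 uppercase letters, which is the false-positive load a detector tuned for very low false negatives hands to the analyst.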