IDS mailing list archives

Re: Polymorphic Shellcode detection

From: Jeremy Bennett <jeremy_f_bennett () yahoo com>
Date: Tue, 6 May 2003 14:36:52 -0700 (PDT)

ADMutate exploited weaknesses in the purely signature-based IDS. By
avoiding the patterns that the IDS looks for and accomplishing the same
goal it was able to circumvent the stored patterns. 
IDS technology has moved past purely pattern matching approaches. Even
ISS has some level of protocol analysis built in and I do not believe
it is still confused by ADMutate. The success of the protocol anamoly
detection systems like ManHunt (now owned by Symantec) and BlackICE
(now owned by ISS) proved that you can not rely soly on pattern
matching.

There are really two important aspects to intrusion detection. The
first is to detect that something has happened that was not supposed
to. The second is to provide enough information to the operator so that
he or she can respond to the threat, either by patching, blocking, or
shutting down a service. 

ADMutate may still do a good job of hindering the second approach for
some poorly written signatures but I'm fairly certain it is no longer a
tool that can totally evade today's IDS. 

-J
--- ulfabodo <ulfabodo () rediffmail com> wrote:

Hi,
i wanted to find if the present ids'es are able to detect 
ploymorphic shellcodes a.k.a the ADMmutate and its variants. i had 
just gone through K2's article and at that time he claims that ISS 
was not able to detect the method which he has given.
What about the other IDS vendors? Have they been able to detect 
such exploits? Can anyone throw some light on how the detection 
mechanism might work??

thanks,
ub

-------------------------------------------------------------------------------

Can you respond to attacks based on attack type, severity, source IP,
destination IP, number of times attacked, or the time of day an
attack
occurs? No? 
No wonder why you're swamped with false positives! 
Download a free 15-day trial of Border Guard and watch your false
positives disappear.

http://www.securityfocus.com/StillSecure-focus-ids2

-------------------------------------------------------------------------------



-------------------------------------------------------------------------------
Can you respond to attacks based on attack type, severity, source IP,
destination IP, number of times attacked, or the time of day an attack
occurs? No? 
No wonder why you're swamped with false positives! 
Download a free 15-day trial of Border Guard and watch your false
positives disappear.

http://www.securityfocus.com/StillSecure-focus-ids2
-------------------------------------------------------------------------------

Current thread:

Polymorphic Shellcode detection ulfabodo (May 06)
- Re: Polymorphic Shellcode detection Randy Taylor (May 06)
- Re: Polymorphic Shellcode detection Krzysztof Zaraska (May 06)
  - RE: Polymorphic Shellcode detection Aleksander P. Czarnowski (May 06)
- Re: Polymorphic Shellcode detection Jeremy Bennett (May 06)
- Re: Polymorphic Shellcode detection zheng (May 08)
  - Re: Polymorphic Shellcode detection sam stover (May 12)
    - Re: Polymorphic Shellcode detection Robert Graham (May 12)
- <Possible follow-ups>
- Re: Polymorphic Shellcode detection David Barroso (May 06)