Re: Obfuscated web pages

[partner50113371 () vansoftcorp com]

> Oddly enough, I just published a paper on >shellcode encoding for evading
> network security/monitoring systems that cites >two different projects
> that attempt to do this type of thing for >shellcode in real-time in a
> sandbox environment, however they both were not >ID/PS systems:
>
> http://www.uninformed.org/?v=9&a=3&t=sumry

I checked your biblio and much of the existing work done in the area of IDS/IPS evasion using payload customization and 
attack blending is not mentioned there.

Have you seen the paper from Georgia Tech Information Security Group by Kolesnikov and Lee on polymorphic blending 
published in 2004?

1.Kolesnikov, Lee
Advanced Polymorphic Worms: Evading IDS by Blending in with Normal Traffic,
http://smartech.gatech.edu/handle/1853/6485

The paper described creating custom attacks/payloads based on knowledge about the target network so as to evade IDS.

Also, see the following follow-up work from UC Berkeley and CMU:
1. Song, Newsome, et al.
Polygraph: Automatically Generating Signatures
for Polymorphic Worms
http://www.cs.berkeley.edu/~dawnsong/papers/polygraph.pdf

The work suggests ways to address the threat and discussed possible solutions.

2. Fogla, Sharif, et al.
Polymorphic Blending Attacks
http://www.usenix.org/events/sec06/tech/fogla.html

The work formalizes the concept of polymorphic blending attacks.

Roy

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------