RE: Check Point Invented (R)(TM) the great sand-boxingand now protects you against "Day0"!

["Kohlenberg, Toby" <toby.kohlenberg () intel com>]

Gah! This is horrible! 

> -----Original Message-----
> From: dailydave-bounces () lists immunitysec com 
> [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of H D Moore
> Sent: Wednesday, July 06, 2005 5:54 PM
> To: dailydave () lists immunitysec com
> Subject: Re: [Dailydave] Check Point Invented (R)(TM) the 
> great sand-boxingand now protects you against "Day0"!
>
> Bahahaha, "wire-speed" executable code dissassembly and 
> analysis, because 
> *everyone* knows that executable code looks nothing like application 
> data! Hey, wait, whats this ascii-encoded shellcode thing...
>
> Some funny excerpts for those too lazy to scan through the 
> PDF. Too bad 
> their "design assumptions" cut their entire amazing idea out at the 
> knees :-)

thanks, I'm glad I didn't spend the time to read it, just from what's
below.

> 2. Network traffic does not usually contain executable machine 
> code. In 
> the rare cases where a legitimate executable code is 
> transferred over the 
> network (e.g. download of an .exe file), it can be easily 
> identified as 
> such. Typically, EXE files are sent from servers to clients, while 
> attacks are launched from clients to servers. 

Really? Gotta go tell Nimda, Witty, SQL Slammer and other worm 
authors that they are doing it wrong

> 3. It is possible to write an algorithm to detect machine code 
> in network 
> traffic with high accuracy, low false positives rates and high 
> performance. Based on the assumptions above, Check Point created an 
> algorithm that meets the design goals of the Malicious Code Protector. 
> Since Malicious Code Protector can detect machine code in network 
> traffic, and we know that each attack must have machine code from our 
> assumptions, the algorithm can detect actual attacks regardless of the 
> specific buffer overflow vulnerabilities an attack is exploiting.

That's a great assumption. Wish it were true.... Seems to me that we've
seen tools showing up constantly that are specifically built to make
this
false.

> Looking for Executable Code
>
> The heart of the Malicious Code Protector is a disassembler 
> engine that 
> can examine network traffic and detect executable code (i.e., 
> disassemble 
> binary data into machine assembly language). This ability to detect 
> executable code is related to the assumption that executable code is 
> normally not allowed to traverse a network, with the exception 
> of a few 
> well known cases, such as an FTP transfer of an executable 
> (*.exe) file.

How about downloading browser helper objects? Firefox extensions? 
Those are the easy ones based on looking at my running process list...

I feel sorry for the first network engineer that pitches this to me.
They're going to get their head bitten off.

t
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave