Dailydave mailing list archives
RE: Check Point Invented (R)(TM) the great sand-boxing and now protects you against "Day0"!
From: "Kohlenberg, Toby" <toby.kohlenberg () intel com>
Date: Thu, 7 Jul 2005 12:56:05 -0700
Gah! This is horrible!
-----Original Message-----
From: dailydave-bounces () lists immunitysec com [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of H D Moore
Sent: Wednesday, July 06, 2005 5:54 PM
To: dailydave () lists immunitysec com
Subject: Re: [Dailydave] Check Point Invented (R)(TM) the great sand-boxing and now protects you against "Day0"!

Bahahaha, "wire-speed" executable code disassembly and analysis, because *everyone* knows that executable code looks nothing like application data! Hey, wait, what's this ascii-encoded shellcode thing...

Some funny excerpts for those too lazy to scan through the PDF. Too bad their "design assumptions" cut their entire amazing idea out at the knees :-)
Thanks, I'm glad I didn't spend the time to read it, just from what's below.
2. Network traffic does not usually contain executable machine code. In the rare cases where a legitimate executable code is transferred over the network (e.g. download of an .exe file), it can be easily identified as such. Typically, EXE files are sent from servers to clients, while attacks are launched from clients to servers.
Really? Gotta go tell Nimda, Witty, SQL Slammer and other worm authors that they are doing it wrong.
3. It is possible to write an algorithm to detect machine code in network traffic with high accuracy, low false positives rates and high performance. Based on the assumptions above, Check Point created an algorithm that meets the design goals of the Malicious Code Protector. Since Malicious Code Protector can detect machine code in network traffic, and we know that each attack must have machine code from our assumptions, the algorithm can detect actual attacks regardless of the specific buffer overflow vulnerabilities an attack is exploiting.
That's a great assumption. Wish it were true.... Seems to me that we've seen tools showing up constantly that are specifically built to make this false.
Looking for Executable Code

The heart of the Malicious Code Protector is a disassembler engine that can examine network traffic and detect executable code (i.e., disassemble binary data into machine assembly language). This ability to detect executable code is related to the assumption that executable code is normally not allowed to traverse a network, with the exception of a few well known cases, such as an FTP transfer of an executable (*.exe) file.
How about downloading browser helper objects? Firefox extensions? Those are the easy ones based on looking at my running process list... I feel sorry for the first network engineer that pitches this to me. They're going to get their head bitten off.

t

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
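As an added illustration (this is not code from the Check Point paper and not from either poster), here is a small Python check for the one case the quoted assumption 2 calls "easily identified": a PE executable inside a byte stream, recognised by its DOS header and the PE signature that header points to, with the paper's own stated flow-direction rule (EXEs travel server to client) layered on top as a detection criterion. All sample bytes are constructed fixtures, the function names are mine, and the minimal PE stub is not a runnable program.

```python
import struct
from typing import List

MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"
DOS_HEADER_LEN = 0x40        # e_lfanew lives at 0x3C, so the header is 64 bytes
E_LFANEW_OFFSET = 0x3C


def find_pe_headers(data: bytes) -> List[int]:
    """Return every offset in `data` where a well-formed DOS+PE header pair starts.

    A bare "MZ" byte pair occurs in ordinary data all the time, so a candidate is
    only reported when the e_lfanew field points at "PE\\0\\0" inside the buffer.
    Truncated headers and out-of-range e_lfanew values are skipped, not treated
    as errors, because a stream scanner sees partial data constantly.
    """
    hits = []
    start = 0
    while True:
        i = data.find(MZ_MAGIC, start)
        if i < 0:
            break
        start = i + 1
        if i + DOS_HEADER_LEN > len(data):
            continue  # not enough bytes to read e_lfanew
        e_lfanew = struct.unpack_from("<I", data, i + E_LFANEW_OFFSET)[0]
        pe_off = i + e_lfanew
        # e_lfanew must point past the DOS header and leave room for the signature
        if e_lfanew < DOS_HEADER_LEN or pe_off + len(PE_MAGIC) > len(data):
            continue
        if data[pe_off:pe_off + len(PE_MAGIC)] == PE_MAGIC:
            hits.append(i)
    return hits


def build_minimal_pe_stub() -> bytes:
    """Constructed fixture: a DOS header whose e_lfanew (0x80) points at a PE
    signature followed by the IMAGE_FILE_MACHINE_I386 machine field. Not a program."""
    dos = bytearray(0x80)
    dos[0:2] = MZ_MAGIC
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x80)
    return bytes(dos) + PE_MAGIC + b"\x4c\x01"


def unexpected_executable(direction: str, data: bytes) -> bool:
    """Apply the paper's stated rule: EXEs are expected server->client ("s2c").
    A PE header in the client->server ("c2s") direction is flagged for review."""
    return direction == "c2s" and bool(find_pe_headers(data))


# --- constructed traffic samples -------------------------------------------
STUB = build_minimal_pe_stub()
RESPONSE_HEADERS = (b"HTTP/1.1 200 OK\r\n"
                    b"Content-Type: application/octet-stream\r\n"
                    b"Content-Length: 134\r\n\r\n")
HTTP_RESPONSE = RESPONSE_HEADERS + STUB                      # legitimate download
HTTP_REQUEST = (b"GET /downloads/setup.exe HTTP/1.1\r\n"
                b"Host: MZ.example\r\n\r\n")                   # "MZ" in plain text only
TRUNCATED_STUB = STUB[:0x50]                                  # header cut mid-transfer


def classify_samples() -> dict:
    """Run the checks over the constructed samples and return the verdicts."""
    return {
        "response_offsets": find_pe_headers(HTTP_RESPONSE),
        "request_offsets": find_pe_headers(HTTP_REQUEST),
        "truncated_offsets": find_pe_headers(TRUNCATED_STUB),
        "s2c_flagged": unexpected_executable("s2c", HTTP_RESPONSE),
        "c2s_flagged": unexpected_executable("c2s", STUB),
    }


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name}: {verdict}")
```

The check only answers the narrow question the excerpt claims is easy (is there a PE file in this stream, and which way is it going); it says nothing about raw machine code with no header at all, which is exactly the gap the replies above are poking at.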