Firewall Wizards mailing list archives
Re: Efficiently detecting obfuscated shell code
From: Joseph S D Yao <jsdy () center osis gov>
Date: Wed, 4 Feb 2004 13:57:00 -0500
On Wed, Feb 04, 2004 at 11:39:16AM -0500, Don Parker wrote:
Hey guys/gals, I have been sending this question around some of the lists, and have had little real discussion on it. Question being: is it possible to reliably detect an obfuscated egg? Many of the IDS signatures I have seen are a little loose, and always go for the NOP sled with some port matching.
... Hi, Don. Question being: define "reliably". ;-)

If you mean 100%, then IIRC certain famous mathematicians who were actually true "computer scientists" proved that it was not possible to always determine the output of a program, which is equivalent to determining whether a sequence of bytes is in fact intended to be a program with some kind of specific goal in mind.

If you mean "pretty reliably", e.g., >> 99%, then it's a matter of throwing heuristics with very low false negatives at the problem faster than the bad guys can beat them. Because [see above] they will always be able to.

--
Joe Yao jsdy () center osis gov - Joseph S. D. Yao
OSIS Center Systems Support EMT-B
-----------------------------------------------------------------------
This message is not an official statement of OSIS Center policies.
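The "loose" sled signature Don mentions and the heuristic trade-off Joe describes, as an added example that is not code from either poster or from any IDS: a strict 0x90-only run-length rule beside a wider one, run over constructed payloads to show where each fires and where the wider one false-positives. The opcode set (0x90 plus the single-byte 0x40-0x4f inc/dec instructions) and the run-length threshold are assumptions chosen for illustration.

```python
from typing import Dict, FrozenSet

# Assumed set of single-byte x86 opcodes an IDS rule might treat as
# "sled-capable": 0x90 (nop) and 0x40-0x4f (inc/dec r32).
SLED_BYTES: FrozenSet[int] = frozenset({0x90} | set(range(0x40, 0x50)))
NOP_ONLY: FrozenSet[int] = frozenset({0x90})


def longest_sled_run(payload: bytes, sled_bytes: FrozenSet[int] = SLED_BYTES) -> int:
    """Length of the longest contiguous run of sled-capable bytes in payload."""
    best = run = 0
    for b in payload:
        run = run + 1 if b in sled_bytes else 0
        best = max(best, run)
    return best


def classify(payload: bytes, threshold: int = 14) -> Dict[str, bool]:
    """Which heuristic fires: the strict 0x90-only rule and the wider opcode set."""
    return {
        "nop_only": longest_sled_run(payload, NOP_ONLY) >= threshold,
        "sled_set": longest_sled_run(payload) >= threshold,
    }


# Constructed sample payloads (not captured traffic); 0xcc stands in for a body.
SAMPLES: Dict[str, bytes] = {
    "plain_nop_sled": b"GET /" + b"\x90" * 32 + b"\xcc" * 8,
    "inc_dec_sled": b"GET /" + bytes([0x41, 0x42, 0x43, 0x40] * 8) + b"\xcc" * 8,
    "benign_request": b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n",
    "benign_caps": b"TOKEN=" + b"A" * 40,  # 'A' is 0x41 (inc ecx): a false positive
}


def evaluate(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, Dict[str, bool]]:
    """Run both heuristics over every sample; the wider set catches the
    non-0x90 sled but also flags a run of capital letters."""
    return {name: classify(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:15s} nop_only={verdict['nop_only']!s:5s} sled_set={verdict['sled_set']}")
```

Adding a port match, as the signatures Don saw do, narrows the false positive on `benign_caps` but does nothing for a sled built from bytes outside the assumed set, which is the gap Joe's "faster than the bad guys" remark is about.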