IDS mailing list archives

Re: Polymorphic Shellcode detection


From: zheng () intruvert com
Date: Thu, 8 May 2003 10:52:35 -0700

Hi all,

Sorry that I did not get to jump in earlier, but I hope you find the
info useful when you consider shellcode detection capabilities. I work
for IntruVert, but my discussion will be from a general technology
perspective and without anything specific to IntruVert's algorithm, which
is patent pending.

Many efforts have been proposed to tackle this problem. I will briefly
discuss the pros and cons for each of them.

The most basic way is to search for syscall instructions like "cd80"
or nop instructions like "9090" in a buffer. You can find those in the
snort signature set. This approach can be easily fooled by
ADMutate. The F.P. (false positive) and the F.N. (false negative) for this
one are both high.

ISS's way, which checks for the number of binary bytes in a certain
buffer, is kind of anomaly-based. This method was useful 3 years ago,
but is kind of obsolete nowadays. The reason is that there are a bunch
of ASCII/printable shellcode generators floating around. They can
eliminate the binary in your shellcode by generating an equivalent
shellcode that does not have any binary bytes at all. And, many http buffer
overflows can use encoding to bypass the binary check (though this can be
solved by IDS decoding). Finally, as a very basic anomaly checking
method, it fails to protect those fields that allow binary bytes in the
first place. Given that limitation, the F.N. is lower for this
approach, but the F.P. is generally higher than snort in real world
traffic.

Fnord, as some posts have mentioned, tried to extend the limited snort
pattern checking to a larger set. It checks for many more NOP/SYS
variants, not only the 9090s, e.g. the "jmp 02"-like instructions. It can catch
ADMutated shell code in general, but, still can be bypassed by specially
crafted shell codes. And, I believe minor modification to ADMutate can
produce shellcode that will evade Fnord. More variants checking also
poses a performance issue.

There is a paper from the academic world [Thomas02,Christopher02], trying to
address this issue in a time-consuming but more intelligent way. It
tries to see if there is an instruction block in one buffer. However, the
complexity of the algorithm may prevent it from being suitable for
high-speed commercial implementation. But, it can produce good results
on F.N. numbers.

Another approach to robust shellcode detection is based on more
sophisticated application anomaly, which can provide higher accuracy
(low false positive) and low false negative. IntruVert Networks' method
is one of the good examples. IntruVert's shellcode detection module is
integrated with its IntruShield systems from day one. Its ability to
detect polymorphic shellcode has been successfully tested in all major
independent test labs, including Miercom labs, Neohapsis, and NSS
Group in UK. This capability is implemented in both I2600 (600Mbps)
and I4000 (2Gbps).


 

Bu,Zheng zheng () intruvert com

----------------------------------------

%5556%2221PYTX%5556%2221P\QX-5557-5557-5559PQX-3a64-3a64-3a66PQX-766f-76
6f-7870PQX-445e-445e-455ePQX-4532-4532-4633PQX-3232-3232-3333PQX-3032-30
32-3132PQX-393a-393a-3a3aPQX-393a-393a-3b3aPQX-5541-5541-5641PQX-5555-55
55-5555P


-----Original Message-----
From: ulfabodo [mailto:ulfabodo () rediffmail com]
Sent: Tuesday, May 06, 2003 4:24 AM
To: focus-ids () securityfocus com
Subject: Polymorphic Shellcode detection

Hi,
I wanted to find out if the present IDSes are able to detect
polymorphic shellcodes a.k.a. the ADMmutate and its variants. I had
just gone through K2's article and at that time he claims that ISS
was not able to detect the method which he has given.
What about the other IDS vendors? Have they been able to detect
such exploits? Can anyone throw some light on how the detection
mechanism might work?

thanks,
ub
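As an added illustration of the three heuristic classes Zheng compares above (this is example code written for this archive page, not IntruVert, ISS, Snort or Fnord code), the block below implements toy versions of a literal "cd80"/"9090" signature match, an ISS-style binary-byte ratio, and a Fnord-style count of consecutive single-byte NOP-equivalent instructions, and runs them over a few constructed buffers. The NOP-equivalent table, the thresholds and the sample buffers are assumptions chosen for the demonstration; it also shows the IDS-side URL decoding step that Zheng says closes the HTTP encoding gap, and the false positive on plain ASCII padding that such checks are known for.

```python
# Added example: toy implementations of the shellcode heuristics compared in
# the post above. None of this is IntruVert, ISS, Snort or Fnord code; the
# opcode table, thresholds and sample buffers are assumptions for illustration.
from urllib.parse import unquote_to_bytes

# 1. Snort-style literal content signatures (the "cd80" / "9090" check).
SIGNATURES = {
    "int 0x80 syscall": b"\xcd\x80",
    "nop sled": b"\x90" * 8,
}

# 3. Fnord-style table of single-byte x86 instructions that can stand in for
#    NOP inside a sled (public, well-known opcodes; trimmed list, an assumption).
NOP_EQUIVALENTS = frozenset(
    [0x90]                              # nop
    + list(range(0x40, 0x50))           # inc/dec r32 (note 0x41 is ASCII 'A')
    + [0x97, 0x98, 0x99, 0x9e, 0x9f]    # xchg eax,edi; cwde; cdq; sahf; lahf
    + [0xf8, 0xf9, 0xfc, 0xfd]          # clc; stc; cld; std
    + [0x27, 0x2f, 0x37, 0x3f]          # daa; das; aaa; aas
)


def signature_hits(buf):
    """Names of literal signatures present in buf."""
    return [name for name, pat in SIGNATURES.items() if pat in buf]


def binary_ratio(buf):
    """Fraction of bytes outside printable ASCII (the ISS-style anomaly check)."""
    if not buf:
        return 0.0
    nonprintable = sum(1 for b in buf if b < 0x20 or b > 0x7e)
    return nonprintable / len(buf)


def longest_nop_run(buf):
    """Length of the longest run of consecutive NOP-equivalent bytes (Fnord-style)."""
    best = run = 0
    for b in buf:
        run = run + 1 if b in NOP_EQUIVALENTS else 0
        best = max(best, run)
    return best


def analyse(buf, decode=True, binary_threshold=0.5, sled_threshold=16):
    """Run all three heuristics. decode=True first undoes %xx URL encoding,
    which is the IDS-side decoding the post mentions for HTTP traffic."""
    data = unquote_to_bytes(buf) if decode else buf
    return {
        "signatures": signature_hits(data),
        "binary_flag": binary_ratio(data) >= binary_threshold,
        "sled_flag": longest_nop_run(data) >= sled_threshold,
    }


# Constructed sample buffers: only the byte patterns the heuristics key on,
# no working payloads.
CLASSIC = b"\x90" * 32 + b"\xcd\x80" + b"A" * 10      # textbook sled + syscall bytes
MUTATED = b"\x97\x99\x40\xf8\x98\x9e\x27\x48" * 4      # sled built from NOP substitutes
PRINTABLE = b"PYTX%5556%2221" * 4                      # all-ASCII, like the sig block above
ENCODED = b"GET /x?a=" + b"%90" * 20 + b"%cd%80"        # same bytes hidden by %xx encoding
ASCII_PADDING = b"A" * 64                              # benign-looking crash-test padding


if __name__ == "__main__":
    for name, buf in [("classic", CLASSIC), ("mutated", MUTATED),
                      ("printable", PRINTABLE), ("ascii padding", ASCII_PADDING)]:
        print(f"{name:14s} {analyse(buf)}")
    print(f"{'encoded/raw':14s} {analyse(ENCODED, decode=False)}")
    print(f"{'encoded/dec':14s} {analyse(ENCODED, decode=True)}")
```

Reading the output against the post: the classic buffer trips everything; the mutated sled has no "cd80" or "9090" bytes so the literal signatures miss it while the NOP-equivalent run still catches it; the printable buffer evades all three, which is the weakness Zheng attributes to the binary-byte check; the %xx-encoded request looks clean until it is decoded; and 64 bytes of "A" (inc ecx) are reported as a sled, the kind of false positive that grows as the NOP table grows.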



