IDS mailing list archives

Evasion with OLE2 Fragmentation


From: "H D Moore" <sflist () digitaloffense net>
Date: Fri, 15 May 2009 08:36:51 -0500

This applies more to AVs than IPS, but is yet another thing for IDS sig developers to be aware of:

- http://www.breakingpointsystems.com/community/blog/evasion-with-ole2-fragmentation

"At BreakingPoint, we provide comprehensive coverage of Microsoft Tuesday patches. This Tuesday was no different and we released StrikePacks 45799 and 45800 to cover MS09-017 (the PowerPoint vulnerabilities). In addition to writing exploits for these flaws, we also research application-specific evasion methods. In the case of file format flaws, we support evasion at every level, including techniques like IP fragmentation, alternate MIME encodings, HTTP compression, and data randomization within the files themselves. While working on Strike coverage for MS09-017, we discovered a simple way to bypass mainstream anti-virus and IPS signatures for malicious Office documents. This post talks about the method we used and some of our test results against popular anti-virus products."

-HD
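As an added illustration of the evasion the forwarded post is about (this is not HD Moore's code or BreakingPoint's tool; the quoted excerpt does not describe the mechanism, and the following assumes "OLE2 fragmentation" means laying a stream's 512-byte sectors out non-adjacently and out of order in the compound file), the script below builds two minimal OLE2/CFB documents in memory with a made-up stream name and marker string. A raw byte search, the way a naive file signature works, finds the marker only in the file whose sectors are contiguous; walking the FAT chain, the way a real OLE2 parser does, finds it in both. The chain walker also guards against looped FAT chains, which hostile files can use to hang a scanner.

```python
"""OLE2 (Compound File Binary) stream fragmentation vs. FAT-walking parser.
Added example; the stream name, marker and layout are constructed here."""
import struct

SECTOR = 512
ENDOFCHAIN, FREESECT, FATSECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFF
MARKER = b"EXAMPLE-SIGNATURE-STRING"   # stands in for the bytes a signature keys on (constructed)
STREAM_NAME = "Payload"                # made-up stream name (assumption)
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

def make_stream_data(size=10 * SECTOR):
    """Filler with MARKER straddling the first sector boundary (constructed input).
    10 sectors keeps the stream above the 4096-byte mini-stream cutoff."""
    off = SECTOR - len(MARKER) // 2
    return b"A" * off + MARKER + b"B" * (size - off - len(MARKER))

def dir_entry(name, otype, child, start, size):
    """One 128-byte directory entry (name UTF-16LE, type, siblings, start sector, size)."""
    raw = name.encode("utf-16-le") + b"\0\0" if name else b""
    return struct.pack("<64sHBBIII16sIQQIQ", raw, len(raw), otype, 1, NOSTREAM, NOSTREAM,
                       child, b"\0" * 16, 0, 0, 0, start, size)

def build_ole2(data, fragmented):
    """Minimal v3 CFB: sector 0 = FAT, sector 1 = directory, data sectors after that.
    fragmented=True stores the stream's sectors reversed with a free sector between each."""
    n = -(-len(data) // SECTOR)
    if fragmented:
        pos = [2 + 2 * (n - 1 - i) for i in range(n)]
        total = 2 + 2 * n
    else:
        pos = [2 + i for i in range(n)]
        total = 2 + n
    fat = [FREESECT] * (SECTOR // 4)
    fat[0], fat[1] = FATSECT, ENDOFCHAIN               # FAT sector itself; single directory sector
    for i, p in enumerate(pos):                         # link the stream's sectors in logical order
        fat[p] = pos[i + 1] if i + 1 < n else ENDOFCHAIN
    header = struct.pack("<8s16sHHHHH6sIIIIIIIII", OLE_MAGIC, b"\0" * 16, 0x3E, 3, 0xFFFE, 9, 6,
                         b"\0" * 6, 0, 1, 1, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    difat = struct.pack("<109I", 0, *([FREESECT] * 108))   # FAT lives in sector 0
    sectors = [b"\xCC" * SECTOR] * total                    # free sectors hold junk filler
    sectors[0] = struct.pack("<128I", *fat)
    sectors[1] = (dir_entry("Root Entry", 5, 1, ENDOFCHAIN, 0)
                  + dir_entry(STREAM_NAME, 2, NOSTREAM, pos[0], len(data))
                  + dir_entry("", 0, NOSTREAM, 0, 0) * 2)
    padded = data + b"\0" * (n * SECTOR - len(data))
    for i, p in enumerate(pos):
        sectors[p] = padded[i * SECTOR:(i + 1) * SECTOR]
    return header + difat + b"".join(sectors)

def read_stream(blob, name):
    """Recover a stream by following its FAT chain, as a real OLE2 parser must."""
    if blob[:8] != OLE_MAGIC:
        raise ValueError("not an OLE2 file")
    ssz = 1 << struct.unpack_from("<H", blob, 0x1E)[0]
    nfat = struct.unpack_from("<I", blob, 0x2C)[0]
    first_dir = struct.unpack_from("<I", blob, 0x30)[0]
    sector = lambda i: blob[(i + 1) * ssz:(i + 2) * ssz]
    fat = []                                            # FAT sectors listed in the header DIFAT
    for k in struct.unpack_from("<%dI" % nfat, blob, 0x4C):
        fat += struct.unpack("<%dI" % (ssz // 4), sector(k))
    def chain(start):
        seen = set()
        while start < len(fat):                         # sentinels (ENDOFCHAIN etc.) end the walk
            if start in seen:
                raise ValueError("FAT loop")            # hostile files can loop chains
            seen.add(start)
            yield start
            start = fat[start]
    directory = b"".join(sector(s) for s in chain(first_dir))
    for off in range(0, len(directory), 128):
        raw, nlen, otype = struct.unpack_from("<64sHB", directory, off)
        if otype == 2 and raw[:max(nlen - 2, 0)].decode("utf-16-le") == name:
            start, size = struct.unpack_from("<IQ", directory, off + 0x74)
            return b"".join(sector(s) for s in chain(start))[:size]
    raise KeyError(name)

def naive_scan(blob):
    """What a contiguous-bytes signature sees: the raw file."""
    return MARKER in blob

def parsed_scan(blob):
    """What a format-aware scanner sees: the reassembled stream."""
    return MARKER in read_stream(blob, STREAM_NAME)

def demo():
    data = make_stream_data()
    plain, frag = build_ole2(data, False), build_ole2(data, True)
    return {"plain_raw": naive_scan(plain), "frag_raw": naive_scan(frag),
            "plain_parsed": parsed_scan(plain), "frag_parsed": parsed_scan(frag)}

if __name__ == "__main__":
    print(demo())
```

The point for signature writers: a pattern that spans a sector boundary is only contiguous on disk if the two sectors happen to be adjacent, and the file format does not require that. Matching the reassembled stream (or, at minimum, anchoring signatures inside a single sector) is what survives this layout.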
