Vulnerability Development mailing list archives

Re: Obfuscated shellcode


From: Aaron Turner <aturner () pobox com>
Date: Sun, 1 Feb 2004 13:09:22 -0800

Sounds like a reason not to use these "major vendors".  I know not all
vendors write signatures that are so easy to avoid and a number of them
have made it possible to roll out new signatures to tens or even 
hundreds of signatures with a single click.

Basically, what I'm saying is that not all vendors have these issues, and
if they're important to you, then it would be worth your time to research
which vendors do it better.

As for obfuscated NOOPs and shell code, look at ADMmutate which makes 
shell code polymorphic and static signatures which rely on the shell code
and NOOPs pretty ineffective.  http://www.ktwo.ca/security.html

Regards,
Aaron

On Sun, Feb 01, 2004 at 04:57:50PM -0500, Don Parker wrote:
Hi Aaron, well agreed any IDS worth its salt will detect a NOOP sled. I have however 
seen the signatures firsthand of some major vendors and they all go for very generic 
stuff such as the NOOP times n amount, and perhaps port matching. That is it, 
literally. Also drawing on my work with some large entities I know firsthand that the 
rollout of some patches can be very slow, thereby leaving open a large window of 
opportunity for a munged egg to get through. Hence my question on using an obfuscated 
egg to slip past the IDS.
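The exchange above turns on how narrow a "NOOP times n" signature really is. The following is an added example (not code from the original thread, and not ADMmutate or any vendor's rule) that contrasts a detector which only counts 0x90 bytes with one that also accepts other single-byte instructions commonly used as sled filler (the inc/dec register opcodes 0x40-0x4F, the same idea behind the multi-byte shellcode rules in Snort-style rule sets). The sample buffers, the byte sets and the threshold of 14 are constructed assumptions for illustration.

```python
"""Added example: narrow vs. broader NOP-sled run-length detection.

Not from the original thread. The byte sets, sample buffers and the
threshold below are constructed for illustration only.
"""

# Narrow signature: only the canonical x86 NOP opcode (0x90), i.e. the
# "NOOP times n amount" check described in the thread.
NARROW_SLED_BYTES = frozenset({0x90})

# Broader signature: 0x90 plus single-byte inc/dec of a 32-bit general
# register (opcodes 0x40-0x4F), which execute harmlessly as sled filler.
# Illustrative, not an exhaustive list of one-byte filler instructions.
BROAD_SLED_BYTES = frozenset({0x90} | set(range(0x40, 0x50)))


def longest_run(buf: bytes, allowed: frozenset) -> int:
    """Length of the longest contiguous run of bytes drawn from `allowed`."""
    best = cur = 0
    for b in buf:
        if b in allowed:
            cur += 1
            best = max(best, cur)
        else:
            cur = 0
    return best


def sled_alert(buf: bytes, allowed: frozenset, threshold: int = 14) -> bool:
    """True when the buffer contains a filler run at least `threshold` long."""
    return longest_run(buf, allowed) >= threshold


def compare(buf: bytes) -> dict:
    """Run both signatures over the same buffer for side-by-side comparison."""
    return {
        "narrow": sled_alert(buf, NARROW_SLED_BYTES),
        "broad": sled_alert(buf, BROAD_SLED_BYTES),
    }


# Constructed samples: filler runs followed by neutral bytes, no exploit code.
CLASSIC_SLED = b"\x90" * 32 + b"DATA"                          # plain 0x90 sled
MIXED_SLED = bytes([0x40, 0x41, 0x90, 0x42, 0x43, 0x90] * 8) + b"DATA"  # varied filler
HTTP_REQUEST = b"GET /index.html HTTP/1.0\r\nHost: example.com\r\n\r\n"  # benign traffic
UPPERCASE_TEXT = b"ABCDEFGHIJKLMNOP"  # 'A'..'O' are 0x41..0x4F: broad-rule false positive

if __name__ == "__main__":
    for name, sample in [("classic", CLASSIC_SLED), ("mixed", MIXED_SLED),
                         ("http", HTTP_REQUEST), ("uppercase", UPPERCASE_TEXT)]:
        print(f"{name:10s} {compare(sample)}")
```

The mixed sample shows the gap Don Parker is worried about: the narrow 0x90 count never fires on it, while the broader run-length check does. The uppercase sample shows the cost of widening the byte set: printable ASCII in the 0x40-0x4F range is also "valid filler", so the broad rule needs a higher threshold or a protocol-aware context before it is fit for production. Neither check sees an ADMmutate-style sled whose filler is drawn from a much larger instruction set, which is why static run-length signatures alone are weak against polymorphic payloads.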
