IDS mailing list archives
Re: Polymorphic Shellcode detection
From: zheng () intruvert com
Date: Thu, 8 May 2003 10:52:35 -0700
Hi all,

Sorry that I did not get to jump in earlier, but I hope you find the info useful when you consider shellcode detection capabilities. I work for IntruVert, but my discussion will be from a general technology perspective and without anything specific to IntruVert's algorithm, which is patent pending.

Many efforts have been proposed to tackle this problem. I will briefly discuss the pros and cons for each of them.

The most basic way is to search for syscall instructions like "cd80" or nop instructions like "9090" in a buffer. You can find those in the snort signature set. This approach can be easily fooled by ADMutate. The F.P. (false positive) and the F.N. (false negative) for this one are both high.

ISS's way, which checks for the number of binary bytes in a certain buffer, is kind of anomaly based. This method was useful 3 years ago, but is kind of obsolete nowadays. The reason is that there are a bunch of ASCII/printable shellcode generators floating around. They can eliminate the binary in your shellcode by generating an equivalent shellcode that does not have binary bytes at all. And, many http buffer overflows can use encoding to bypass the binary check (though this can be solved by IDS decoding). Finally, as a very basic anomaly checking method, it fails to protect those fields that allow binary bytes in the first place. Given that limitation, the F.N. is lower for this approach, but the F.P. is generally higher than snort in real world traffic.

Fnord, as some posts have mentioned, tried to extend the limited snort pattern checking to a larger set. It checks for many more NOP/SYS variants, not only the 9090s, e.g. the "jmp 02" like instructions. It can catch ADMutated shell code in general, but still can be bypassed by specially crafted shell codes. And, I believe a minor modification to ADMutate can produce shellcode that will evade Fnord. More variant checking also poses a performance issue.

There is a paper from the academic world [Thomas02, Christopher02] trying to address this issue in a time-consuming but more intelligent way. It tries to see if there is an instruction block in one buffer. However, the complexity of the algorithm may prevent it from being suitable for high-speed commercial implementation. But it can produce good results on F.N. numbers.

Another approach to robust shellcode detection is based on more sophisticated application anomaly, which can provide higher accuracy (low false positive) and low false negative. IntruVert Network's method is one of the good examples. IntruVert's shellcode detection module is integrated with its IntruShield systems from day one. Its ability to detect polymorphic shellcode has been successfully tested in all major independent test labs, including Miercom labs, Neohapsis, and NSS Group in the UK. This capability is implemented in both I2600 (600Mbps) and I4000 (2Gbps).

Bu, Zheng
zheng () intruvert com
----------------------------------------
%5556%2221PYTX%5556%2221P\QX-5557-5557-5559PQX-3a64-3a64-3a66PQX-766f-76 6f-7870PQX-445e-445e-455ePQX-4532-4532-4633PQX-3232-3232-3333PQX-3032-30 32-3132PQX-393a-393a-3a3aPQX-393a-393a-3b3aPQX-5541-5541-5641PQX-5555-55 55-5555P
-----Original Message-----
From: ulfabodo [mailto:ulfabodo () rediffmail com]
Sent: Tuesday, May 06, 2003 4:24 AM
To: focus-ids () securityfocus com
Subject: Polymorphic Shellcode detection

Hi, I wanted to find out if the present IDSes are able to detect polymorphic shellcodes, a.k.a. ADMmutate and its variants. I had just gone through K2's article, and at that time he claimed that ISS was not able to detect the method which he has given. What about the other IDS vendors? Have they been able to detect such exploits? Can anyone throw some light on how the detection mechanism might work??

thanks,
ub
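The three detection heuristics the reply contrasts (a Snort-style fixed pattern match, the ISS-style binary-byte ratio, and a Fnord-style search for runs of NOP-equivalent instructions) side by side, as an added example that is not part of the original post or of any vendor's code. The NOP-equivalent table, the thresholds and the input buffers are constructed for illustration; the table is an assumed subset, not Fnord's actual list, and none of the buffers is a working payload.

```python
# Constructed subset of single-byte x86 instructions that leave a sled's
# fall-through intact (inc/dec reg, nop, xchg eax,reg, flag ops). This is an
# illustrative list assumed here, not Fnord's actual table.
NOP_EQUIV = set(range(0x40, 0x50)) | {
    0x90, 0x91, 0x92, 0x93, 0x95, 0x96, 0x97, 0x98, 0x99,
    0xf8, 0xf9, 0xfc, 0xfd, 0x27, 0x2f, 0x37, 0x3f, 0x9e, 0x9f, 0xf5,
}
SNORT_PATTERNS = [b"\x90" * 16, b"\xcd\x80"]  # 16-byte nop sled, int 0x80

def snort_style(buf: bytes) -> bool:
    """Plain substring match on fixed byte patterns (early Snort rules)."""
    return any(p in buf for p in SNORT_PATTERNS)

def binary_ratio(buf: bytes) -> float:
    """Fraction of non-printable bytes (the ISS-style anomaly check)."""
    if not buf:
        return 0.0
    return sum(1 for b in buf if b < 0x20 or b > 0x7e) / len(buf)

def longest_nop_equiv_run(buf: bytes) -> int:
    """Longest run of NOP-equivalent bytes, whatever their mix (Fnord-style)."""
    best = cur = 0
    for b in buf:
        cur = cur + 1 if b in NOP_EQUIV else 0
        best = max(best, cur)
    return best

def classify(buf: bytes, bin_thresh: float = 0.5, sled_thresh: int = 32) -> dict:
    """Report which of the three heuristics fire on buf (thresholds assumed)."""
    return {
        "snort": snort_style(buf),
        "iss": binary_ratio(buf) >= bin_thresh,
        "fnord": longest_nop_equiv_run(buf) >= sled_thresh,
    }

# Constructed test buffers; none is a working payload.
CLASSIC = b"\x90" * 64 + b"\xcd\x80" + b"\x00" * 16          # textbook sled
# Sled of mixed inc/dec-register bytes (all printable) plus jmp-short filler.
MUTATED = bytes(0x40 + (i % 16) for i in range(64)) + b"\xeb\x02\x31\xc0" * 5
PRINTABLE = b"A" * 200                                        # 0x41 = inc ecx
BENIGN = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for name, buf in [("classic", CLASSIC), ("mutated", MUTATED),
                      ("printable", PRINTABLE), ("benign", BENIGN)]:
        print(f"{name:10s} {classify(buf)}")
```

The classic sled trips all three checks, while the printable sleds pass both the fixed-pattern and binary-ratio checks and are only caught by the run-length check, which in turn stays quiet on the benign HTTP request.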