IDS mailing list archives

Re: CSLID evasion - Client protection


From: "Stuart Staniford" <sstaniford () FireEye com>
Date: Wed, 25 Mar 2009 17:31:09 -0700


On Mar 25, 2009, at 11:07 AM, Addepalli Srini-B22160 wrote:

> Hi Ravi,
>
> Regular expression based matching (however good it is) on raw data
> does not work in these cases. There are too many variations that are
> possible. You gave one example. But many more are possible as JavaScript
> is a programming language and there are many ways to create a string.
>
> Some support is required in the network devices to decode HTML pages and
> JavaScript to normalize the data before analyzing rules. I am not
> aware of any IDP device in the market today that does JavaScript and
> HTML page analysis.

We (FireEye) do :-)

Our device is not a general purpose IDS, but, in its main mode of use, is oriented to detecting both callbacks of bots, and web-based installation of bots by drive-by downloads (by monitoring egress network links). For a typical enterprise, most desktop compromises are now occurring as a result of the web so this is a fairly useful set of functionality.

The latter (infection-detection) functionality is pretty new. We do a two-stage analysis - in the first stage, we do a fast parse of the HTML and JavaScript and use a variety of statistical anomaly techniques to decide that it's suspicious (e.g. it's clearly obfuscated). The suspicious stuff is then replayed to an actual browser/OS/set of plugins in an instrumented virtual machine. That makes the final decision (which eliminates the false positive problems that otherwise plague statistical anomaly detection techniques). We have 6-12 VMs running at all times in the appliance on whatever looks most suspicious right then.

Stuart Staniford
Chief Scientist, FireEye.
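Added illustration (not part of the thread, and not FireEye's code): a toy first stage in Python that shows the two points made above side by side. A literal-string signature applied to raw JavaScript misses the same tag once it is assembled by concatenation, String.fromCharCode or unescape; a small constant-folding normalizer lets the same signature fire; and a handful of cheap statistical features pick what would be queued for replay in a browser VM. The samples, the signature, the feature rules and the threshold are all constructed for this example and are not tuned values.

```python
"""Toy first-stage JavaScript inspection: constant-folding normalizer plus a
statistical obfuscation score.  Added example for this thread, not FireEye
code; samples, signature and thresholds are constructed for illustration."""
import json
import re
from urllib.parse import unquote

# Constructed samples: the first four write the same tag, built four ways.
SAMPLES = {
    "plain":     'document.write("<script src=x.js></script>")',
    "concat":    'document.write("<scr"+"ipt src=x.js></scr"+"ipt>")',
    "charcode":  'document.write(String.fromCharCode(60,115,99,114,105,112,116,62))',
    "hexescape": 'document.write(unescape("%3Cscript%3E"))',
    "benign":    'var total = 0; for (var i = 0; i < items.length; i++) { total += items[i].price; }',
}

# A literal-string signature of the kind a raw-byte regex engine would carry.
SIGNATURE = re.compile(r'document\.write\(\s*"<script\b', re.IGNORECASE)


def signature_hit(script: str) -> bool:
    return SIGNATURE.search(script) is not None


# --- normalization: fold constant string constructions into literals --------
_CONCAT = re.compile(r'"([^"\\]*)"\s*\+\s*"([^"\\]*)"')
_CHARCODE = re.compile(r'String\.fromCharCode\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)')
_UNESCAPE = re.compile(r'unescape\(\s*"([^"\\]*)"\s*\)')


def normalize(script: str, max_rounds: int = 10) -> str:
    """Rewrite "a"+"b", String.fromCharCode(consts) and unescape("...") into
    plain literals, repeating until a fixpoint.  Only constant arguments are
    folded; anything computed at run time is left for the VM replay stage."""
    for _ in range(max_rounds):
        before = script
        script = _CHARCODE.sub(
            lambda m: json.dumps("".join(chr(int(n)) for n in m.group(1).split(","))),
            script)
        script = _UNESCAPE.sub(lambda m: json.dumps(unquote(m.group(1))), script)
        script = _CONCAT.sub(r'"\1\2"', script)
        if script == before:
            break
    return script


# --- statistical features for triage (illustrative rules, not tuned) --------
_DECODER = re.compile(r'\b(?:fromCharCode|unescape|decodeURIComponent|eval)\s*\(')
_ESCAPE = re.compile(r'%[0-9A-Fa-f]{2}|\\x[0-9A-Fa-f]{2}')
_CONCAT_OP = re.compile(r'"\s*\+\s*"')


def features(script: str) -> dict:
    n = max(len(script), 1)
    return {
        "decoder_calls": len(_DECODER.findall(script)),
        "escape_seqs": len(_ESCAPE.findall(script)),
        "literal_concats": len(_CONCAT_OP.findall(script)),
        "digit_ratio": sum(ch.isdigit() for ch in script) / n,
    }


def anomaly_score(feats: dict) -> int:
    """Each rule adds one point.  False positives here are tolerable because
    the VM replay, not this score, makes the final call."""
    return (int(feats["decoder_calls"] >= 1)
            + int(feats["escape_seqs"] >= 2)
            + int(feats["literal_concats"] >= 2)
            + int(feats["digit_ratio"] > 0.2))


def triage(script: str, threshold: int = 2) -> dict:
    """Stage-1 decision: run the signature on raw and normalized text and
    score the raw text; a normalized hit or a score at or above the threshold
    queues the page for replay in an instrumented browser VM (stage 2, which
    is outside the scope of this example)."""
    norm = normalize(script)
    score = anomaly_score(features(script))
    return {
        "raw_hit": signature_hit(script),
        "normalized_hit": signature_hit(norm),
        "score": score,
        "replay": score >= threshold or signature_hit(norm),
    }


if __name__ == "__main__":
    for name, js in SAMPLES.items():
        print(f"{name:10s} {triage(js)}")
```

Running it shows the raw signature firing only on the plain sample, the normalized signature firing on all four constructed variants, and the benign loop scoring zero. The normalizer is deliberately limited to constant arguments; a string that is computed at run time is exactly the case the thread hands off to the instrumented browser.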
