Dailydave mailing list archives

RE: Check Point Invented (R)(TM) the great sand-boxing and now protects you against "Day0"!


From: "Aleksander P. Czarnowski" <alekc () avet com pl>
Date: Thu, 7 Jul 2005 11:11:57 +0200

-----Original Message-----
From: H D Moore [mailto:hdm-daily-dave () digitaloffense net] 
Sent: 7 July 2005 02:54
To: dailydave () lists immunitysec com
Subject: Re: [Dailydave] Check Point Invented (R)(TM) the
great sand-boxing and now protects you against "Day0"!

Bahahaha, "wire-speed" executable code disassembly and analysis, because
*everyone* knows that executable code looks nothing like application
data! Hey, wait, what's this ASCII-encoded shellcode thing...

Now I can still sleep safely considering the pen-testing services we
provide... ;-) I thought it would push us to start using polymorphic
shellcodes without an embedded key for the decryption loop; instead the
decryption loop performs a brute-force attack on the key space to guess
the key and decrypt the final shellcode. Guess not this time.

Malicious Code Protector monitors data streams and looks for a sequence
of data that the disassembler engine can translate into machine assembly
language. This indicates the possible existence of executable code
passing through a network. However, this alone is not sufficient when
trying to determine whether a certain data stream contains executable
code, let alone code of malicious nature.

Actually Snort does it too (in a certain way):

alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE
x86 NOOP"; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|";
depth:128; reference:arachnids,181; classtype:shellcode-detect; sid:648;
rev:7;)

Now is it data or code?
Just my 2 cents
Aleksander Czarnowski
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
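The "is it data or code?" question in the post above, worked through as an added example (this is not code from the original post, from Snort or from Check Point): the content/depth match of the quoted SHELLCODE x86 NOOP rule is reimplemented in Python and run over a few constructed byte strings. A classic 0x90 sled matches; an all-"A" sled (0x41 = `inc ecx`, a perfectly valid x86 sled) and an `inc`/`dec` sled do not; a sled placed past the rule's depth of 128 bytes does not; and a chunk of plain binary file padding that happens to contain fourteen 0x90 bytes does match. The small printable-opcode decoder covers only the single-byte 0x40-0x61 encodings (inc/dec/push/pop r32, pusha, popa); the sample payloads, the "BM"-prefixed padding blob and the 0xCC placeholder after the sleds are constructed for illustration.

```python
# Added example: the Snort sid:648 content/depth match, and why a byte
# string can be both "data" and "code". Not code from the post or from Snort.

# content:"|90 90 ... 90|" (14 bytes) and depth:128, taken from the quoted rule.
SID_648_CONTENT = b"\x90" * 14
SID_648_DEPTH = 128


def sid648_matches(payload: bytes,
                   content: bytes = SID_648_CONTENT,
                   depth: int = SID_648_DEPTH) -> bool:
    """Snort 'content' + 'depth' semantics: the whole pattern must sit
    inside the first `depth` bytes of the payload."""
    return content in payload[:depth]


# Single-byte 32-bit x86 instructions whose opcode is a printable ASCII
# character. These are the standard encodings (0x40+r inc, 0x48+r dec,
# 0x50+r push, 0x58+r pop, 0x60 pusha, 0x61 popa); nothing else is decoded.
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
PRINTABLE_X86 = {}
for i, reg in enumerate(REGS):
    PRINTABLE_X86[0x40 + i] = f"inc {reg}"
    PRINTABLE_X86[0x48 + i] = f"dec {reg}"
    PRINTABLE_X86[0x50 + i] = f"push {reg}"
    PRINTABLE_X86[0x58 + i] = f"pop {reg}"
PRINTABLE_X86[0x60] = "pusha"
PRINTABLE_X86[0x61] = "popa"


def disasm_printable(payload: bytes):
    """Decode `payload` as a run of the single-byte instructions above.
    Returns the mnemonic list, or None if any byte is outside that set
    (i.e. the bytes are not a pure printable single-byte sled)."""
    out = []
    for b in payload:
        if b not in PRINTABLE_X86:
            return None
        out.append(PRINTABLE_X86[b])
    return out


# Constructed sample "streams" (not captured traffic).
CLASSIC_SLED = b"\x90" * 32 + b"\xcc"             # textbook NOP sled, 0xCC stand-in for payload
ASCII_SLED = b"A" * 32 + b"\xcc"                  # 0x41 = inc ecx: a sled the rule never sees
INC_DEC_SLED = bytes([0x40, 0x48, 0x43, 0x4B] * 8)  # inc/dec pairs: net effect nil, still a sled
LATE_SLED = b"GET /index.html HTTP/1.0\r\n" + b" " * 120 + CLASSIC_SLED  # sled past depth:128
PADDED_DATA = b"BM" + b"\x00" * 10 + b"\x90" * 16 + b"\x00" * 10        # file padding, not code


def classify(payload: bytes) -> dict:
    """What the signature says versus what a disassembler would say."""
    return {
        "sid648_alert": sid648_matches(payload),
        "printable_x86_sled": disasm_printable(payload[:-1] if payload.endswith(b"\xcc") else payload) is not None,
    }


if __name__ == "__main__":
    for name, sample in [("classic", CLASSIC_SLED), ("ascii", ASCII_SLED),
                         ("inc/dec", INC_DEC_SLED), ("late", LATE_SLED),
                         ("padding", PADDED_DATA)]:
        print(f"{name:8} {classify(sample)}")
```

The rule fires on the padding blob and stays silent on the two printable sleds, which is the point of the post: a byte pattern match answers "does this look like the sled I wrote the signature for", not "is this executable code", and a disassembler that decodes "AAAA..." as `inc ecx` does not get closer to "is it malicious" either.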