IDS mailing list archives
Re: Obfuscated web pages
From: "Dustin D. Trammell" <dtrammell () bpointsys com>
Date: Wed, 20 Feb 2008 16:28:03 -0600
On Fri, 2008-02-15 at 21:43 +0000, partner50113371 () vansoftcorp com wrote:
Oddly enough, I just published a paper on >shellcode encoding for evading network security/monitoring systems that cites >two different projects that attempt to do this type of thing for >shellcode in real-time in a sandbox environment, however they both were not >ID/PS systems: http://www.uninformed.org/?v=9&a=3&t=sumryI checked your biblio and much of the existing work done in the area of IDS/IPS evasion using payload customization and attack blending is not mentioned there.
The two citations I was referring to in my paper were 4 and 5, and as I mentioned, were NOT ID/PS systems. Also, my paper is (in a nutshell) about applying the approach of keyed cryptography (i.e, keeping the key secret) to payload encoding in an effort to avoid automated analysis or forensics, not necessarily about ID/PS evasion (no ID/PSs I am aware of currently try to do this, hence the discussion in this thread). These differences in subject-matter are why there were no references to previous research regarding payload polymorphism and attack blending. My original point was that even though ID/PSs aren't currently doing this, it doesn't mean that other types of systems aren't.
Have you seen the paper from Georgia Tech Information Security Group by Kolesnikov and Lee on polymorphic blending published in 2004? 1.Kolesnikov, Lee Advanced Polymorphic Worms: Evading IDS by Blending in with Normal Traffic, http://smartech.gatech.edu/handle/1853/6485 The paper described creating custom attacks/payloads based on knowledge about the target network so as to evade IDS.
I had, and it's very interesting research. The difference in that research effort versus contextual keying is that rather than attempting to, for example, disguise yourself as a tree when romping about a forest, a contextual-keyed encoded payload doesn't care if you can pick it out of the environment because without the context-key it won't decode and reveal what it's doing, like hiding inside a cabin in that same forest; the cabin is easy to see, however without the key to unlock the door an observer won't know what's going on inside. -- Dustin D. Trammell Security Researcher BreakingPoint Systems, Inc.
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- Re: Obfuscated web pages, (continued)
- Re: Obfuscated web pages Ivan Arce (Feb 29)
- Re: Obfuscated web pages Jamie Riden (Feb 14)
- RE: Obfuscated web pages Mike Barkett (Feb 14)
- Re: Obfuscated web pages Arian J. Evans (Feb 15)
- RE: Obfuscated web pages Mike Barkett (Feb 15)
- Re: Obfuscated web pages Ivan Arce (Feb 21)
- Re: Obfuscated web pages Arian J. Evans (Feb 15)
- Re: Obfuscated web pages parveenvashishtha (Feb 15)
- Re: Re: Obfuscated web pages parveenvashishtha (Feb 19)
- Re: Obfuscated web pages holly . stewart (Feb 19)
- Re: Obfuscated web pages partner50113371 (Feb 19)
- Re: Obfuscated web pages Dustin D. Trammell (Feb 21)
- Re: Obfuscated web pages dxp (Feb 29)