Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Obfuscated web pages

from [Dustin D. Trammell] Network Security [Permanent Link]
Subject: Re: Obfuscated web pages
Date: Wed, 20 Feb 2008 16:28:03 -0600 
On Fri, 2008-02-15 at 21:43 +0000, partner50113371@vansoftcorp.com
wrote:

Oddly enough, I just published a paper on >shellcode encoding for evading
network security/monitoring systems that cites >two different projects
that attempt to do this type of thing for >shellcode in real-time in a
sandbox environment, however they both were not >ID/PS systems:

http://www.uninformed.org/?v=9&a=3&t=sumry


I checked your biblio and much of the existing work done in the area of 
IDS/IPS evasion using payload customization and attack blending is not 
mentioned there.


The two citations I was referring to in my paper were 4 and 5, and as I
mentioned, were NOT ID/PS systems.  Also, my paper is (in a nutshell)
about applying the approach of keyed cryptography (i.e, keeping the key
secret) to payload encoding in an effort to avoid automated analysis or
forensics, not necessarily about ID/PS evasion (no ID/PSs I am aware of
currently try to do this, hence the discussion in this thread).  These
differences in subject-matter are why there were no references to
previous research regarding payload polymorphism and attack blending.
My original point was that even though ID/PSs aren't currently doing
this, it doesn't mean that other types of systems aren't.


Have you seen the paper from Georgia Tech Information Security Group by 
Kolesnikov and Lee on polymorphic blending published in 2004?

1.Kolesnikov, Lee
Advanced Polymorphic Worms: Evading IDS by Blending in with Normal Traffic,
http://smartech.gatech.edu/handle/1853/6485

The paper described creating custom attacks/payloads based on knowledge about 
the target network so as to evade IDS.


I had, and it's very interesting research.  The difference in that
research effort versus contextual keying is that rather than attempting
to, for example, disguise yourself as a tree when romping about a
forest, a contextual-keyed encoded payload doesn't care if you can pick
it out of the environment because without the context-key it won't
decode and reveal what it's doing, like hiding inside a cabin in that
same forest; the cabin is easy to see, however without the key to unlock
the door an observer won't know what's going on inside.

-- 
Dustin D. Trammell
Security Researcher
BreakingPoint Systems, Inc.

Attachment: signature.asc
Description: This is a digitally signed message part

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Obfuscated web pages, Ivan Arce
Next by Date:  Re: Obfuscated web pages, Ivan Arce
Previous by Thread:  Re: Obfuscated web pages, partner50113371
Next by Thread:  Re: Obfuscated web pages, dxp
Indexes:  [Date] [Thread] [Top] [All Lists]