RE: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. Applications IDSs

From: robert_david_graham (robert_david_graham@yahoo.com)
Date: 01/27/02


From: robert_david_graham <robert_david_graham@yahoo.com>
To: "'NGSEC Research Team'" <labs@ngsec.com>, focus-ids@securityfocus.com
Date: Sun, 27 Jan 2002 17:54:47 -0500

Sigh.

This paper assumes that IDSs are looking for shellcode.

This is not true. Even in pattern-match IDSs, shellcode accounts for a small
percentage of signatures. In protocol-analysis IDSs, no signature looks for
shellcode (except for the obligatory generic NOP sled sig).

For example, looking at Snort 1.8.1 rpc.rules, I see only 3 rules that have
shellcode in them out of around 60 total rules (and 2 of those are
duplicates accounting for TCP vs. UDP). In contrast, among the 35 BlackICE
rules, 20 detect specific exploits.

E.g. the Snort rule for statdx (sid:1282) detects the shellcode in the
original script (statdx is the most popular exploit for the Linux rpc.statd
format-string vulnerability). In contrast, BlackICE does an
application-layer protocol-decode of rpc.statd, and looks inside a
particular field for long length and format-string characters (%), ignoring
the shellcode completely ("rpc.statd Format Attack", id=2001737).

You can't evade an IDS by morphing shellcode if the IDS isn't looking at
shellcode.

> -----Original Message-----
> From: NGSEC Research Team [mailto:labs@ngsec.com]
> Sent: Friday, January 25, 2002 3:51 PM
> To: focus-ids@securityfocus.com
> Subject: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs.
> Applications IDSs
>
>
>
>
> Next Generation Security Technologies (NGSEC) is proud to announce the
> release of the Whitepaper:
>
> "Polymorphic shellcodes vs. Application IDSs"
>
> Download it from NGSEC's website: http://www.ngsec.com
>
> The technique detailed in this document has been implemented in
> NGSecureWeb(R) (NGSEC's Application IDS/Firewall for Web Servers).
> More information on this product can be obtained at NGSEC's
> web pages.
>
> NGSEC Research Team
> labs@ngsec.com
> http://www.ngsec.com
>
> NGSEC labs public key at: http://www.ngsec.com/labs.asc
>
>
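As an added illustration of the distinction the reply draws (not code from the thread, from Snort or from BlackICE): a toy byte-pattern "shellcode" rule beside a protocol-field check that flags an over-long field and format-string specifiers. It assumes the RPC decode has already yielded the field as bytes; the 64-byte limit and the placeholder "shellcode" bytes are constructed for the example.

```python
"""Added example, not from the original thread. Contrasts a shellcode
byte-pattern signature with a protocol-field check of the kind the reply
attributes to BlackICE. The ONC RPC / rpc.statd decode is assumed to have
already happened; the functions receive the decoded string field directly.
The 'shellcode' bytes below are constructed placeholders, not real code."""
import re

# Constructed placeholder standing in for the bytes a pattern-match rule would carry.
KNOWN_SHELLCODE_SIG = b"\x90\x90\x90\x90PLACEHOLDER_SHELLCODE"

# printf-style conversion: '%' then optional flags, width, position, precision,
# length modifier and a conversion character. '%%' is counted too (conservative).
FORMAT_SPEC = re.compile(rb"%[-+ #0]*\d*\$?(?:\.\d+)?[hlLqjzt]*[diouxXeEfgGcspn%]")

MAX_FIELD_LEN = 64   # assumed upper bound for a legitimate hostname-sized field


def shellcode_signature_match(payload: bytes) -> bool:
    """Pattern-match detection: fires only if the exact known byte sequence is present."""
    return KNOWN_SHELLCODE_SIG in payload


def statd_field_check(field: bytes, max_len: int = MAX_FIELD_LEN) -> dict:
    """Protocol-analysis detection on one decoded field: flag an over-long value
    and any format-string specifiers, ignoring whatever else the field carries."""
    specs = FORMAT_SPEC.findall(field)
    too_long = len(field) > max_len
    return {"too_long": too_long, "format_specs": len(specs),
            "alert": too_long or bool(specs)}


def detect(field: bytes) -> dict:
    """Run both detectors over the same field so their verdicts can be compared."""
    return {"signature": shellcode_signature_match(field),
            "protocol": statd_field_check(field)["alert"]}


# Constructed sample fields: a normal hostname, the 'original' payload carrying the
# known bytes, and a 'morphed' copy whose trailing bytes differ (XOR 0x55) but whose
# length and format specifiers are unchanged.
BENIGN = b"client.example.internal"
ORIGINAL = b"A" * 40 + b"%x%x%x%s" + KNOWN_SHELLCODE_SIG
MORPHED = b"A" * 40 + b"%x%x%x%s" + bytes(b ^ 0x55 for b in KNOWN_SHELLCODE_SIG)

if __name__ == "__main__":
    for name, f in (("benign", BENIGN), ("original", ORIGINAL), ("morphed", MORPHED)):
        print(f"{name:8s} {detect(f)}")
```

The morphed field defeats the byte signature but still trips the field check, which is the point the reply makes about protocol-decoding IDSs.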