RE: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. Applications IDSs

From: robert_david_graham
Date: 01/27/02

From: robert_david_graham <>
To: "'NGSEC Research Team'" <>,
Date: Sun, 27 Jan 2002 17:54:47 -0500


This paper assumes that IDSs are looking for shellcode.

This is not true. Even in pattern-match IDSs, shellcode accounts for a small
percentage of signatures. In protocol-analysis IDSs, no signature looks for
shellcode (except for the obligatory generic NOP sled sig).

For example, looking at Snort 1.8.1 rpc.rules, I see only 3 rules that have
shellcode in them out of around 60 total rules (and 2 of those are
duplicates accounting for TCP vs. UDP). In contrast, among the 35 BlackICE
rules, 20 detect specific exploits.

E.g. the Snort rule for statdx (sid:1282) detects the shellcode in the
original script (statdx is the most popular exploit for the Linux rpc.statd
format-string vulnerability). In contrast, BlackICE does an
application-layer protocol-decode of rpc.statd, and looks inside a
particular field for long length and format-string characters (%), ignoring
the shellcode completely ("rpc.statd Format Attack", id=2001737).

You can't evade an IDS by morphing shellcode if the IDS isn't looking at

> -----Original Message-----
> From: NGSEC Research Team []
> Sent: Friday, January 25, 2002 3:51 PM
> To:
> Subject: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs.
> Applications IDSs
> Next Generation Security Technologies (NGSEC) is proud to announce the
> release of the Whitepaper: "Polymorphic shellcodes vs. Application IDSs"
> Download it from NGSEC's website:
> The technique detailed in this document has been implemented in
> NGSecureWeb(R) (NGSEC's Application IDS/Firewall for Web Servers).
> More information on this product can be obtained at NGSEC's web pages.
> NGSEC Research Team
> NGSEC labs public key at:
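An added illustration of the contrast drawn in the reply above (this is example code written for this page, not Snort's rule, BlackICE's decoder, or anything from the NGSEC paper): a byte-pattern "shellcode" signature is compared with a protocol-aware check that decodes a length-prefixed string field and looks only at its length and at format-string directives. The signature bytes, the XDR-style field layout, the length threshold and the sample payloads are all constructed for the example; the real rpc.statd request format and the real rule contents are not reproduced.

```python
import re
import struct

# Constructed stand-in for a byte-pattern signature (placeholder, not a real rule body).
SHELLCODE_SIGNATURE = b"PLACEHOLDER-SHELLCODE-BYTES"

# Constructed thresholds for the protocol-aware check (not any vendor's values).
MAX_SANE_FIELD_LEN = 64
FORMAT_DIRECTIVE = re.compile(rb"%[0-9$]*[nsxdpu]")  # e.g. %n, %8$x, %s


def encode_xdr_string(s: bytes) -> bytes:
    """XDR string: 4-byte big-endian length, bytes, zero padding to 4."""
    n = len(s)
    return struct.pack(">I", n) + s + b"\x00" * (-n % 4)


def decode_xdr_string(buf: bytes, offset: int = 0):
    """Decode one XDR string at offset; return (value, next_offset).

    Raises ValueError when the declared length does not fit the buffer,
    so callers can treat malformed encodings as their own alert condition.
    """
    if len(buf) < offset + 4:
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack_from(">I", buf, offset)
    start, end = offset + 4, offset + 4 + n
    if end > len(buf):
        raise ValueError("declared length exceeds buffer")
    return buf[start:end], end + (-n % 4)


def pattern_match_alert(payload: bytes) -> bool:
    """Signature-style detection: does the payload contain the known bytes?"""
    return SHELLCODE_SIGNATURE in payload


def protocol_decode_alert(payload: bytes) -> bool:
    """Protocol-aware detection: decode the string field and judge its shape.

    The shellcode bytes themselves are never examined; the alert fires on an
    implausibly long field that also carries format directives, or on a field
    whose length prefix does not match the data actually present.
    """
    try:
        field, _ = decode_xdr_string(payload)
    except ValueError:
        return True
    too_long = len(field) > MAX_SANE_FIELD_LEN
    has_format = FORMAT_DIRECTIVE.search(field) is not None
    return too_long and has_format


def classify(payload: bytes) -> dict:
    """Run both detectors on one payload and report the verdicts side by side."""
    return {
        "pattern_match": pattern_match_alert(payload),
        "protocol_decode": protocol_decode_alert(payload),
    }


# Constructed sample requests: a normal hostname, an overlong field carrying
# format directives plus the "known" bytes, and the same field shape with
# different filler bytes in place of the known ones.
BENIGN = encode_xdr_string(b"client.example.com")
KNOWN_BYTES = encode_xdr_string(b"A" * 80 + b"%n%n%n" + SHELLCODE_SIGNATURE)
DIFFERENT_BYTES = encode_xdr_string(b"A" * 80 + b"%n%n%n" + b"OTHER-FILLER-BYTES-HERE")

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN), ("known bytes", KNOWN_BYTES),
                         ("different bytes", DIFFERENT_BYTES)]:
        print(f"{name:16s} {classify(sample)}")
```

The point the reply makes shows up directly in the third sample: changing the bytes that a signature keys on changes the signature's verdict, while a check on the decoded field's length and contents gives the same answer for both, because the property it measures is the one the attack cannot do without.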