Re: Obfuscated web pages



On Fri, 2008-02-15 at 21:43 +0000, partner50113371@xxxxxxxxxxxxxxx
wrote:
Oddly enough, I just published a paper on >shellcode encoding for evading
network security/monitoring systems that cites >two different projects
that attempt to do this type of thing for >shellcode in real-time in a
sandbox environment, however they both were not >ID/PS systems:

http://www.uninformed.org/?v=9&a=3&t=sumry

I checked your biblio and much of the existing work done in the area of IDS/IPS evasion using payload customization and attack blending is not mentioned there.

The two citations I was referring to in my paper were 4 and 5, and as I
mentioned, were NOT ID/PS systems. Also, my paper is (in a nutshell)
about applying the approach of keyed cryptography (i.e, keeping the key
secret) to payload encoding in an effort to avoid automated analysis or
forensics, not necessarily about ID/PS evasion (no ID/PSs I am aware of
currently try to do this, hence the discussion in this thread). These
differences in subject-matter are why there were no references to
previous research regarding payload polymorphism and attack blending.
My original point was that even though ID/PSs aren't currently doing
this, it doesn't mean that other types of systems aren't.

Have you seen the paper from Georgia Tech Information Security Group by Kolesnikov and Lee on polymorphic blending published in 2004?

1.Kolesnikov, Lee
Advanced Polymorphic Worms: Evading IDS by Blending in with Normal Traffic,
http://smartech.gatech.edu/handle/1853/6485

The paper described creating custom attacks/payloads based on knowledge about the target network so as to evade IDS.

I had, and it's very interesting research. The difference in that
research effort versus contextual keying is that rather than attempting
to, for example, disguise yourself as a tree when romping about a
forest, a contextual-keyed encoded payload doesn't care if you can pick
it out of the environment because without the context-key it won't
decode and reveal what it's doing, like hiding inside a cabin in that
same forest; the cabin is easy to see, however without the key to unlock
the door an observer won't know what's going on inside.

--
Dustin D. Trammell
Security Researcher
BreakingPoint Systems, Inc.

Attachment: signature.asc
Description: This is a digitally signed message part