Rouland, Chris (ISSAtlanta)
Sun, 08 Apr 2001 10:06:32 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ADMmutate Evasion Tool

A new IDS evasion tool was announced at the CanSecWest Security Conference on March 30, 2001. The tool was written by 'K2' and is called ADMmutate. ADMmutate uses a polymorphic technique designed to circumvent certain forms of signature-based intrusion detection.

All network-based remote buffer overflow exploits have similarities in how they function. ADMmutate has the ability to emulate the protocol of the service the attacker is attempting to exploit. The data payload (sometimes referred to as an egg) contains the instructions the attacker wants to execute on the target machine. These eggs are generally interchangeable and can be utilized in many different buffer overflow exploits. ADMmutate uses several techniques to randomize the contents of the egg in any given buffer overflow exploit. This randomization effectively changes the content or 'signature' of the exploit without changing the functionality of the exploit.

Many IDS systems detect buffer overflow exploits by using a string-matching signature of the actual exploit payload content. ADMmutate is effective in circumventing these IDS systems.

ISS RealSecure uses different algorithms and methods of detection to determine when a buffer overflow attack happens. These algorithms are not affected by ADMmutate. ISS RealSecure has been confirmed as not vulnerable to the ADMmutate tool. ISS X-Force is researching adding additional algorithms to identify both specific ADMmutate attacks and generic polymorphic attacks, to be provided in conjunction with the buffer overflow alert. Providing this additional information can help identify the sophistication level of an attacker.

Conclusion: ISS RealSecure has been confirmed as not vulnerable to the ADMmutate evasive technique. When a new method to evade IDS appears, ISS X-Force researches and augments our detection algorithms to identify these new methods and techniques. X-Force regularly releases monthly X-Press Updates to cover these issues and any new attacks. In case of a major issue, X-Force has the option to release an emergency update. The IDS technology is continuing to evolve at a rapid pace to protect against any new evasive techniques and attacks. This ongoing vigilance adds value to our entire protection solution.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5

iQA/AwUBOsuws9/TKefTUYbMEQIR5gCgojR8yAamp/PzzQvctMUzhdvv47kAoKiy
ZHWmKYaQCFSA0cbYKX9z27ix
=dBt4
-----END PGP SIGNATURE-----
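The post contrasts two detection approaches: a string-matching signature on the egg bytes, which a randomized payload defeats, and detection that keys on how a buffer overflow behaves on the wire. The following Python example is added here to illustrate that contrast; it is not code from ISS, from the post, or from the ADMmutate tool, and it does not describe RealSecure's actual algorithms. It assumes a constructed text protocol ("USER <arg>\r\n") whose argument field is limited to 64 bytes, uses a marker string in place of a real egg, and models the effect of mutation simply as "same length, unrelated bytes" from a seeded generator. It then runs a benign request, the original egg, and the mutated egg through both a byte-signature check and a protocol-aware length check.

```python
"""Signature matching vs. protocol-aware overflow detection (constructed demo)."""
import random
import re

# Constructed stand-in for an exploit egg: NOT machine code, just a marker
# string so the byte-signature rule has something to match on.
ORIGINAL_EGG = b"\x90" * 16 + b"CONSTRUCTED-EGG-MARKER"

# Rule of the kind the post describes: exact bytes of the known egg.
STRING_SIGNATURE = b"CONSTRUCTED-EGG-MARKER"

# Hypothetical protocol: "<CMD> <argument>\r\n". The service is assumed to
# accept arguments of at most MAX_ARG_LEN bytes (assumption for this demo).
MAX_ARG_LEN = 64
COMMAND_RE = re.compile(rb"^([A-Z]{3,4}) (.*)\r\n$", re.DOTALL)


def build_request(egg: bytes) -> bytes:
    """Wrap an egg in the constructed framing as an overlong USER argument."""
    return b"USER " + b"A" * 200 + egg + b"\r\n"


def randomized_egg(length: int, seed: int = 1234) -> bytes:
    """Stand-in for a mutated egg: same length, unrelated bytes.

    This models only the observable effect the post describes (the byte
    pattern changes while the length does not); it is not an encoder.
    """
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def signature_match(packet: bytes) -> bool:
    """Signature-based detection: substring match on known egg bytes."""
    return STRING_SIGNATURE in packet


def structural_match(packet: bytes) -> bool:
    """Protocol-aware detection: flag an argument longer than the field
    allows, regardless of what the bytes are."""
    m = COMMAND_RE.match(packet)
    if not m:
        return False
    return len(m.group(2)) > MAX_ARG_LEN


def evaluate() -> dict:
    """Run constructed samples through both detectors; returns per-sample verdicts."""
    samples = {
        "benign": b"USER alice\r\n",
        "original_egg": build_request(ORIGINAL_EGG),
        "mutated_egg": build_request(randomized_egg(len(ORIGINAL_EGG))),
    }
    return {
        name: {"signature": signature_match(p), "structural": structural_match(p)}
        for name, p in samples.items()
    }


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:13s} signature={verdict['signature']!s:5s} "
              f"structural={verdict['structural']}")
```

The point of the output is the "mutated_egg" row: the byte signature no longer fires, but the length check does, because the mutation changed the payload's bytes without changing the property that makes it an overflow (an argument far larger than the field can hold). A real protocol decoder would need per-command limits and would have to handle encoding and fragmentation, but the division of labour is the same.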