From: InfoSec News (isnC4I.ORG)
Date: Mon Apr 02 2001 - 16:35:15 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://news.cnet.com/news/0-1003-200-5423454.html?tag=mn_hd

By Robert Lemos
Special to CNET News.com
April 2, 2001, 2:10 p.m. PT

A new technique for disguising programs aimed at cracking corporate
networks could raise the stakes in the heated battle between hackers
and security experts.

During a seminar last week at the CanSecWest conference in Vancouver,
British Columbia, a hacker named "K2" revealed a program he created
that can camouflage the tiny programs that malicious hackers generally
use to crack through system security.

The cloaking technique is aimed at foiling the pattern-recognition
intelligence used by many intrusion detection systems, or IDSes--the
burglar alarms of the Internet.

"Trust me, this will blow away any pattern matching," said K2. The
hacker would not reveal his real name because he also works as a
security consultant.

When a security hole is found on a corporate network, hackers usually
will find several ways to exploit it. To manage the onslaught, the
makers of intrusion-detection systems continually update their own
software to keep track of new variants of an already familiar theme.

Now the balance has changed, K2 said. With a technique called
polymorphic coding, attackers could potentially change the code
structure enough to fool many intrusion-detection systems--but not
enough to break the initial malicious program.

"This is a way to keep the exploits brand-new, all the time," he said.

Reaction to the program among security consultants was mixed. Some
downplayed the significance as a typical scenario in the battle
between attackers and defenders.

"Intrusion detection is an arms race," said Martin Roesch, president
of security software start-up SourceFire and the creator of the
popular IDS known as Snort. "It is measure, countermeasure."

Roesch has already started to improve Snort against techniques such as
K2's. "Rather than a single signature we will have to go with
multifaceted rules," he explained.

However, the development has other security experts concerned that, in
the time it takes for intrusion-detection system makers to modify
their products, online vandals could have a field day.

"If (K2's) code is adopted en masse, it could make our lives a pain,"
said Greg Shipley, director of consulting services for Chicago-based
security consulting firm Neohapsis.

Shipley likened today's intrusion-detection system to antivirus
scanners, where each tries to match program signatures to a dictionary
of malicious code. Like antivirus scanners, the pattern-matching
technology is fallible.

"If these systems were perfect, the Melissa virus would never have
happened," he said. "It's reason No. 577 to patch your servers."

Dragos Ruiu, security consultant and host of the CanSecWest
conference, said the program marks only a temporary setback for makers
of intrusion-detection systems.

"K2 has removed something that could have been a defensive bullet,"
said Ruiu, pointing to the high expectations the industry has for
intrusion detections systems. "We are back to the point where we are
even" with the attackers, he added.

But even K2 doesn't believe the polymorphic technique will spread
quickly. Getting everything to work properly is just too difficult, he
said.

"It's not really a (script) kiddie application," K2 said, referring to
the lowest form of Internet hack. "It requires a lot of skill, and
anyone who does have the skill will be the guy to discover the
vulnerabilities first."

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERVSecurityFocus.com with a message body of
"SIGNOFF ISN".

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]