Nelson Brito wrote: > 1. Slammer was the very first Flash Worm, Well, no, actually, Slammer was not a flash worm. A flash worm is a worm which follows a precomputed spreading path, by using prior knowledge of all the systems that are vulnerable to the particular exploit in use. And Slammer didn't. It is actually akin to a Warhol worm. > dissemination, it only took 15 minutes to crash all the Internet > infra-structure How exagerate ;) > we didn't learn how to deal with worms Nope, we didn't. But people stopped writing worms, because writing bots is much more rewarding, economically. > -[ Polymorphic Code > > This is not a new topic No, indeed, it's very old. > for years and years, but all our attention was gave to the shellcode. Well, actually that's because the polymorphic code for viruses and worms came even before, and was already a beaten issue. > even during my research, when I talked to someone about the perspective of > having a real polymorphic code, people always got confused with polymorphic > shellcode. Strange, usually it's the other way round. > Polymorphic code means that a code will change every time it executes, > making it unpredictable. What we have, so far, are static codes, and I never > saw any “dynamic” code exploiting any vulnerability. Didn't you mention you were NOT thinking of polymorphic SHELL-code, but polymorphic code ? >That is the reason some > IPS/IDS can easily add signatures. Well, actually shellcode signatures are common, but they are not the reason. And, signature based IPS/IDS have so many faults that you don't really need polymorphic (shell)code to fool them. > Now, we know how we must build the exploit, and I think we can do a great > job randomizing all the fields. Here are the fields ENG needs to deal with: > attack vector, buffer, return address, jumps, writable address, nops, and > shellcode. This is what most of us would call "obfuscating an attack", or "mutating an attack". Just so that you know, a tool named SPLOIT was already made to perform a number of mutations over exploits (at this and other levels). Thanks for the write up. It's an handy cheat sheet for some things. > I do hope I could proof all the concepts behind this idea, Yep, well, you could just mention them. We already knew them ;-) And, I don't see how these have to do with making a Warhol worm more dangerous. Signature-based systems will never be useful against a Warhol worm in any case, because the updates will simply be too late. SZ
