Basically, there are two approaches to network intrusion detection: signature detection, and
anomaly detection. The signature detection approach utilizes well-known signatures for network
traffic to identify potentially malicious traffic. The anomaly detection approach utilizes a previous
history of network traffic to search for patterns that are abnormal, which would indicate an
intrusion. How can an attacker disguise his buffer overflow attack signature such that there is a
greater probability of his attack going undetected by the IDS?
A. He can use a shellcode that will perform a reverse telnet back to his machine
B. He can use a dynamic return address to overwrite the correct value in the target machine computer memory
C. He can chain NOOP instructions into a NOOP "sled" that advances the processor's instruction pointer to a random place of choice
D. He can use polymorphic shellcode, with a tool such as ADMmutate, to change the signature of his exploit as seen by a network IDS
Explanation:
ADMmutate uses a polymorphic technique designed to circumvent certain forms of signature-based intrusion detection. All network-based remote buffer overflow exploits have similarities in how they function. ADMmutate has the ability to emulate the protocol of the service the attacker is attempting to exploit. The data payload (sometimes referred to as an egg) contains the instructions the attacker wants to execute on the target machine. These eggs are generally interchangeable and can be utilized in many different buffer overflow exploits. ADMmutate uses several techniques to randomize the contents of the egg in any given buffer overflow exploit. This randomization effectively changes the content, or 'signature', of the exploit without changing its functionality, which is why a signature-based IDS is less likely to match it.
D