Polymorphic Shellcode
2006-10-10 15:57:25
This was forwarded over to us. Very interesting content by Vlad and some signatures. I've only cleaned them up and posted them, but DISABLED BY DEFAULT.

These are HUGE pcre's that will cause a lot of load. I'm putting them out to get some testing and feedback. If the idea can be packed into a lesser load signature this could be a very significant advance.

See the posted versions here:
http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/VIRUS/VIRUS_Polymorphic_Experimental?sortby=date&view=markup

Please test and let us know how they fare.

Matt

-------- Original Message --------
Subject: Polymorphic Shellcode --snort signatures

For those that weren't at toorcon, Vlad Tsyrklevich gave a pretty awesome talk on some work he did with polymorphic shellcode encoders. He was able to fingerprint the generators based on frequency/spectrum analysis via custom C code. The below snort rules are the results of his work (some of the results, not all).

(On a sidenote, Vlad has ok'd the release of these signatures in bleedingedge.)

It should be noted that the extensive use of PCRE in these rules WILL CAUSE A PERFORMANCE HIT. But there are plenty of things you can do to whittle that hit down to a level that is tolerable for your environment. If anyone is interested in streamlining the signatures, go for it!

URL to the brief on his talk:
http://toorcon.org/2006/conference.html?id=29


Rules

# You could even do slightly more fingerprinting; however, I think this is more than enough to weed out false positives
# EB | OFFSET | 58-5B | 31 | C0,C9,D2,DB | B0-B3 | XX | 8B (| XX | 05,2D,35,81,C1???) ... (random)
#      ... 40-43,FD,FF | 40-43,FF | 40-43,80,FF | 40-43,E9-EB,FF,80,2C | 40-43,48-4B,E9-EB,01,2C,80 | 48-4C,E9-EB,02,2C |
#      | 48-4B,03 | 48-4B | 74 | 07 | EB | OFFSET | E8 | OFFSET
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE CLET polymorphic payload"; classtype:shellcode-detect; \
	dsize: >40; \
	content: "|74 07 eb|"; \
	content: "|e8|"; distance: 1; within: 1; \
	content: "|ff ff ff|"; distance: 1; within: 3; \
	pcre: "/\xeb.[\x58-\x5b]\x31[\xc0\xc9\xd2\xdb][\xb0-\xb3].\x8b.[\x05\x2d\x35\x81\xc1]/sm"; \
	pcre: "/[\x40-\x43\xfd\xff][\x40-\x43\xff][\x40-\x43\x80\xff][\x40-\x43\xe9-\xeb\xff\x80\x2c][\x40-\x43\x48-\x4b\xe9-\xeb\x01\x2c\x80][\x48-\x4c\xe9-\xeb\x02\x2c][\x03\x48-\x4b][\x48-\x4b]\x74\x07\xeb.\xe8.\xff\xff\xff/smR";)

# Detects payloads <1024 bytes, you could do slightly more fingerprinting if you split them up but this should be very accurate by itself.
# The last pcre is two alternatives: the first branch covers MSF 2, the second branch MSF 3.
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE Shikata Ga Nai polymorphic payload"; classtype:shellcode-detect; \
	dsize: >26; \
	content: "|d9 74 24 f4|"; \
	pcre: "/[\x29\x2b\x31\x33]\xc9/sm"; \
	pcre: "/[\xd9-\xdb\xdd].{1,11}\xd9\x74\x24\xf4.{0,10}[\x58\x5a\x5b\x5d-\x5f]/sm"; \
	pcre: "/([\x29\x2b\x31\x33\xb8\xba\xbb\xbe\xbf\xd9-\xdb\xdd][^\x00\xff][^\x00\xff][^\x00][^\x00\xff][^\x00][^\x00\xff][^\x00\xff][^\x00][^\x00][^\x00][^\x00\xff][^\x00\xff][^\x00\xff][^\x00][^\x00][\x31\x83][\x42\x43\x46\x47\x50\x53\x56-\x58\x5a\x5e\x5f\x70\x72\x73\x77\x78\x7a\x7b\x7e\xc0\xc2\xc3\xc6\xc7\xe8\xea\xeb\xee\xef][\x04\x0e\x10\x12\x13\x15\x17\xfc][\x03\x31\x83][\x42\x43\x46\x47\x50\x53\x56-\x58\x5a\x5e\x5f\x70\x72\x73\x77\x78\x7a\x7b\x7e\xc0\xc2\xc3\xc6\xc7\xe8\xea\xeb\xee\xef][\x04\x0a\x0c\x0e-\x13\x15\x17\xfc][\x03\x83]..[^\x1d\xe2][^\x0a\xf5])|([\x29\x2b\x31\x33\xb8\xba\xbb\xbd-\xbf\xd9-\xdb\xdd][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][\x24\xb1\xd9-\xdb\xdd][^\x00][\x58\x5a\x5b\x5d-\x5f\xb8\xba\xbb\xbd-\xbf\xd9][^\x00][^\x00][^\x00][^\x00][\x31\x83][\x42\x43\x45-\x47\x50\x53\x55-\x58\x5a\x5d-\x5f\x68\x6a\x6b\x6e-\x70\x72\x73\x75\x77\x78\x7a\x7b\x7d\x7e\xc0\xc2\xc3\xc5-\xc7\xe8\xea\xeb\xed-\xef][\x04\x0e\x12\x17\xfc][\x03\x31\x83][\x42\x43\x45-\x47\x50\x53\x55-\x58\x5a\x5d-\x5f\x68\x6a\x6b\x6e-\x70\x72\x73\x75\x77\x78\x7a\x7b\x7d\x7e\xc0\xc2\xc3\xc5-\xc7\xe8\xea\xeb\xed-\xef][\x04\x0a\x0e\x12\x13\x17\xfc][\x03\x83]..[^\xe2][^\xf5])/sm";)


# You could do slightly more if you wanted. And it could be done very accurately dynamically by parsing out useless nops but this works too.
# No good distinguishing patterns other than E8 XX FF FF FF... Oh, and if you wanted to re-write this using byte_jumps it would be REALLY good because all of these loops/calls/jmps land exactly on an instruction so you don't have to do .{0,20} but I don't have the time... do you?
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE ADMutate polymorphic payload"; classtype:shellcode-detect; \
	dsize: >45; \
	content: "|e8|"; \
	content: "|ff ff ff|"; distance: 1; within: 3; \
	pcre: "/\xeb[\x26-\x7a].{0,20}(\x5e|\x58\x96|\x58\x89\xc6|\x8b\x34\x24\x83\xec\x04).{0,20}(((\xbb....|\x68....\x5b).{0,20}(\x31\xc9|\x31\xc0\x91))|((\x31\xc9|\x31\xc0\x91).{0,20}(\xbb....|\x68....\x5b))).{0,20}(\xb1.|\x6a.\x58\x89\xc1|\x6a.\x66\x59).{0,20}(\x31\x1e|\x93\x31\x06\x93|\x8b\x06\x09\xd8\x21\x1e\xf7\x16\x21\x06).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}\xe2[\xa0-\xf9].{0,20}\xeb[\x06-\x20].{0,20}\xe8[\x7f-\xff]\xff\xff\xff/sm";)

-- 
--------------------------------------------
Matthew Jonkman, CISSP
765-429-0398 Direct
http://my.infotex.com
http://www.infotex.com
http://www.bleedingsnort.com
--------------------------------------------

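An added example, not code from the post or from Vlad's signatures: the Shikata Ga Nai rule's dsize, content and two short PCREs re-implemented in Python and run over constructed byte strings, returning how many regex evaluations each payload cost, to show why the cheap content prefilter matters for the load concern raised above. The long MSF 2/3 alternation is left out, and every sample payload below is constructed rather than captured.

```python
import re

# Checks taken from the Shikata Ga Nai rule in the post, with the backslashes
# the list archive stripped from the PCREs restored. The MSF 2/3 alternation
# is omitted to keep the example short.
SGN_CONTENT = b"\xd9\x74\x24\xf4"                             # fnstenv [esp-0xc]
SGN_PCRE_XOR = re.compile(rb"[\x29\x2b\x31\x33]\xc9", re.S)   # sub/xor ecx,ecx
SGN_PCRE_STUB = re.compile(
    rb"[\xd9-\xdb\xdd].{1,11}\xd9\x74\x24\xf4.{0,10}[\x58\x5a\x5b\x5d-\x5f]", re.S)


def shikata_ga_nai_match(payload):
    """Emulate the rule's option order: dsize, then the cheap content search,
    and only then the PCREs. Returns (alert, regex_evaluations_spent)."""
    if len(payload) <= 26:            # dsize: >26
        return False, 0
    if SGN_CONTENT not in payload:    # content prefilter: no regex runs at all
        return False, 0
    if not SGN_PCRE_XOR.search(payload):
        return False, 1
    return bool(SGN_PCRE_STUB.search(payload)), 2


def scan(packets):
    """Run the rule over a list of payloads; return (alerts, total regex evaluations)."""
    alerts = evals = 0
    for p in packets:
        hit, n = shikata_ga_nai_match(p)
        alerts += hit
        evals += n
    return alerts, evals


# Constructed samples (not captured traffic). STUB_LIKE mimics the decoder
# stub shape the rule describes: FPU op, xor ecx,ecx, fnstenv, pop reg, then
# opaque bytes standing in for an encoded body.
FILLER = bytes(range(0x41, 0x55))
STUB_LIKE = b"\xd9\xee\x31\xc9\xd9\x74\x24\xf4\x5b" + FILLER
NO_XOR = b"\xd9\xee\xd9\x74\x24\xf4\x5b" + FILLER         # fnstenv, no xor ecx
TOO_SHORT = STUB_LIKE[:26]                                # fails dsize
HTTP = b"GET / HTTP/1.1\r\nHost: host.example\r\n\r\n"    # benign, no content hit

if __name__ == "__main__":
    print(scan([STUB_LIKE, NO_XOR, TOO_SHORT, HTTP]))    # (1, 3)
```

Only the two payloads containing the fnstenv bytes ever reach a regex; the benign HTTP request and the short packet are rejected before any PCRE runs.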

_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs@bleedingsnort.com
http://lists.bleedingsnort.com/mailman/listinfo/bleeding-sigs
