Evading Intruder Detection Systems


IDSs fall into two categories:

  • Signature based: Detects well-known attacks for which there are signatures

  • Anomaly based: Records what is normal activity on a network for a short learning period and then alerts you when network traffic deviates from what is considered authorized activity

Signature-based IDS devices are easier to circumvent than anomaly-based ones. Because signature-based IDSs depend on patterns (or signatures) of attacks, you can circumvent the IDS by launching an attack that does not match the patterns it is looking for. Two methods of bypassing IDS devices are as follows:

  • Encryption

  • Exploit mutation

Because signature-based IDS devices look for the common patterns of known attacks, encrypting your data changes the appearance of your packets so that they pass undetected. Typically, you use encrypted communication when you are using a remote access Trojan. For example, NCrypt (http://ncrypt.sourceforge.net/) is an encrypted version of NetCat (discussed in Chapter 12, "Using Trojans and Backdoor Applications"). Signature-based IDS devices might be able to detect the use of NetCat, but NCrypt encrypts your NetCat traffic using Rijndael, Serpent, or Twofish, so the sensor never sees the plaintext patterns it is looking for and your attack is not detected.

An alternative to encryption is to mutate, or morph, your attack so that it has a different signature. For example, many IDS devices watch for a stream of packets whose payload is 0x90, the x86 NOP opcode that is commonly used to build the "sled" in buffer overflow exploits. (For more on buffer overflows, see Chapter 14, "Understanding and Attempting Buffer Overflows.") To change the attack so that this signature no longer matches, you replace 0x90 (the NOP code) with functionally equivalent code. The ADMutate program (http://www.ktwo.ca/) does just that. It has more than 50 different replacements that exchange the NOP code with equivalent instructions, so the resulting sled no longer matches a signature that looks only for 0x90.
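To show the detection side of this, here is an added example in Python (not code from the book or from ADMutate): a toy signature matcher that first looks for the plain 0x90 sled the text describes, then for a widened signature covering single-byte NOP-equivalent opcodes. The NOP-equivalent set, the thresholds, and the three sample payloads are constructed for this demo; the benign HTTP line shows the false-positive cost of widening the signature, because uppercase A-O are themselves valid one-byte inc/dec instructions.

```python
# Added example (not from the book): why a 0x90-only sled signature misses a
# mutated sled, and what it costs to widen that signature.
from typing import List, Tuple

# Assumed set of single-byte 32-bit x86 instructions that leave a sled usable:
# nop 0x90, inc/dec r32 0x41-0x4F, xchg eax,r32 0x91-0x97, fwait 0x9B,
# lahf 0x9F, clc/stc/cld/std 0xF8/0xF9/0xFC/0xFD.
NOP_EQUIVALENTS = frozenset({0x90} | set(range(0x41, 0x50)) | set(range(0x91, 0x98))
                            | {0x9B, 0x9F, 0xF8, 0xF9, 0xFC, 0xFD})

def find_runs(payload: bytes, alphabet: frozenset, min_len: int) -> List[Tuple[int, int]]:
    """Return (offset, length) of every run of >= min_len bytes drawn from alphabet."""
    runs, start = [], None
    for i, b in enumerate(payload + b"\x00"):  # 0x00 sentinel closes a trailing run
        if b in alphabet and start is None:
            start = i
        elif b not in alphabet and start is not None:
            if i - start >= min_len:
                runs.append((start, i - start))
            start = None
    return runs

def naive_sled_alert(payload: bytes, min_len: int = 16) -> bool:
    """The signature as the text describes it: a long stream of 0x90 bytes."""
    return bool(find_runs(payload, frozenset({0x90}), min_len))

def mutation_aware_alert(payload: bytes, min_len: int = 16) -> bool:
    """Widened signature: any long run of NOP-equivalent bytes."""
    return bool(find_runs(payload, NOP_EQUIVALENTS, min_len))

# Constructed sample payloads (not real exploits): a classic 0x90 sled, a sled
# rebuilt from NOP-equivalents only, and benign text made of the letters A-O.
CLASSIC_SLED = b"\x90" * 32 + b"<payload>"
MUTATED_SLED = bytes([0x41, 0x97, 0x9B, 0x4F, 0xF8, 0x42, 0x9F, 0xFC] * 4) + b"<payload>"
BENIGN_TEXT = b"GET /ABCDEFGHIJKLMNOABCDEFGHIJ HTTP/1.0"

if __name__ == "__main__":
    for name, p in [("classic", CLASSIC_SLED), ("mutated", MUTATED_SLED), ("benign", BENIGN_TEXT)]:
        print(f"{name:8} naive={naive_sled_alert(p)} widened={mutation_aware_alert(p)}")
```

The widened rule catches the mutated sled but also fires on the harmless request line, which is why real sensors pair such byte-class rules with protocol context rather than matching raw payload alone.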


    Penetration Testing and Network Defense
    ISBN: 1587052083
    Year: 2005
    Pages: 209