Informative Information for the Uninformed
Context-keyed Payload Encoding
Preventing Payload Disclosure via Context
October, 2007 I)ruid, CISSP <druid@caughq.org> http://druid.caughq.org
Abstract:
A common goal of payload encoders is to evade a third-party detection mechanism which
is actively observing attack traffic somewhere along the route from an attacker
to their target, filtering on commonly used payload instructions. The use of
a payload encoder may itself be easily detected and blocked, and it also opens
up the opportunity for the payload to be decoded for further analysis. Even
so-called keyed encoders utilize easily observable, recoverable, or guessable
key values in their encoding algorithm, thus making decoding on-the-fly
trivial once the encoding algorithm is identified. It is feasible that an
active observer may make use of the inherent functionality of the decoder stub
to decode the payload of a suspected exploit in order to inspect the contents
of that payload and make a control decision about the network traffic. This
paper presents a new method of keying an encoder which is based entirely on
contextual information that is predictable or known about the target by the
attacker and constructible or recoverable by the decoder stub when executed at
the target. An active observer of the attack traffic, however, should be unable
to decode the payload due to lack of the contextual keying information.
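The keying idea in the abstract, as an added Python example that is not the paper's own code: the key is expanded from a context value the decoder stub can rebuild at the target, while an observer who knows the algorithm but not the context can only try guesses. The payload, the context value, the SHA-256 counter-mode key expansion and the `observer_recover` helper are all constructed assumptions of this example.

```python
import hashlib

# Constructed sample values for this example (not from the paper):
# the payload is plain text standing in for machine code, and the
# context is a value assumed to be predictable about the target
# (e.g. its hostname) but not visible to an observer on the wire.
PAYLOAD = b"constructed sample payload"
TARGET_CONTEXT = b"hostname=db01.corp.example"


def derive_key(context: bytes, length: int) -> bytes:
    """Expand contextual information into a keystream of the needed length.
    SHA-256 in counter mode is this example's own choice of derivation."""
    key = b""
    counter = 0
    while len(key) < length:
        key += hashlib.sha256(context + counter.to_bytes(4, "big")).digest()
        counter += 1
    return key[:length]


def xor_with_context(data: bytes, context: bytes) -> bytes:
    """Encode or decode: XOR is symmetric, so the decoder stub only needs to
    rebuild the same context at the target and apply this same function."""
    key = derive_key(context, len(data))
    return bytes(d ^ k for d, k in zip(data, key))


def observer_recover(encoded: bytes, candidate_contexts, expected_prefix: bytes):
    """Model an inline observer that knows the decoding algorithm but not the
    context: all it can do is try candidate contexts and check whether the
    result starts with a prefix it expects. Returns the matching context, or
    None when no candidate fits (the case the abstract describes)."""
    for ctx in candidate_contexts:
        if xor_with_context(encoded, ctx).startswith(expected_prefix):
            return ctx
    return None


if __name__ == "__main__":
    encoded = xor_with_context(PAYLOAD, TARGET_CONTEXT)
    print("on the wire:", encoded.hex())
    print("decoded at target:", xor_with_context(encoded, TARGET_CONTEXT))
    guesses = [b"hostname=web01.corp.example", b"hostname=localhost"]
    print("observer recovered:", observer_recover(encoded, guesses, b"constructed"))
```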