Phrack 59 appeared in late December and has been my reading project this month. Continuing the discipline of reading carefully.
What is in the issue
The articles I found most useful:
An advanced article on shellcode techniques. Specifically, techniques for polymorphic shellcode that varies its byte sequence while maintaining the same functionality. This is the response to signature-based detection — instead of writing one shellcode that gets a signature, write generation tools that produce many variants of equivalent shellcode. The technique is general; the defensive implication is that signature-based detection of shellcode is becoming less reliable.
A piece on kernel-rootkit detection from outside the host. The author describes techniques for using hardware-level access (specifically, accessing memory through PCI-bus interfaces) to inspect kernel state without going through any compromised software. The principle is the off-host observation discipline I have been writing about, taken further — the observation can be off-CPU as well.
A long article on the architecture of modern worm kits. Not a how-to; an analysis of what made Code Red and Nimda operationally effective and what the next generation will likely include. The analysis is consistent with what I have been writing; the specifics are more detailed.
What I take from this issue
Three things.
Signature-based detection is reaching its operational limits. The shellcode-polymorphism work is going to make IDS signatures progressively less reliable. The defensive response has to be behavioural detection — patterns of action rather than patterns of bytes. This is harder, slower, and produces more false positives. It is also necessary.
Hardware-level observation is the next defensive frontier. Once kernel rootkits can hide reliably from software-level inspection, the only reliable observation is at the hardware level. This requires specialised tooling that does not yet exist for most platforms; it will, eventually.
The worm-kit analysis is a useful reference. Anyone planning defences for the next worm should read it to calibrate against likely capabilities.
What this changes about my advice
The defensive disciplines do not change much:
- Patch promptly.
- Defence in depth.
- Off-host monitoring.
- Behavioural pattern detection where possible.
- Continued calibrated humility about what will and will not work.
The specific tooling is shifting, but the principles are stable.
A closing reflection
Phrack continues to be the most useful publication I read regularly. The articles are technical to the point of being practically useful; the writing assumes a reader who can use the techniques rather than just observe them.
For anyone working in security defence who has not read Phrack carefully: the discipline is worth establishing. One issue every few months produces more practical knowledge than dozens of vendor-marketing articles in commercial security press.
More as the year develops.