> List: full-disclosure > Subject: Re: [Full-disclosure] NUL Character Evasion > From: fd () ew ! nsci ! us > Date: 2005-09-15 19:57:30 > > > > On Thu, 15 Sep 2005, Williams, James K wrote: > > > List: full-disclosure > > > Subject: [Full-disclosure] NUL Character Evasion > > > From: ju () heisec ! de > > > Date: 2005-09-13 21:24:42 > > > > Thank you for the report. Computer Associates is currently > > investigating the issue (as it relates to CA products). > > > > Regards, > > kw > > Ken, > > How long until this update hits your product? > > -Eric > > -- > Eric Wheeler
As initially suspected, from the AV signature perspective, this is not a critical issue until and unless something specific shows up in the wild or is reported to a vendor. The NUL char insertion concept is similar in theory to, for example, K2's classic ADMmutate[1] polymorphic shellcode engine for NIDS evasion, or simply adding NOPs to an executable. Alex and Neel[2] discussed this class of AV vulns at core05 and Blackhat. Regards, kw [1] http://www.ktwo.ca/security.html [2] http://www.blackhat.com/presentations/bh-usa-05/bh-us-05-wheeler.pdf _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
