Evasion with OLE2 Fragmentation


by H D Moore

This applies more to AVs than IPS, but is yet another thing for IDS sig  
developers to be aware of:
  - http://www.breakingpointsystems.com/community/blog/evasion-with-ole2-fragmentation

"At BreakingPoint, we provide comprehensive coverage of Microsoft Tuesday  
patches. This Tuesday was no different and we released StrikePacks 45799  
and 45800 to cover MS09-017 (the PowerPoint vulnerabilities). In addition  
to writing exploits for these flaws, we also research application-specific  
evasion methods. In the case of file format flaws, we support evasion at  
every level, including techniques like IP fragmentation, alternate MIME  
encodings, HTTP compression, and data randomization within the files  
themselves. While working on Strike coverage for MS09-017, we discovered a  
simple way to bypass mainstream anti-virus and IPS signatures for  
malicious Office documents. This post talks about the method we used and  
some of our test results against popular anti-virus products."

-HD
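The post above only links to the BreakingPoint write-up and does not reproduce its method, so the following is an added illustration of the underlying format property, not BreakingPoint's or HD's code. An OLE2 (Compound File Binary) document stores each stream as a chain of 512-byte sectors linked through the FAT, and nothing requires consecutive sectors of a stream to be adjacent in the file. A signature that matches raw file bytes can therefore miss a pattern that straddles two sectors stored apart, while a scanner that walks the FAT and reassembles the stream still sees it. The code below writes a minimal, spec-shaped CFB file twice, once with the stream contiguous and once interleaved, then runs a raw-byte scan and a FAT-walking scan over both. The stream name "Payload", the marker string MARKER-PATTERN-TO-DETECT and the sector order are constructed for the demo; the marker is an arbitrary byte string standing in for whatever a signature looks for, and the reader is deliberately limited (single FAT sector in the header DIFAT, no mini stream), which is enough for the files it builds.

```python
import struct

SECTOR_SIZE = 512
ENDOFCHAIN = 0xFFFFFFFE
FREESECT = 0xFFFFFFFF
FATSECT = 0xFFFFFFFD
NOSTREAM = 0xFFFFFFFF
MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # CFB file signature

# Constructed marker standing in for a byte-pattern signature (not real malware).
PATTERN = b"MARKER-PATTERN-TO-DETECT"


def _dir_entry(name, obj_type, child, start, size):
    """One 128-byte directory entry (v3 layout)."""
    raw_name = name.encode("utf-16-le") + b"\x00\x00"
    e = bytearray(128)
    e[0:len(raw_name)] = raw_name
    struct.pack_into("<HBB", e, 64, len(raw_name), obj_type, 1)   # name len, type, colour=black
    struct.pack_into("<III", e, 68, NOSTREAM, NOSTREAM, child)    # left, right, child
    struct.pack_into("<IQ", e, 116, start, size)                  # first sector, stream size
    return bytes(e)


def _unused_entry():
    e = bytearray(128)
    struct.pack_into("<III", e, 68, NOSTREAM, NOSTREAM, NOSTREAM)
    return bytes(e)


def build_ole2(payload, physical_order):
    """Minimal v3 CFB: sector 0 = FAT, sector 1 = directory, one stream whose
    logical sector i lives in physical sector physical_order[i]."""
    nsect = len(payload) // SECTOR_SIZE
    assert len(payload) == nsect * SECTOR_SIZE and len(payload) >= 4096  # stays out of the mini stream
    assert sorted(physical_order) == list(range(2, 2 + nsect)) and 2 + nsect <= SECTOR_SIZE // 4
    fat = [FREESECT] * (SECTOR_SIZE // 4)
    fat[0], fat[1] = FATSECT, ENDOFCHAIN
    for i, phys in enumerate(physical_order):           # chain the stream in logical order
        fat[phys] = physical_order[i + 1] if i + 1 < nsect else ENDOFCHAIN
    hdr = bytearray(SECTOR_SIZE)
    hdr[0:8] = MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)   # versions, byte order, sector shifts
    # dir sector count (0 for v3), FAT sectors, first dir sector, txn sig,
    # mini cutoff, first mini FAT, mini FAT count, first DIFAT sector
    struct.pack_into("<IIIIIIII", hdr, 40, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN)
    struct.pack_into("<I", hdr, 72, 0)                           # no extra DIFAT sectors
    struct.pack_into("<109I", hdr, 76, 0, *([FREESECT] * 108))   # DIFAT[0] -> FAT sector 0
    sectors = [None] * (2 + nsect)
    sectors[0] = struct.pack("<128I", *fat)
    sectors[1] = (_dir_entry("Root Entry", 5, 1, ENDOFCHAIN, 0)
                  + _dir_entry("Payload", 2, NOSTREAM, physical_order[0], len(payload))
                  + _unused_entry() * 2)
    for i, phys in enumerate(physical_order):
        sectors[phys] = payload[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE]
    return bytes(hdr) + b"".join(sectors)


def _u32s(buf):
    return list(struct.unpack("<%dI" % (len(buf) // 4), buf))


def _sector(data, n, sector_size):
    off = (n + 1) * sector_size                   # the header occupies "sector -1"
    return data[off:off + sector_size]


def read_chain(fat, start):
    chain, seen, s = [], set(), start
    while s != ENDOFCHAIN:
        if s in seen or s >= len(fat):            # loop or out-of-range entry: corrupt FAT
            raise ValueError("corrupt FAT chain at sector %#x" % s)
        seen.add(s)
        chain.append(s)
        s = fat[s]
    return chain


def extract_streams(data):
    """Reassemble every regular (FAT-resident) stream by walking the FAT."""
    if data[:8] != MAGIC:
        raise ValueError("not an OLE2/CFB file")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    n_fat, first_dir = struct.unpack_from("<II", data, 44)
    mini_cutoff = struct.unpack_from("<I", data, 56)[0]
    if struct.unpack_from("<I", data, 72)[0] != 0:
        raise ValueError("DIFAT sectors outside the header not supported by this demo")
    fat_sectors = [s for s in _u32s(data[76:512]) if s != FREESECT][:n_fat]
    fat = [x for s in fat_sectors for x in _u32s(_sector(data, s, sector_size))]
    streams = {}
    for d in read_chain(fat, first_dir):
        sec = _sector(data, d, sector_size)
        for off in range(0, sector_size, 128):
            e = sec[off:off + 128]
            name_len, obj_type = struct.unpack_from("<HB", e, 64)
            start, size = struct.unpack_from("<IQ", e, 116)
            if obj_type != 2 or size < mini_cutoff:   # skip storages and mini-stream streams
                continue
            name = e[:max(name_len - 2, 0)].decode("utf-16-le")
            body = b"".join(_sector(data, s, sector_size) for s in read_chain(fat, start))
            streams[name] = body[:size]
    return streams


def naive_scan(data, pattern=PATTERN):
    """What a raw-bytes signature sees."""
    return pattern in data


def ole_aware_scan(data, pattern=PATTERN):
    """What a scanner that reassembles streams sees."""
    return any(pattern in body for body in extract_streams(data).values())


def build_sample(fragmented):
    """Nine-sector stream with PATTERN straddling the first/second sector boundary."""
    body = bytearray(9 * SECTOR_SIZE)
    pos = SECTOR_SIZE - len(PATTERN) // 2
    body[pos:pos + len(PATTERN)] = PATTERN
    order = [2, 4, 6, 8, 10, 3, 5, 7, 9] if fragmented else list(range(2, 11))
    return build_ole2(bytes(body), order), bytes(body)


if __name__ == "__main__":
    for frag in (False, True):
        doc, _ = build_sample(frag)
        print("fragmented=%s raw-scan=%s fat-walk-scan=%s"
              % (frag, naive_scan(doc), ole_aware_scan(doc)))
```

The detection-side takeaway is the one HD points at: a signature keyed to file offsets or contiguous byte runs inside an Office document is only as good as the scanner's willingness to parse the container, so the check belongs on the reassembled stream (or on the parser's output) rather than on the raw file. The same reader also shows where a hostile file can push back, since read_chain has to refuse FAT loops and out-of-range entries before trusting the chain it is handed.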