Arms race for intrusion detection
"Intrusion detection is an arms race," said Martin Roesch, president of security software start-up SourceFire and the creator of the popular IDS known as Snort. "It is measure, countermeasure." Roesch has already started to improve Snort against techniques such as K2's. "Rather than a single signature we will have to go with multifaceted rules," he explained.
However, the development has other security experts concerned that, in the time it takes for intrusion-detection system makers to modify their products, online vandals could have a field day. "If (K2's) code is adopted en masse, it could make our lives a pain," said Greg Shipley, director of consulting services for security consulting firm Neohapsis.
Shipley likened today's intrusion-detection system to antivirus scanners, where each tries to match program signatures to a dictionary of malicious code. Like antivirus scanners, the pattern-matching technology is fallible.
"If these systems were perfect, the Melissa virus would never have happened," he said. "It's reason No. 577 to patch your servers." Dragos Ruiu, security consultant and host of the CanSecWest conference, said the program marks only a temporary setback for makers of intrusion-detection systems.
"K2 has removed something that could have been a defensive bullet," said Ruiu, pointing to the high expectations the industry has for intrusion detections systems. "We are back to the point where we are even" with the attackers, he added.
But even K2 doesn't believe the polymorphic technique will spread quickly. Getting everything to work properly is just too difficult, he said.
"It's not really a (script) kiddie application," K2 said, referring to the lowest form of Internet hack. "It requires a lot of skill, and anyone who does have the skill will be the guy to discover the vulnerabilities first."
