He was wrong. The major IDSs rarely trigger on shellcode. Snort relies more on shellcode than many, but if you look at its signatures, you'll find that only a couple percent trigger on shellcode. When you restrict your analysis to just those signatures for the major vulnerabilities, I think that 0% of Snort's signatures use shellcode. The same applies to McAfee, Cisco, 3com, Juniper, and of course the IDS I created, IBM/ISS Proventia. I have probably written more IDS signatures than anybody else on the planet, and I have never written one that triggers on shellcode.
If an IDS does not trigger on shellcode, then polymorphic shellcode will not evade it. (An obvious point, but humorously, many people miss this).
An example of a signature (written in Snort syntax) would be the following for the Slammer bug:
alert udp any any -> any 1434 (\
msg:"MS-SQL version overflow attempt"; \
content:"|04|"; depth:1; \
sid:1000001; rev:1;)
This signature triggers on the first byte of the UDP payload sent to port 1434 (the part of the packet the vulnerability depends on), not on the shellcode, therefore ADMmutate will not evade it.
While the high-end IDS avoids triggering on shellcode, low-end products do something else. One of the most common signatures in low-end products simply triggers on strings like "AAAAAAAA" that appear in proof-of-concept (PoC) exploits. These are non-functional exploits that do little more than cause a crash, demonstrating that they "got execution" when the program tries to execute code at 0x41414141. The vendors then claim "0-day protection" for the vulnerability, and IDS reviewers confirm that by testing with the PoCs. Again, polymorphic shellcode won't really help evade these crappy products, because ANY real shellcode would evade them.
The most common signature for exploits isn't shellcode at all, but triggering on the shell prompt. For example, the Windows cmd.exe shell prompt displays:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
Fancy IDS evasion tools like Core Impact, Metasploit, and Canvas still get caught because of shell-prompt signatures. We recently added what we humorously called "Advanced Shell Prompt Evasion" to Metasploit to get rid of this nonsense. The humor is derived from the fact that launching "cmd /k" instead of "cmd" gets rid of the prompt, so it's not really advanced. The irony is that it actually does a better job of evading IDSs than ADMmutate does. There was a time when ADMmutate was important, but that was half a decade ago.
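To make the argument concrete, here is an added example (not code from the post, Snort, or Metasploit): a toy evaluator for the subset of Snort rule syntax the Slammer rule above uses (header, `content` with `|hex|` escapes, `depth`). It runs three rules over constructed payloads: the page's Slammer rule, a hypothetical shellcode-string rule, and a hypothetical shell-prompt rule built from the cmd.exe banner quoted above. The payloads are stand-ins (a 0x04 lead byte followed by filler, not exploit bytes) and the "shellcode" is a placeholder byte string; the `sid` values are local-rule placeholders. The point it shows: a vulnerability-keyed rule fires on the original, the "mutated", and the PoC payload alike, a shellcode-string rule fires only on the original, and a prompt rule stops firing as soon as the banner is absent.

```python
import re

# Rule from the post, closed with a local-rule sid placeholder.
SLAMMER_RULE = r"""alert udp any any -> any 1434 (\
msg:"MS-SQL version overflow attempt"; \
content:"|04|"; depth:1; \
sid:1000001; rev:1;)"""

# Hypothetical "low-end" rule keyed on one shellcode byte string (constructed).
SHELLCODE_RULE = r"""alert udp any any -> any 1434 (msg:"constructed shellcode-string sig"; content:"|CC CC CC CC|"; sid:1000002; rev:1;)"""

# Hypothetical shell-prompt rule built from the cmd.exe banner quoted on the page.
PROMPT_RULE = r"""alert tcp any any -> any any (msg:"cmd.exe shell prompt"; content:"Microsoft Windows"; content:"[Version "; sid:1000003; rev:1;)"""

# Constructed sample payloads (not exploit bytes): lead byte 0x04, filler, then a
# placeholder "shellcode" tail that the polymorphic variant changes.
SLAMMER_LIKE = b"\x04" + b"\x01" * 97 + b"\xcc\xcc\xcc\xcc"
SLAMMER_MUTATED = b"\x04" + b"\x01" * 97 + b"\x90\x90\x90\x90"  # same trigger, different tail
POC_CRASH = b"\x04" + b"A" * 100                                   # "AAAA..." proof of concept
BANNER_RESPONSE = (b"Microsoft Windows XP [Version 5.1.2600]\r\n"
                   b"(C) Copyright 1985-2001 Microsoft Corp.\r\n\r\nC:\\>")
NO_BANNER_RESPONSE = b"C:\\>"  # what a prompt-suppressed shell sends back


def parse_content(text):
    """Turn a Snort content string into bytes: text outside |..| is literal,
    text inside |..| is hex (spaces allowed, as in |CC CC CC CC|)."""
    out = b""
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return out


def parse_rule(text):
    """Parse the header and the option list of a single Snort rule.
    Supports backslash line continuations and the msg/content/depth options."""
    text = text.replace("\\\n", " ")  # join continuation lines
    header = re.match(
        r"\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s*->\s*(\S+)\s+(\S+)\s*\((.*)\)\s*$", text, re.S)
    if not header:
        raise ValueError("unparsable rule header")
    action, proto, src, sport, dst, dport, body = header.groups()
    rule = {"action": action, "proto": proto, "dport": dport, "msg": "", "contents": []}
    # Options are `key:value;` or bare `key;`; values may be quoted.
    for key, val in re.findall(r'\s*(\w+)\s*(?::\s*("[^"]*"|[^;]*))?;', body):
        val = val.strip().strip('"')
        if key == "msg":
            rule["msg"] = val
        elif key == "content":
            rule["contents"].append({"bytes": parse_content(val), "depth": None})
        elif key == "depth" and rule["contents"]:
            rule["contents"][-1]["depth"] = int(val)  # modifier binds to the last content
    return rule


def matches(rule, proto, dport, payload):
    """True when the rule's protocol, destination port, and every content
    (within its depth window, measured from the start of the payload) match."""
    if rule["proto"] != proto:
        return False
    if rule["dport"] != "any" and int(rule["dport"]) != dport:
        return False
    for c in rule["contents"]:
        window = payload if c["depth"] is None else payload[: c["depth"]]
        if c["bytes"] not in window:
            return False
    return True


def evaluate(rule_text, proto, dport, payload):
    return matches(parse_rule(rule_text), proto, dport, payload)


if __name__ == "__main__":
    cases = [("original", SLAMMER_LIKE), ("mutated", SLAMMER_MUTATED), ("PoC", POC_CRASH)]
    for name, payload in cases:
        print(f"{name:9s} slammer-rule={evaluate(SLAMMER_RULE, 'udp', 1434, payload)} "
              f"shellcode-rule={evaluate(SHELLCODE_RULE, 'udp', 1434, payload)}")
    print("banner   prompt-rule=", evaluate(PROMPT_RULE, "tcp", 4444, BANNER_RESPONSE))
    print("no banner prompt-rule=", evaluate(PROMPT_RULE, "tcp", 4444, NO_BANNER_RESPONSE))
```

The `depth:1` window is what makes the Slammer rule insensitive to everything after the first byte: the evaluator only ever looks at `payload[:1]`, so changing the tail cannot change the verdict. The prompt rule, by contrast, depends entirely on bytes the attacker controls after exploitation, which is why it is the weaker signature.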