Re: What if CodeRed encoded its HTTP requests?

From: Jose Nazario (joseat_private)
Date: Mon Aug 20 2001 - 08:39:40 PDT


On Mon, 20 Aug 2001, Nuno Mendes wrote:

> I was just checking how many CodeRed I and II attempts I had on my
> Linux-based Apache server, and figuring out what if a new version of
> the worm encoded 'default.ida' in hexadecimal? Or even the data that
> causes the buffer overflow?

check out whisker and ADMmutate, both of which use encoding to obfuscate
the strings they send. they help kill signature-based IDS work. and more
than hex, unicode, with even more possibilities.

http://www.wiretrip.net/rfp/
http://ktwo.ca/

____________________________
jose nazario                                                 joseat_private
                     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
                                       PGP key ID 0xFD37F4E5 (pgp.mit.edu)


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
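One way to see why the encodings mentioned above defeat a naive signature match, as an added example that is not part of the original post: a small normalizer that decodes %XX hex and IIS-style %uXXXX sequences (bounded, so double encoding is also resolved) before matching the Code Red `default.ida` string. The sample requests are constructed, and treating %uXXXX as a plain code point is a simplification of how IIS actually decoded it.

```python
"""Added example (not from the list post): normalize hex and %u-style
encoded request lines before matching an IDS signature. The sample
requests below are constructed for illustration."""
import re

# The Code Red string a naive substring rule would look for.
SIGNATURE = "default.ida"

# Constructed sample requests: plain, percent-hex encoded, IIS-style
# %uXXXX encoded, double-encoded, and one benign request.
SAMPLE_REQUESTS = [
    "GET /default.ida?NNNN HTTP/1.0",
    "GET /%64%65%66%61%75%6c%74%2e%69%64%61?NNNN HTTP/1.0",
    "GET /%u0064%u0065fault%u002eida?NNNN HTTP/1.0",
    "GET /%2564efault.ida HTTP/1.0",   # %25 -> '%', then %64 -> 'd'
    "GET /index.html HTTP/1.0",
]

# Matches %uXXXX (assumed: decoded as a plain code point) or %XX.
_TOKEN = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")

def decode_once(s: str) -> str:
    """One decoding pass; malformed sequences are left untouched."""
    return _TOKEN.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

def normalize(s: str, max_passes: int = 3) -> str:
    """Decode until the string stops changing (bounded by max_passes),
    so double encoding is resolved too, then case-fold for matching."""
    for _ in range(max_passes):
        decoded = decode_once(s)
        if decoded == s:
            break
        s = decoded
    return s.lower()

def naive_match(request: str) -> bool:
    """Signature check on the raw request, as a naive IDS rule would do."""
    return SIGNATURE in request

def normalized_match(request: str) -> bool:
    """Signature check after decoding, which the encoded variants cannot evade."""
    return SIGNATURE in normalize(request)

def classify(requests):
    """Return (naive_hits, normalized_hits) over a list of request lines."""
    return (sum(naive_match(r) for r in requests),
            sum(normalized_match(r) for r in requests))

if __name__ == "__main__":
    print(classify(SAMPLE_REQUESTS))  # (1, 4): three encoded variants slip past the naive rule
```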
    