A suggestion to Concept/Nimda analysts

From: Stuart Staniford (stuartat_private)
Date: Tue Sep 18 2001 - 11:04:31 PDT

Next message: Don Weber: "is this new"

Previous message: Florian Piekert: "Fwd: Massive CMD.EXE and ROOT.EXE scan"
In reply to: Olle Segerdahl: "Concept Virus(CV) V.5 - Quick analysis update"
Next in thread: Brian Pomeroy: "Re: Concept Virus(CV) V.5 - Quick analysis update"
Next in thread: Mark Challender: "RE: Concept Virus(CV) V.5 - Advisory and Quick analysis"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Given the timing of the launch of this thing (almost exactly a week after
the WTC attack), it seems important to understand the payload as quickly as
possible.  I suggest looking for time-based switches in the code.  If it
were to have some damage mode, it might well spread for a while and then
switch to causing some other kind of damage.  So looking at the code right
after a call to get the system time might be very valuable.

Stuart.

-- 
Stuart Staniford     ---     President     ---     Silicon Defense
         ** Silicon Defense: Technical Support for Snort **
mailto:stuartat_private  http://www.silicondefense.com/
(707) 445-4355 x 16                           (707) 445-4222 (FAX)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Don Weber: "is this new"
Previous message: Florian Piekert: "Fwd: Massive CMD.EXE and ROOT.EXE scan"
In reply to: Olle Segerdahl: "Concept Virus(CV) V.5 - Quick analysis update"
Next in thread: Brian Pomeroy: "Re: Concept Virus(CV) V.5 - Quick analysis update"
Next in thread: Mark Challender: "RE: Concept Virus(CV) V.5 - Advisory and Quick analysis"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 11:45:59 PDT