Full Disclosure mailing list archives

Re: Re: pnp worm unknown variant - post infection actions


From: Valdis.Kletnieks () vt edu
Date: Wed, 17 Aug 2005 12:03:38 -0400

On Wed, 17 Aug 2005 08:16:04 CDT, "Madison, Marc" said:

> lab has compiled hashes of known child porn, they use the hashes to
> perform quick scans of suspected criminals' computers in order to
> facilitate a quicker response to the investigating agency in the case.

OK.. So we found the hash, therefore the guy is guilty..

> And if I'm not mistaken Metasploit without any changes is extremely
> noisy which makes it easy to identify as Metasploit.

And if we're facilitating a "quicker response", how do we reconcile that with
taking the time to identify a Metasploit that *has* been changed to be less
noisy?

"We found the hash, we didn't see any signs of a stock noisy Metasploit, and
it would have taken too long to look for a modified Metasploit version we've never
seen before, so the guy is guilty..."

I think that's *exactly* the situation that Jason is complaining about...


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
