Full Disclosure mailing list archives
Re: Re: pnp worm unknown variant - post infectionactions
From: Valdis.Kletnieks () vt edu
Date: Wed, 17 Aug 2005 12:03:38 -0400
On Wed, 17 Aug 2005 08:16:04 CDT, "Madison, Marc" said:
> lab has compiled hashes of known child porn, they use the hashes to perform quick scans of suspected criminals' computers in order to facilitate a quicker response to the investigating agency in the case.
OK.. So we found the hash, therefore the guy is guilty..
And if I'm not mistaken Metasploit without any changes is extremely noisy which makes it easy to identify as Metasploit.
And if we're facilitating a "quicker response", how do we reconcile that with taking the time to identify a Metasploit that *has* been changed to be less noisy? "We found the hash, we didn't see any signs of a stock noisy Metasploit, and it would have taken too long to look for a modified Metasploit version we've never seen before, so the guy is guilty..." I think that's *exactly* the situation that Jason is complaining about...
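The kind of hash-set scan the quoted message describes, written out as an added example (this is not code from the thread or from any lab mentioned in it): it walks a tree, hashes each file, and records every match against a known-hash set together with the context an examiner needs (path, size, modification time). Each hit is labelled as an indicator requiring corroboration rather than a verdict, which is the distinction this reply is pressing. The hash set and the files in `demo()` are constructed sample data.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, known_hashes):
    """Walk `root` and return one record per file whose SHA-256 is in
    `known_hashes`. A record is a lead, not a conclusion: it carries the
    location and timestamps needed to check how the file got there."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            if digest in known_hashes:
                st = os.stat(path)
                hits.append({
                    "path": os.path.relpath(path, root),
                    "sha256": digest,
                    "size": st.st_size,
                    "mtime_utc": datetime.fromtimestamp(
                        st.st_mtime, tz=timezone.utc).isoformat(),
                    "status": "indicator; requires corroboration",
                })
    return hits


def demo():
    """Constructed sample: three files, two of which match the known set
    (the same content placed in two locations), one unrelated."""
    known_content = b"constructed sample of a known file\n"
    known = {hashlib.sha256(known_content).hexdigest()}  # constructed hash set
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Downloads"))
        with open(os.path.join(root, "Downloads", "a.bin"), "wb") as f:
            f.write(known_content)
        with open(os.path.join(root, "b.txt"), "wb") as f:
            f.write(b"unrelated content\n")
        with open(os.path.join(root, "c.bin"), "wb") as f:
            f.write(known_content)
        return scan_tree(root, known)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Matching is done on full SHA-256 digests rather than file names, so renamed copies are still found; the flip side, which the thread's argument turns on, is that a digest says nothing about who placed the file or whether the host was already compromised, so the record deliberately stores only what can later be cross-checked.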
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- RE: Re: pnp worm unknown variant - post infectionactions Madison, Marc (Aug 17)
- Re: Re: pnp worm unknown variant - post infectionactions Valdis . Kletnieks (Aug 17)
- Re: Re: pnp worm unknown variant - post infectionactions foofus (Aug 17)
- Re: Re: pnp worm unknown variant - post infectionactions Jason Coombs (Aug 17)