Honeypots mailing list archives
Re: sebek as a patch?
From: Edward Balas <ebalas () iu edu>
Date: Fri, 07 Oct 2005 07:18:58 -0500
Daniel J. Axtens wrote:

>> Possible, but not very practical.
>
> I thought there might be some problems with that approach :)
>
> Another approach I thought of was to hide the module the same way the adore worm is hidden - but this would still be vulnerable to pattern matching. Perhaps encryption is the way to go - the only problem then is that you need a decryptor, which is then *itself* vulnerable to pattern matching.
>
> Maybe we should look to the enemy for solutions: could polymorphic virus techniques help here?
>
> Another random (and probably useless :) idea,
> Daniel Axtens

FWIW, the original Sebek was based on Adore. Today its hiding is conceptually similar, with the addition of some packet hiding stuff.

This is starting to sound a lot like actual work, and makes me wonder if we are putting a lot of effort into mitigating a threat vs a risk ;-)

Edward
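The point Daniel raises (a signature on the module body is defeated by encrypting the body, but the decryptor that must accompany it is then just as matchable) can be shown with a toy byte-signature scanner. This is an added example, not code from the Sebek project or from anyone in this thread; the module marker string, the "decryptor stub" bytes, the single-byte XOR scheme and the sample images are all constructed for illustration.

```python
"""Added example (not from Sebek or this thread): a toy byte-signature
scanner showing that encrypting a module body only moves the detectable
pattern into the constant decryptor stub. Every blob, signature and the
XOR scheme below is constructed for illustration."""

# Constructed stand-in for an identifying string inside a module body.
MODULE_MARKER = b"sebek_hidden_module"

# Constructed stand-in for a fixed decryptor stub prepended to an
# obfuscated body. A real stub would be machine code; the point is only
# that it is the same bytes in every sample.
DECRYPTOR_STUB = b"\xde\xc0\xde\x00STUB"


def xor_obfuscate(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the simplest possible 'encryption' of a body."""
    return bytes(b ^ key for b in data)


def build_plain_image(body: bytes) -> bytes:
    """A module image with the body stored as-is."""
    return body


def build_obfuscated_image(body: bytes, key: int) -> bytes:
    """Stub + key byte + XOR'd body, so a loader could recover the body."""
    return DECRYPTOR_STUB + bytes([key]) + xor_obfuscate(body, key)


def scan(image: bytes, signatures: dict[str, bytes]) -> list[str]:
    """Pattern matching: return the names of all signatures found in image."""
    return [name for name, sig in signatures.items() if sig in image]


# Two signatures a scanner might carry: one for the body, one for the stub.
SIGNATURES = {
    "module-body": MODULE_MARKER,
    "decryptor-stub": DECRYPTOR_STUB,
}


def demo() -> dict[str, list[str]]:
    """Scan a plain and an obfuscated image; return what each one triggers."""
    body = b"\x7fELF..." + MODULE_MARKER + b"..."  # constructed body
    plain = build_plain_image(body)
    obfuscated = build_obfuscated_image(body, key=0x5A)
    return {
        "plain": scan(plain, SIGNATURES),
        "obfuscated": scan(obfuscated, SIGNATURES),
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {hits}")
```

The plain image trips the body signature and the obfuscated image trips the stub signature, which is exactly the trade Daniel describes: the body signature is gone, but the scanner only needs to carry a signature for the stub instead. That is also why the thread reaches for polymorphism, since a stub that changes per sample breaks a fixed-byte signature; the defensive counterpart is to key detection on what the module does (hooked syscalls, hidden network traffic) rather than on its bytes.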