Security Incidents mailing list archives

Re: What if CodeRed encoded its HTTP requests?


From: Jose Nazario <jose () biocserver BIOC cwru edu>
Date: Mon, 20 Aug 2001 11:39:40 -0400 (EDT)

On Mon, 20 Aug 2001, Nuno Mendes wrote:

I was just checking how many CodeRed I and II attempts I had on my
Linux based Apache server, and figuring out what if a new version of
the worm encoded 'default.ida' in hexadecimal? Or even the data that
causes the buffer overflow?

check out whisker and ADMmutate, both of which use encoding to obfuscate
the strings they send. they help kill signature based IDS work. and more
than hex, unicode, with even more possibilities.

http://www.wiretrip.net/rfp/
http://ktwo.ca/

____________________________
jose nazario                                                 jose () cwru edu
                     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
                                       PGP key ID 0xFD37F4E5 (pgp.mit.edu)


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
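As an added illustration of the detection side of this thread (example code, not from the thread or its authors): a small request-path normalizer that decodes %XX percent-encoding, the IIS-style %uXXXX form and overlong 2-byte UTF-8 before matching a signature, run over constructed sample paths to show what a byte-exact signature misses.

```python
import re

# CodeRed's request path, as named in the thread; the signature is matched
# against a canonical form of the path, not the raw bytes on the wire.
SIGNATURE = b"default.ida"

def decode_once(s: bytes) -> bytes:
    """One pass of %XX and %uXXXX decoding; malformed escapes are left as-is."""
    out, i = bytearray(), 0
    while i < len(s):
        if s[i:i + 1] == b"%":
            m = re.match(rb"%u([0-9a-fA-F]{4})", s[i:i + 6])
            if m:
                out += chr(int(m.group(1), 16)).encode("utf-8", "replace")
                i += 6
                continue
            m = re.match(rb"%([0-9a-fA-F]{2})", s[i:i + 3])
            if m:
                out.append(int(m.group(1), 16))
                i += 3
                continue
        out.append(s[i])
        i += 1
    return bytes(out)

def fold_overlong(s: bytes) -> bytes:
    """Map 2-byte overlong UTF-8 forms of ASCII (e.g. C1 A4 for 'd') back to ASCII."""
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] in (0xC0, 0xC1) and i + 1 < len(s) and 0x80 <= s[i + 1] <= 0xBF:
            out.append(((s[i] & 0x1F) << 6) | (s[i + 1] & 0x3F))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return bytes(out)

def normalize_path(raw: bytes, max_rounds: int = 3) -> bytes:
    """Canonicalise a path: repeated decoding (catches double encoding),
    overlong-UTF-8 folding, then case folding."""
    cur = raw
    for _ in range(max_rounds):
        nxt = decode_once(cur)
        if nxt == cur:
            break
        cur = nxt
    return fold_overlong(cur).decode("utf-8", "replace").lower().encode()

def naive_match(raw: bytes) -> bool:
    return SIGNATURE in raw              # what a byte-exact signature sees

def normalized_match(raw: bytes) -> bool:
    return SIGNATURE in normalize_path(raw)

# Constructed sample paths: the plain form and encoded variants of it.
SAMPLES = [b"/default.ida?XXXX", b"/%64%65%66%61%75%6c%74.ida",
           b"/%u0064efault.ida", b"/%2564efault.ida", b"/%c1%a4efault.IDA"]
```

Only the first sample is caught by the byte-exact check; all five are caught after normalization, which is why an IDS has to canonicalise before it compares.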

