Honeypots mailing list archives
Re: sebek as a patch?
From: "Daniel J. Axtens" <danielax () gmail com>
Date: Fri, 7 Oct 2005 19:25:42 +0800
Possible, but not very practical.
I thought there might be some problems with that approach :) Another approach I thought of was to hide the module the same way the adore worm is hidden - but this would still be vulnerable to pattern matching. Perhaps encryption is the way to go - the only problem then is that you need a decryptor, which is then *itself* vulnerable to pattern matching. Maybe we should look to the enemy for solutions: could polymorphic virus techniques help here?

Another random (and probably useless :) idea,
Daniel Axtens