Honeypots mailing list archives

Re: sebek as a patch?


From: Edward Balas <ebalas () iu edu>
Date: Fri, 07 Oct 2005 07:18:58 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Daniel J. Axtens wrote:

>> Possible, but not very practical.
>
> I thought there might be some problems with that approach :)
>
> Another approach I thought of was to hide the module the same way the
> adore worm is hidden - but this would still be vulnerable to pattern
> matching. Perhaps encryption is the way to go - the only problem then
> is that you need a decryptor, which is then *itself* vulnerable to
> pattern matching.
>
> Maybe we should look to the enemy for solutions: could polymorphic
> virus techniques help here?
>
> Another random (and probably useless :) idea,
> Daniel Axtens

FWIW, the original Sebek was based on Adore.  Today its hiding is conceptually
similar, with the addition of some packet hiding stuff.

This is starting to sound a lot like actual work, and makes me wonder if we are
putting a lot of effort into mitigating a threat vs a risk ;-)

Edward



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFDRmeylKB5oSzVKwoRAr0PAJwMIVPBbQZOONO8smFFYbw6BCYPswCfSHsF
zZu6d323XURE+4c8OtOHQ+E=
=ClCX
-----END PGP SIGNATURE-----
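The trade-off Daniel raises above (an encrypted module body evades a byte signature, but the decoder that has to sit in front of it is itself a constant byte pattern) can be shown in a few lines of userland C. This is an added example, not code from the thread, from Sebek or from Adore: the "module body", the "decoder stub" bytes and the signatures are constructed placeholders, and the "encryption" is a single-byte XOR so the effect is easy to follow.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a module body (NOT Sebek or Adore code).
   A pattern matcher would fingerprint some run of bytes like this. */
static const uint8_t kBody[] = "hide_module_from_list_then_hide_packets";
#define BODY_LEN (sizeof(kBody) - 1)

/* Constructed signature a scanner might carry: the first 8 body bytes. */
static const uint8_t kBodySig[] = "hide_mod";
#define BODY_SIG_LEN (sizeof(kBodySig) - 1)

/* Constructed decoder stub: the constant bytes every encrypted image must
   carry so the body can be recovered at load time. Assumed values. */
static const uint8_t kStub[] = { 0x48, 0x31, 0xc0, 0x48, 0x31, 0xdb,
                                 0x30, 0x18, 0x48, 0xff, 0xc3, 0xeb };
#define STUB_LEN sizeof(kStub)

/* Naive signature scanner: 1 if `sig` occurs anywhere in `buf`, else 0. */
int sig_match(const uint8_t *buf, size_t n, const uint8_t *sig, size_t m) {
    if (m == 0 || m > n) return 0;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, sig, m) == 0) return 1;
    return 0;
}

/* Image layout: [stub][body XOR key]. Returns bytes written, 0 on overflow.
   key == 0 leaves the body in the clear. */
size_t build_image(uint8_t *out, size_t cap, uint8_t key) {
    if (cap < STUB_LEN + BODY_LEN) return 0;
    memcpy(out, kStub, STUB_LEN);
    for (size_t i = 0; i < BODY_LEN; i++)
        out[STUB_LEN + i] = kBody[i] ^ key;
    return STUB_LEN + BODY_LEN;
}

/* What the stub would do at load time: undo the XOR. 1 if the body is
   recovered exactly. */
int decode_roundtrip(uint8_t key) {
    uint8_t img[128], body[64];
    size_t n = build_image(img, sizeof img, key);
    if (n == 0) return 0;
    for (size_t i = 0; i < BODY_LEN; i++) body[i] = img[STUB_LEN + i] ^ key;
    return memcmp(body, kBody, BODY_LEN) == 0;
}

/* Unhidden module: the body signature fires. */
int plain_body_detected(void) {
    return sig_match(kBody, BODY_LEN, kBodySig, BODY_SIG_LEN);
}

/* Encrypted image: does the body signature still fire? */
int encoded_body_detected(uint8_t key) {
    uint8_t img[128];
    size_t n = build_image(img, sizeof img, key);
    return sig_match(img, n, kBodySig, BODY_SIG_LEN);
}

/* Encrypted image: does a signature written against the stub fire?
   The stub does not change with the key, so this is the weak point. */
int encoded_stub_detected(uint8_t key) {
    uint8_t img[128];
    size_t n = build_image(img, sizeof img, key);
    return sig_match(img, n, kStub, STUB_LEN);
}

int main(void) {
    printf("plain body detected:          %d\n", plain_body_detected());
    printf("encoded body detected (0x5a): %d\n", encoded_body_detected(0x5a));
    printf("encoded stub detected (0x5a): %d\n", encoded_stub_detected(0x5a));
    printf("decode roundtrip ok (0x5a):   %d\n", decode_roundtrip(0x5a));
    return 0;
}
```

Run it and the first scan fires, the second does not (the XORed body bytes fall outside the ASCII range of the signature), and the third fires again because the stub is identical for every key. Polymorphic engines attack exactly that third result by varying the stub per instance, which pushes a defender from byte matching toward behavioural checks such as walking the module list or comparing kernel text against a known-good copy.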