Security Incidents mailing list archives
Determining Version
From: Ryan Russell <ryan () securityfocus com>
Date: Wed, 1 Aug 2001 12:49:11 -0600 (MDT)
I've had someone request that I post to the list how I'm determining that I'm seeing CRv2, and not some other variant. First off, I'm just grabbing copies with netcat: nc -l -p 80 > gotcha Everytime BlackICE Defender goes off with the "Suspicious URL", I ctrl-C the Netcat, rename gotcha to gotcha#, and then restart the netcat program above. Then, I do a fc: C:\codered>fc /b gotcha6 gotcha7 Comparing files gotcha6 and gotcha7 00000CDC: 3B 4B 00000CDD: E0 00 00000CDE: 41 42 00000CE0: 00 56 00000CE1: 01 34 00000CE2: 00 12 00000CE3: 00 B8 00000D04: 9A FA 00000D05: 18 41 00000D06: 47 B0 CD4-CEC is marked as "Padding Bytes", and D02-D07 is marked as "self modifiying code". See eEye disassembly of CRv1. As long as the version you get doesn't vary outside of those byte ranges, it should be CRv2. Ryan ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Determining Version Ryan Russell (Aug 01)