Security Incidents mailing list archives

A suggestion to Concept/Nimda analysts


From: Stuart Staniford <stuart () silicondefense com>
Date: Tue, 18 Sep 2001 11:04:31 -0700


Given the timing of the launch of this thing (almost exactly a week after
the WTC attack), it seems important to understand the payload as quickly as
possible.  I suggest looking for time-based switches in the code.  If it
were to have some damage mode, it might well spread for a while and then
switch to causing some other kind of damage.  So looking at the code right
after a call to get the system time might be very valuable.

Stuart.

-- 
Stuart Staniford     ---     President     ---     Silicon Defense
         ** Silicon Defense: Technical Support for Snort **
mailto:stuart () silicondefense com  http://www.silicondefense.com/
(707) 445-4355 x 16                           (707) 445-4222 (FAX)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
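One practical way to act on the suggestion above is a static triage pass that locates references to time-returning APIs inside a suspect binary before opening it in a disassembler. The script below is an added example for this archive page, not code from the original post or from Silicon Defense. It assumes a Windows PE sample, where imported function names are stored as NUL-terminated ASCII strings in the hint/name table, and it scans for a short list of Win32 and C-runtime time functions. The sample bytes at the bottom are constructed to imitate a fragment of such a table; the `TIME_APIS` list and the `triage` helper are this example's own names.

```python
"""Triage helper: find references to system-time APIs in a Windows binary.

Each hit is an import name the binary can resolve at load time. An analyst
then cross-references that import in a disassembler to reach the code that
runs right after the call, which is where a date-based trigger would live.
"""
import re
import sys
from typing import Dict, List, Tuple

# Win32 and C-runtime functions that return the current date/time.
# A binary importing any of these is a candidate for a time-triggered payload.
TIME_APIS = (
    "GetSystemTime",
    "GetLocalTime",
    "GetSystemTimeAsFileTime",
    "GetTickCount",
    "NtQuerySystemTime",
    "time",
    "_time64",
    "localtime",
    "_localtime64",
)

# Import names live in the PE hint/name table as NUL-terminated ASCII, so the
# pattern requires a NUL right after the name and no identifier character just
# before it. That keeps a bare "time" from matching inside "timeout_handler".
_PATTERN = re.compile(
    rb"(?<![A-Za-z0-9_])("
    + b"|".join(re.escape(name.encode("ascii")) for name in TIME_APIS)
    + rb")\x00"
)


def find_time_api_refs(data: bytes) -> Dict[str, List[int]]:
    """Return {api_name: [byte offsets]} for every time API name in data."""
    hits: Dict[str, List[int]] = {}
    for match in _PATTERN.finditer(data):
        name = match.group(1).decode("ascii")
        hits.setdefault(name, []).append(match.start(1))
    return hits


def triage(data: bytes) -> List[str]:
    """Report lines sorted by offset, ready to paste into an analysis worklist."""
    pairs: List[Tuple[int, str]] = [
        (offset, name)
        for name, offsets in find_time_api_refs(data).items()
        for offset in offsets
    ]
    return [f"0x{offset:08x}  {name}" for offset, name in sorted(pairs)]


# Constructed stand-in for a slice of a PE hint/name table: each entry is a
# 2-byte hint followed by the NUL-terminated function name. Only two of the
# four names are time APIs; "timeout_handler" is a deliberate near-miss.
SAMPLE = (
    b"\x00\x00" + b"CreateFileA\x00"
    + b"\x00\x00" + b"GetSystemTime\x00"
    + b"\x00\x00" + b"timeout_handler\x00"
    + b"\x00\x00" + b"_time64\x00"
    + b"MZ padding"
)


if __name__ == "__main__":
    # Usage: python triage_time_apis.py [path-to-binary]
    # With no argument the constructed SAMPLE is scanned instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = SAMPLE
    for line in triage(blob):
        print(line)
```

The scan only tells you which time APIs the sample can call, not where it calls them; the offsets point at the import table entry, and the next step is to follow that import's cross-references in a disassembler or to set a breakpoint on it in a sandbox and inspect the comparison that follows. Because the regex anchors on the trailing NUL, it also works on a raw memory dump of the unpacked process, which matters for packed samples where the on-disk import table is empty.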
