Snort mailing list archives

RE: A new variation of CodeRed???????????

From: Neil Dickey <neil () geol niu edu>
Date: Thu, 16 Aug 2001 15:08:46 -0500 (CDT)


"John Davey" <john () davey net au> wrote in response to me:

What you forwarded looks just like what I've been
calling CodeRedII.


Nope. It's different. 
Look at offset 0f0 & 1b0 and you will see some obvious
differences in the payload.


Then Ryan Russell <ryan () securityfocus com> wrote:

CRv1 and CRv2 have portions in them that are variable (self-modifying
code, for example.)  If you exclude those small address ranges from the
sum, it will work.  Every copy of CodeRed II is identical.


Which leads me to ask ( I genuinely don't know .... ) how
significant the differences John pointed out actually are.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

A new variation of CodeRed??????????? John Davey (Aug 16)
- <Possible follow-ups>
- Re: A new variation of CodeRed??????????? Neil Dickey (Aug 16)
  - RE: A new variation of CodeRed??????????? John Davey (Aug 16)
    - MD5 sums for each CodeRed version (was "A new variation of CodeRed???????????") Stephen W. Thompson (Aug 16)
- RE: A new variation of CodeRed??????????? Neil Dickey (Aug 16)