Snort mailing list archives

Adobe's Ducky


From: Adam Shephard <sfnative33 () yahoo com>
Date: Thu, 27 Mar 2003 05:36:48 -0800 (PST)

Hi all,

I'm seeing a number of alerts tagged as "SHELLCODE x86
inc ebx NOOP". Although they are all from and to
different IPs, all of them include "Ducky" and "Adobe"
in them.

In googling for Adobe, Ducky & shellcode, I found a
Sourceforge post from last year identifying that
signature as being hooked to JFIF files. Don't know if
that's accurate or not.

I suppose I could just create an AG and send all the
Ducky stuff there, then ignore that AG. Is there
something more, um, intelligent I should be doing?

Thanks,

Adam




