|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Ryan Russell (ryan
securityfocus.com)Date: Wed Aug 01 2001 - 13:49:11 CDT
I've had someone request that I post to the list how I'm determining that
I'm seeing CRv2, and not some other variant.
First off, I'm just grabbing copies with netcat:
nc -l -p 80 > gotcha
Everytime BlackICE Defender goes off with the "Suspicious URL", I ctrl-C
the Netcat, rename gotcha to gotcha#, and then restart the netcat program
above.
Then, I do a fc:
C:\codered>fc /b gotcha6 gotcha7
Comparing files gotcha6 and gotcha7
00000CDC: 3B 4B
00000CDD: E0 00
00000CDE: 41 42
00000CE0: 00 56
00000CE1: 01 34
00000CE2: 00 12
00000CE3: 00 B8
00000D04: 9A FA
00000D05: 18 41
00000D06: 47 B0
CD4-CEC is marked as "Padding Bytes", and D02-D07 is marked as "self
modifiying code". See eEye disassembly of CRv1. As long as the version
you get doesn't vary outside of those byte ranges, it should be CRv2.
Ryan
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]