[Dshield] Disassembly...

John D. lists at webcrunchers.com
Thu Aug 14 19:27:03 GMT 2003

>I would be more interested in the binaries of the actual exploit. Mostly 
>I wanted to watch a system get infected/compromised live for forensic 
>purposes but my ISP is already blocking the ports related to the virus.

When ISPs start blocking ports like this, is it permanent? Or will they eventually open them again when they think the threat is over?

>Is there a way I could get a copy of any binaries associated with this 
>virus along with the disassembly? Also, if you have it, a tcpdump 
>session of the attack would be most helpful - in fact, that's really all 
>I need. I can get the binaries out of that (which is my goal, along with 
>tracing the infection/attack process).

Are you looking to find its signature? I'm told a Snort rule already exists and was posted to the list.


