worm design (Re: Level3 routing issues?)

E.B. Dreger eddy+public+spam at noc.everquick.net
Sat Jan 25 21:09:26 UTC 2003


MS> Date: Sat, 25 Jan 2003 10:17:01 -0800 (PST)
MS> From: Marc Slemko


MS> It is interesting to note that one inadvertent advantage of open
MS> source (when it requires people to compile from source, and pick
MS> and choose options at compile time... popular distributions with
MS> precompiled packages obviously break this to a certain degree) is
MS> that it leads to a much more heterogenous set of software WRT
MS> attacks like buffer overflows.

1. Position-relative opcodes used in shellcode
2. Syscalls triggered via a software trap, not subroutine call
3. Dynamic linking involves fixups stored in the binary
4. Activate a syscall, then check the stack to find %eip


Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist at brics.com>
To: blacklist at brics.com
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots.
Do NOT send mail to <blacklist at brics.com>, or you are likely to
be blocked.




More information about the NANOG mailing list