[Emerging-Sigs] Storm Changes
Matt Jonkman
jonkman at jonkmans.com
Wed Mar 5 11:13:18 EST 2008
Correction: wasn't a key change, the old sigs were looking into the peer
hash and shouldn't have been. For some reason that stayed mostly static
till now, but has definitely changed.
I've adjusted the existing encrypted storm sigs to hit correctly. Please
report any issues!
Matt
Matt Jonkman wrote:
> Two new rules out for Storm. We have new samples that are mutating every
> time they execute. Where we had one encryption/obfuscation key for the
> last couple months, we now appear to have a new one for every execution.
>
> 2007915 and 2007916 are out. They should be reliable, but may change as
> we begin to understand more of what this thing is doing.
>
> Matt
>
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc