|
Written by Matt Jonkman
|
|
Wednesday, 05 March 2008 |
|
Two new rules out for Storm. We have new samples that are mutating every time they execute. Where we had one encryption/obfuscation key for the last couple months, we now appear to have a new one for every execution. UPDATE: Doesn't appear to be a new key. The old sigs which had worked for about 3 months were looking at the first 4 bytes, which includes part of the peer id hash. For some reason that held static but is no longer. The existing encrypted storm sigs have been adjusted and should be more accurate. Please report any issues: http://doc.emergingthreats.net/2007701 http://doc.emergingthreats.net/2007702
Matt
|
|
Last Updated ( Wednesday, 05 March 2008 )
|
