Filed under: Malware, Nmap, Reverse Engineering
Now that we know what we need to send and receive, and how it's encoded, let's generate the actual packet. Then, once we're sure it's working, we'll convert it into an Nmap probe! In most of this section, I assume you're running Linux, Mac, or some other operating system with a built-in compiler and useful [...]
Read MoreFiled under: Malware, Nmap, Reverse Engineering
In Part 2: runtime analysis, we discovered some important addresses in the Energizer Trojan -- specifically, the addresses that make the call to recv() data. Be sure to read that section before reading this one. Now that we have some starting addresses, we can move on to a disassembler and look at what the code's [...]
Read MoreFiled under: Malware, Nmap, Reverse Engineering
In Part 1: setup, we infected the system with the Trojan. It should still be running on the victim machine. If you haven't read that section, I strongly recommend you go back and read it. Now that we've infected a test machine, the goal of this step is to experiment a little with the debugger [...]
Read MoreFiled under: Malware, Nmap, Reverse Engineering
Hey all, As most of you know, a Trojan was recently discovered in the software for Energizer's USB battery charger. Following its release, I wrote an Nmap probe to detect the Trojan and HDMoore wrote a Metasploit module to exploit it. I mentioned in my last post that it was a nice sample to study [...]
Read MoreHey, I don't usually write two posts in one day, but today is a special occasion! I was reading my news feeds (well, my co-op student (ie, intern) was -- I was doing paperwork), and noticed a story about a remote backdoor being included with the Energizer UsbCharger software. Too funny!
Read MoreFiled under: Malware, Nmap, Tools
Greetings! I found this excellent writeup of a Web-server botnet on Slashdot this weekend. Since it sounded like just the thing for Nmap to detect, I wrote a quick script!
Read MoreHi everybody, With the help of Symantec's Security Intelligence Analysis Team, I've put together a script that'll detect Conficker (.C and up) based on its peer to peer ports. The script is called p2p-conficker.nse, and automatically runs against any Windows system when scripts are being used: nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns \ --script-args=safe=1 -T4 -p445 <host> or [...]
Read MoreFiled under: Malware, NetBIOS/SMB
Morning, all! Last night Fyodor and crew rolled out Nmap 4.85beta7. This was because some folks from the Honeynet Project discovered a false negative (showed no infection where an infection was present), which was then confirmed by Tenable. We decided to be on the safe side, and updated our checks. 4.85 also contains several bugfixes [...]
Read MoreFiled under: Malware, NetBIOS/SMB
Using Nmap to scan for the famous Conficker worm.
Read More