Developers,
Attached is a patch against the latest svn nmap-service-probes file adding
detection for a new variant of Rustock that opens a backdoor SMTP service
on port 25. This particular variant is rather insidious and isn't yet
(according to www.virustotal.com) detected by any AV.
It produces output like so:
PORT   STATE SERVICE VERSION
25/tcp open  smtp    Rustock smtp backdoor (**BACKDOOR**)
Service Info: OS: Windows
This service doesn't provide much (unique) text to match on but it luckily
responds to the Hello and Help probes. I'm fairly confident that this
match will not falsely implicate any existing or future SMTP services.
I wasn't sure if it was better to add the match line under the Hello or
Help probe so I arbitrarily picked Hello. The match is the same for either
so it can be moved if need be. If one is better than the other for this
match or if there are trade-offs/differences I'd like to hear about them
(offlist?).
Please let me know if there are any questions,
Brandon
--
Brandon Enright
Network Security Analyst
UCSD ACS/Network Operations
bmenrigh_at_ucsd.edu
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Received on Apr 18 2007
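An added illustration, not part of Brandon's patch or of Nmap's own code, of why the choice between the Hello and Help sections matters: in nmap-service-probes a match line is only tried against responses elicited by the Probe it sits under, so the same regex placed under Hello never sees the reply to Help (and vice versa). The snippet below is a deliberately small reader for the Probe/match syntax; the "Hypothetical smtp backdoor" signature and the three banners are constructed placeholders, not the Rustock signature from the patch, and the real file's fallback directive and implicit NULL-probe fallback are not modelled.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt in nmap-service-probes syntax. The two Probe lines mirror
# the real Hello and Help probes; every match line here is an assumed placeholder.
PROBES_TEXT = r"""
Probe TCP Hello q|EHLO\r\n|
match smtp m|^220 ([\w.-]+) ESMTP Postfix| p/Postfix smtpd/ h/$1/
match smtp m|^220 hypothetical-backdoor ready\r\n250 HELP\r\n| p/Hypothetical smtp backdoor/ i/**BACKDOOR**/ o/Windows/

Probe TCP Help q|HELP\r\n|
match smtp m|^214-This is Sendmail| p/Sendmail smtpd/
"""

@dataclass
class Match:
    service: str
    regex: re.Pattern
    info: dict            # version-info fields: p/ v/ i/ h/ o/ d/

@dataclass
class Probe:
    name: str
    query: str            # bytes sent to the service, escapes decoded
    matches: list = field(default_factory=list)

_PROBE_RE = re.compile(r'^Probe\s+(TCP|UDP)\s+(\S+)\s+q(.)(.*)\3\s*$')
_MATCH_RE = re.compile(r'^(soft)?match\s+(\S+)\s+m(.)(.*?)\3([is]*)\s*(.*)$')
_FIELD_RE = re.compile(r'\b([pvihod])/((?:[^/\\]|\\.)*)/')

def parse_probes(text: str) -> dict:
    """Group match lines under the Probe section they appear in."""
    probes, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _PROBE_RE.match(line)
        if m:
            query = m.group(4).encode().decode('unicode_escape')
            current = Probe(m.group(2), query)
            probes[current.name] = current
            continue
        m = _MATCH_RE.match(line)
        if m and current is not None:
            flags = 0
            if 'i' in m.group(5):
                flags |= re.IGNORECASE
            if 's' in m.group(5):
                flags |= re.DOTALL
            info = dict(_FIELD_RE.findall(m.group(6)))
            current.matches.append(Match(m.group(2), re.compile(m.group(4), flags), info))
    return probes

def identify(probes: dict, probe_name: str, response: str) -> Optional[dict]:
    """Try only the match lines under the probe that elicited this response.
    Returns the first match's version info with $N references filled in,
    or None when nothing under that probe matches."""
    for entry in probes[probe_name].matches:
        m = entry.regex.search(response)
        if m:
            result = {'service': entry.service}
            for key, value in entry.info.items():
                result[key] = re.sub(r'\$(\d+)', lambda g: m.group(int(g.group(1))), value)
            return result
    return None

# Constructed banners, as a scanner would see them after sending each probe.
HELLO_RESPONSE_BACKDOOR = "220 hypothetical-backdoor ready\r\n250 HELP\r\n"
HELLO_RESPONSE_POSTFIX = "220 mail.example.org ESMTP Postfix\r\n"
HELP_RESPONSE_SENDMAIL = "214-This is Sendmail version 8.15\r\n"

def demo() -> dict:
    probes = parse_probes(PROBES_TEXT)
    return {
        'backdoor_via_hello': identify(probes, 'Hello', HELLO_RESPONSE_BACKDOOR),
        # Same banner, but checked as a reply to Help: the Hello-section line
        # is never consulted, so the service goes unidentified here.
        'backdoor_via_help': identify(probes, 'Help', HELLO_RESPONSE_BACKDOOR),
        'postfix_via_hello': identify(probes, 'Hello', HELLO_RESPONSE_POSTFIX),
        'sendmail_via_help': identify(probes, 'Help', HELP_RESPONSE_SENDMAIL),
    }

if __name__ == '__main__':
    for name, hit in demo().items():
        print(name, hit)
```

The practical consequence for a submission like this one: the match line belongs under whichever probe actually elicits the distinctive banner during a normal version scan, and a line duplicated under both sections costs little while a line under the wrong section never fires.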