Re: [PATCH] Replace kibuvDetection.nse with service matchline

[Brandon Enright <bmenrigh () ucsd edu>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sun, 25 May 2008 17:07:28 -0500 or thereabouts Kris Katterjohn
<katterjohn () gmail com> wrote:

> +match backdoor m|^220 (Stny|fuck)Ftpd 0wns j0\r?\n| p/Kibuv.b worm/
> i/**BACKDOOR**/ o/Windows/

Hi Kris,

Good change.  We used to have so many hundreds of these infections a
few years ago that this banner is permanently ingrained in my memory :-(

A few points which I don't think will help find more of these but I'll
put down here anyways.

* As far as I know the "fuck" variant was just a hex-edited version
that replace Stny that didn't spread anywhere close to as much as the
original.

* I'm pretty sure not all variants used the same capitalization on Stny
or Ftpd.

* This banner was so well known and well matched that later variants
would randomly replace some characters in the banner with '.' like so:

"220 S.ny.tp. ..ns .0"

* Later variants started to replace all chars with periods like so:

"220 ........ .... .."


This malware is old enough and rare enough now that it probably doesn't
matter but we might try adding a second match line after your first one
like so:

match backdoor m|^220 [Sf.][tu.][nc.][yk.][.F][t.][p.][d.] [0.][w.][n.][s.] [j.][0.]\r?\n|i p/Generic Kibuv worm/ 
i/**BACKDOOR**/ o/Windows/

Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEUEARECAAYFAkg556EACgkQqaGPzAsl94JN7QCfcaozmX/ahZuuTsneiDLGEaHI
me8Al3p3HOJeMBamX4wxXhvzrxnbzRU=
=w6rK
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org