Nmap Script To Look For Arugizer
@ 2010-03-08 16:50:50
Filed under: Code Tech Security
After seeing this fun that is Energizer exploiting their users' systems, I decided to try writing an Nmap script to detect an infection. I wasn't able to test it as I don't have an infected system. If you have access to an infected system, give it a shot and let me know (I'm ashcrow on Twitter and Identi.ca). Patches welcome, of course! I had to use binary data files as I couldn't quickly find a good way to move from hex to binary data.
Note: A match line has already been committed to Nmap. See this post by SkullSecurity for information on how to update.
Files:
Script: http://www.stevemilner.org/images/arugizer.nse
Binary Send Data: http://www.stevemilner.org/images/arugizer_ping.data
Binary Response Data: http://www.stevemilner.org/images/arugizer_yes.data
The data files need to be placed in /usr/share/nmap/nselib/data/, or wherever your nselib data directory is; the script locates them with nmap.fetchfile('nselib/data/...'), so the path below nselib/ must match.
description = [[
Checks systems for Arugizer, the Energizer bunny trojan, by sending the
XOR-encoded GUID "ping" to TCP port 7777 and looking for the encoded "YES".
]]
---
-- @usage
-- nmap --script arugizer.nse -p 7777 <target>
-- @output
-- PORT     STATE SERVICE
-- 7777/tcp open  cbt
-- |_arugizer: Infected
author = "Steve Milner"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"default", "safe", "discovery"}
require("nmap")
-- Load a binary data file from nselib/data. nmap.fetchfile returns nil when
-- the file is missing, which io.open would turn into a confusing error, so
-- check it first and name the missing file.
local function load_data(name)
  local path = nmap.fetchfile("nselib/data/" .. name)
  assert(path, "arugizer: could not find nselib/data/" .. name)
  local f = assert(io.open(path, "rb"))
  local data = f:read("*all")
  f:close()
  return data
end
-- File that holds the following as found by ron@skullsecurity.net
-- (4-byte length prefix, then the GUID and its NUL terminator, every byte XORed with 0xE5)
-- Hex: \xC2\xE5\xE5\xE5\x9E\xA0\xD7\xA4\xA6\xD0\xD5\xDD\xDC\xC8\xD6\xDD\xD7\xD5\xC8\xD1\xD6\x83\x80\xC8\xDD\xA4\xD1\xA1\xC8\xA4\xD2\xD5\xD7\xDD\xA3\xA4\xA1\xDD\xA6\xD7\xDD\x98\xE5
-- ASCII: {E2AC5089-3820-43fe-8A4D-A7028FAD8C28}
local ping = load_data("arugizer_ping.data")
-- File that holds the following as found by ron@skullsecurity.net
-- Hex: \xbc\xa0\xb6
-- ASCII: YES
local yes = load_data("arugizer_yes.data")
--- Rule to decide if the action should take place.
-- We only trigger if TCP port 7777 is open.
-- @param host The host table from nmap.
-- @param port The port info from nmap.
portrule = function(host, port)
  return port.state == "open" and
         port.protocol == "tcp" and
         port.number == 7777
end
--- Takes action if the port rule is triggered.
-- Checks if port 7777 responds to the known string.
-- @param host The host table from nmap.
-- @param port The port info from nmap.
action = function(host, port)
  local socket = nmap.new_socket()
  socket:set_timeout(1000)
  -- Connect and send failures are reported as nil (no output) rather than
  -- letting the script error out.
  local status = socket:connect(host.ip, port.number)
  if not status then
    return nil
  end
  status = socket:send(ping)
  if not status then
    socket:close()
    return nil
  end
  local response
  status, response = socket:receive()
  socket:close()
  -- On timeout or error, response holds an error string, not data; treat the
  -- absence of the encoded "YES" as not infected.
  if not status then
    return "Seems OK ..."
  end
  -- Lua strings are 1-indexed; only the first three bytes are compared.
  if string.sub(response, 1, 3) == yes then
    return "Infected"
  end
  return "Seems OK ..."
end
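As an added example (not part of the original post or of the Nmap script above), here is the same probe-and-response check in Python. It also shows how to derive the binary data from the ASCII strings instead of shipping data files: the bytes in the script's comments are the GUID plus its NUL terminator, prefixed with a 4-byte little-endian length (39 = 0x27) and with every byte XORed with 0xE5, and "YES" encoded the same way gives \xbc\xa0\xb6. The FakeArucer class is a constructed lab stand-in so the exchange can be run offline; it is not the real service, and what it does with a non-matching probe is an assumption, not observed behaviour.

```python
import socket
import socketserver
import struct
import threading

XOR_KEY = 0xE5  # every byte of the request and response is XORed with this
PING_GUID = b"{E2AC5089-3820-43fe-8A4D-A7028FAD8C28}"
# Encoded request bytes as listed in the Nmap script's comments (from skullsecurity.net).
PING_HEX = ("c2e5e5e5"
            "9ea0d7a4a6d0d5dddcc8d6ddd7d5c8d1d6"
            "8380c8dda4d1a1c8a4d2d5d7dda3a4a1dda6d7dd98e5")
PING_ENCODED = bytes.fromhex(PING_HEX)
YES_HEX = "bca0b6"  # encoded "YES", also from the script's comments


def xor_e5(data: bytes) -> bytes:
    """XOR with 0xE5 is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ XOR_KEY for b in data)


def build_probe(guid: bytes = PING_GUID) -> bytes:
    """4-byte little-endian length of (guid + NUL), then the string, all XORed."""
    payload = guid + b"\x00"
    return xor_e5(struct.pack("<I", len(payload)) + payload)


def decode_probe(blob: bytes):
    """Reverse of build_probe: returns (declared length, GUID without the NUL)."""
    raw = xor_e5(blob)
    (length,) = struct.unpack("<I", raw[:4])
    body = raw[4:4 + length]
    return length, body.rstrip(b"\x00")


def classify_response(data):
    """Same decision as the NSE script: only the first three bytes matter."""
    if data is None:
        return "No response"
    if data[:3] == xor_e5(b"YES"):
        return "Infected"
    return "Seems OK ..."


def probe_host(host: str, port: int = 7777, timeout: float = 1.0) -> str:
    """Connect, send the encoded GUID, classify whatever comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_probe())
            data = s.recv(64)
    except OSError:
        return "No response"
    return classify_response(data)


class FakeArucer(socketserver.BaseRequestHandler):
    """Constructed lab stand-in, not the real service: answers the exact
    encoded GUID with encoded YES and (assumed) closes silently otherwise."""

    def handle(self):
        if self.request.recv(64) == PING_ENCODED:
            self.request.sendall(xor_e5(b"YES"))


def run_local_demo() -> str:
    """Start the stand-in on an ephemeral loopback port and probe it."""
    with socketserver.TCPServer(("127.0.0.1", 0), FakeArucer) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            return probe_host("127.0.0.1", srv.server_address[1])
        finally:
            srv.shutdown()


if __name__ == "__main__":
    assert build_probe() == PING_ENCODED  # derived bytes match the published hex
    print(run_local_demo())  # Infected
```

Because the check only compares the first three bytes, a short read is fine, but an unrelated service listening on 7777 that never speaks first will simply time out, which the Nmap match line handles in the same way. Against a real host run probe_host() directly; the stand-in exists only so the encoding and the comparison can be verified without an infected machine.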

