Nmap Development mailing list archives
[PATCH] Rustock backdoor SMTP service detection
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Thu, 19 Apr 2007 02:57:51 +0000
Developers,

Attached is a patch against the latest svn nmap-service-probes file adding detection for a new variant of Rustock that opens a backdoor SMTP service on port 25. This particular variant is rather insidious and isn't yet (according to www.virustotal.com) detected by any AV.

It produces output like so:

PORT   STATE SERVICE VERSION
25/tcp open  smtp    Rustock smtp backdoor (**BACKDOOR**)
Service Info: OS: Windows

This service doesn't provide much (unique) text to match on but it luckily responds to the Hello and Help probes. I'm fairly confident that this match will not falsely implicate any existing or future SMTP services.

I wasn't sure if it was better to add the match line under the Hello or Help probe so I arbitrarily picked Hello. The match is the same for either so it can be moved if need be. If one is better than the other for this match or if there are trade-offs/differences I'd like to hear about them (offlist?).

Please let me know if there are any questions,

Brandon

--
Brandon Enright
Network Security Analyst
UCSD ACS/Network Operations
bmenrigh () ucsd edu
Attachment: rustock.patch
Attachment: signature.asc
Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
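As an added illustration (not part of Brandon's post, and not the contents of the attached rustock.patch, whose actual match line is not reproduced on this page): a small Python harness that parses match lines in nmap-service-probes syntax, applies them to captured probe replies the way nmap's first-match-wins logic does, renders the VERSION column and Service Info the way the post's sample output shows them, and checks a candidate signature against a corpus of legitimate SMTP replies for false positives, which is the concern the post raises. The match lines, the banners and in particular the backdoor regex (a PLACEHOLDER string) are constructed assumptions; only the line format follows the real nmap-service-probes syntax.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Field letters in the versioninfo part of a match line, as used by nmap-service-probes
_FIELD_KEYS = {"p": "product", "v": "version", "i": "info", "h": "hostname", "o": "os", "d": "device"}


@dataclass
class Match:
    service: str
    regex: "re.Pattern[bytes]"
    info: Dict[str, str]


def parse_match_line(line: str) -> Match:
    """Parse 'match <service> m<d>regex<d>[is] [p/../ v/../ i/../ h/../ o/../ d/../]' (cpe: not handled)."""
    keyword, service, rest = line.split(None, 2)
    if keyword != "match" or not rest.startswith("m"):
        raise ValueError(f"not a match line: {line!r}")
    delim = rest[1]                      # nmap allows any delimiter character after 'm'
    end = rest.index(delim, 2)
    pattern, rest = rest[2:end], rest[end + 1:]
    flags = 0
    while rest and rest[0] in "is":      # optional flags right after the closing delimiter
        flags |= re.IGNORECASE if rest[0] == "i" else re.DOTALL
        rest = rest[1:]
    info: Dict[str, str] = {}
    rest = rest.strip()
    while rest:
        key, delim = _FIELD_KEYS[rest[0]], rest[1]
        end = rest.index(delim, 2)
        info[key] = rest[2:end]
        rest = rest[end + 1:].strip()
    return Match(service, re.compile(pattern.encode("latin-1"), flags), info)


def _expand(template: str, m: "re.Match[bytes]") -> str:
    # nmap substitutes $1..$9 in versioninfo fields with the corresponding capture groups
    return re.sub(r"\$(\d)", lambda g: (m.group(int(g.group(1))) or b"").decode("latin-1"), template)


def identify(response: bytes, matches: List[Match]) -> Optional[Dict[str, str]]:
    """First match line whose regex fires wins, as in nmap; file order therefore matters."""
    for mt in matches:
        m = mt.regex.search(response)
        if m:
            return {"service": mt.service, **{k: _expand(v, m) for k, v in mt.info.items()}}
    return None


def version_column(result: Dict[str, str]) -> str:
    """Render the VERSION column the way nmap prints it: product, version, then (info)."""
    text = " ".join(result[k] for k in ("product", "version") if result.get(k))
    return f"{text} ({result['info']})" if result.get("info") else text


def false_positives(candidate: Match, legitimate: Dict[str, bytes]) -> List[str]:
    """Names of legitimate replies a candidate signature would wrongly claim."""
    return [name for name, reply in legitimate.items() if candidate.regex.search(reply)]


# Constructed match lines in nmap-service-probes syntax. The last one is a stand-in for a
# backdoor signature: its regex is a placeholder, not the pattern from rustock.patch.
MATCH_LINES = [
    r"match smtp m|^220 ([-.\w]+) ESMTP Postfix| p/Postfix smtpd/ h/$1/",
    r"match smtp m|^220 .* ESMTP Sendmail ([\d.]+)/| p/Sendmail/ v/$1/",
    r"match smtp m|^250 PLACEHOLDER-BACKDOOR-HELLO-REPLY\r\n| p/Rustock smtp backdoor/ i/**BACKDOOR**/ o/Windows/",
]
MATCHES = [parse_match_line(line) for line in MATCH_LINES]

# Constructed replies to the Hello and Help probes from well-known SMTP servers: the corpus a
# new signature is checked against before it goes into the file.
LEGITIMATE_REPLIES = {
    "postfix-banner": b"220 mx1.example.org ESMTP Postfix\r\n",
    "sendmail-banner": b"220 mail.example.net ESMTP Sendmail 8.13.8/8.13.8; Thu, 19 Apr 2007 02:57:51 GMT\r\n",
    "exim-banner": b"220 relay.example.com ESMTP Exim 4.66 Thu, 19 Apr 2007 02:57:51 +0000\r\n",
    "postfix-help": b"502 5.5.2 Error: command not recognized\r\n",
    "sendmail-help": b"214-2.0.0 This is sendmail version 8.13.8\r\n214 2.0.0 End of HELP info\r\n",
}
# Constructed stand-in for the reply the candidate signature is meant to catch
SUSPECT_REPLY = b"250 PLACEHOLDER-BACKDOOR-HELLO-REPLY\r\n"

if __name__ == "__main__":
    for name, reply in {**LEGITIMATE_REPLIES, "suspect": SUSPECT_REPLY}.items():
        r = identify(reply, MATCHES)
        line = f"{name:16} -> {version_column(r) if r else '(no match)'}"
        if r and r.get("os"):
            line += f"  Service Info: OS: {r['os']}"
        print(line)
    print("false positives for candidate signature:", false_positives(MATCHES[2], LEGITIMATE_REPLIES))
```

Because nmap reports the first match line that fires, the place a new line is added under a probe matters only when an earlier line could also match the same reply; running the candidate over a corpus of real replies from common servers is the practical way to confirm, as the post does, that it does not implicate legitimate SMTP services.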
Current thread:
- [PATCH] Rustock backdoor SMTP service detection Brandon Enright (Apr 18)
- Re: [PATCH] Rustock backdoor SMTP service detection Fyodor (Apr 24)