Nmap Development mailing list archives
Re: Latest dist v5.2
From: Fyodor <fyodor () insecure org>
Date: Wed, 27 Jan 2010 16:16:11 -0800
On Wed, Jan 27, 2010 at 05:51:02PM -0600, Ron wrote:
> Hey, sorry I missed this earlier. I only read part of the email (*facepalm*). I just experimented with replacing the first byte (the 'M') with something else, and that passed virustotal.com with 0 hits. Pre-pending a NULL-byte to the .exe also works (as I'm sure you know, because somebody else already checked earlier today :) ). Anybody want to make a call on which to use? Or both? Or should we go with the "include it separately" idea after all?

Hi Ron. I'm worried about doing another very light obfuscation, since that backfired on us last time. Even if it doesn't trigger an alert now, it might in the future if some malware coincidentally uses the same technique. So I'd suggest either:

1) The "nuke it from orbit" approach, where we just use OpenSSL to encrypt the whole @#$#@ file with some symmetric algorithm and a fixed key. This would require that the user have an OpenSSL-enabled Nmap to use it, but I imagine that the vast majority of Nmap installs have OpenSSL these days. Or I suppose we could do a double-obfuscation of prepending a NUL *and* doing a word-width XOR or a stream XOR against a generated sequence. We might want to remove the .exe extension too.

2) Or we could just ask the user to download the file from some fixed URL when they try to use psexec (like Ron has suggested). I'm happy to host it at http://nmap.org/psexec/nmap_service.exe or wherever.

Cheers,
-F
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
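
The concern about very light obfuscation, shown from the scanner's side as an added example that is not part of the original thread or of Nmap: a PE file is still recognisable from its internal header layout after its first byte is changed or a NUL is prepended. The function names and the sample bytes are constructed for illustration.

```python
import struct

E_LFANEW = 0x3C      # offset of the pointer to the PE header inside the DOS header
DOS_HDR_LEN = 0x40   # size of the DOS header


def pe_header_at(data: bytes, base: int) -> bool:
    """True if a DOS header starting at `base` points at a 'PE\\0\\0' signature.

    The two magic bytes at `base` are deliberately not checked.
    """
    if len(data) < base + DOS_HDR_LEN:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, base + E_LFANEW)
    pe_off = base + e_lfanew
    return e_lfanew >= DOS_HDR_LEN and data[pe_off:pe_off + 4] == b"PE\0\0"


def classify(data: bytes) -> str:
    """Label a buffer by how its PE structure is exposed."""
    if data[:2] == b"MZ" and pe_header_at(data, 0):
        return "plain PE"
    if pe_header_at(data, 0):
        return "PE with altered magic"
    if data[:1] == b"\0" and data[1:3] == b"MZ" and pe_header_at(data, 1):
        return "PE with prepended NUL"
    return "not recognised"


def make_sample() -> bytes:
    """Constructed minimal stub: DOS header, padding, PE signature, zeroed COFF header."""
    dos = bytearray(DOS_HDR_LEN)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW, 0x80)
    return bytes(dos) + bytes(0x40) + b"PE\0\0" + bytes(20)


if __name__ == "__main__":
    sample = make_sample()
    for label, buf in [("original", sample),
                       ("first byte replaced", b"X" + sample[1:]),
                       ("NUL prepended", b"\0" + sample)]:
        print(f"{label:20s} -> {classify(buf)}")
```
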