Nmap Development mailing list archives

Matchline for 'Arucer' backdoor


From: Ron <ron () skullsecurity net>
Date: Mon, 8 Mar 2010 11:56:48 -0600

You might have heard the fiasco with the backdoor being deployed with batteries today:
http://www.kb.cert.org/vuls/id/154421

I wrote a matchline for it here:

##############################NEXT PROBE##############################
# Arucer backdoor
# http://www.kb.cert.org/vuls/id/154421
# Ping command (a UUID), every byte XOR'd with 0xE5
Probe TCP Arucer q|\xC2\xE5\xE5\xE5\x9E\xA0\xD7\xA4\xA6\xD0\xD5\xDD\xDC\xC8\xD6\xDD\xD7\xD5\xC8\xD1\xD6\x83\x80\xC8\xDD\xA4\xD1\xA1\xC8\xA4\xD2\xD5\xD7\xDD\xA3\xA4\xA1\xDD\xA6\xD7\xDD\x98\xE5|
rarity 8
ports 7777

# Reply is 'YES', also XOR'd with 0xE5
match arucer m|\xbc\xa0\xb6| p/Arucer backdoor/


I reverse engineered the executable (which I can provide, if necessary) to come up with that line. It's basically a 
ping -- I send it a static command (it's a UUID that requests a 'ping', basically), encoded by XOR'ing it with 0xE5. 
Its response is simply 'YES', also encoded by xor'ing with 0xE5.

I haven't written a match before, but this has one minor issue -- the service itself is finicky, so sending data OTHER 
than that probe sometimes kills it either temporarily or permanently. I'm not sure what the best way to prevent other 
matchlines from running is. 

Other than that, I think it's ready to go. Because of the timing (this was revealed this weekend), I'd like to get this 
out. 

-- 
Ron Bowes
http://www.skullsecurity.org
http://www.twitter.com/iagox86
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
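The encoding Ron describes (every byte XOR'd with 0xE5, a UUID "ping" command, a "YES" reply) is small enough to reproduce outside nmap. The script below is an added example and not part of the original post or of nmap; it takes the probe bytes and the match regex verbatim from the matchline above, decodes them, and can send the single probe to a host. Two things in it are my own reading of the bytes rather than statements from the post: the first four decoded bytes read as a little-endian length (0x27 = 39, exactly the size of the rest of the payload), which the code treats as a length prefix, and the UUID string is whatever those bytes decode to. Because the post notes that the service can die when sent anything other than this probe, the network function sends only this one payload and nothing else.

```python
import re
import socket
import sys

# From the post: every byte on the wire is XOR'd with 0xE5 (self-inverse).
XOR_KEY = 0xE5

# Probe bytes copied verbatim from the nmap matchline above.
ARUCER_PROBE = (
    b"\xC2\xE5\xE5\xE5\x9E\xA0\xD7\xA4\xA6\xD0\xD5\xDD\xDC\xC8\xD6\xDD"
    b"\xD7\xD5\xC8\xD1\xD6\x83\x80\xC8\xDD\xA4\xD1\xA1\xC8\xA4\xD2\xD5"
    b"\xD7\xDD\xA3\xA4\xA1\xDD\xA6\xD7\xDD\x98\xE5"
)

# Same pattern as the matchline: 'YES' with each byte XOR'd by 0xE5.
ARUCER_MATCH = re.compile(rb"\xbc\xa0\xb6")


def xor_e5(data: bytes) -> bytes:
    """XOR every byte with 0xE5; applying it twice returns the input."""
    return bytes(b ^ XOR_KEY for b in data)


def decode_command(raw: bytes):
    """Decode an encoded command into (length, command_string).

    Framing assumption (mine, from inspecting the probe bytes): a 4-byte
    little-endian length followed by a NUL-terminated ASCII string.
    Raises ValueError if the length prefix disagrees with the payload.
    """
    plain = xor_e5(raw)
    if len(plain) < 4:
        raise ValueError("too short for a length prefix")
    length = int.from_bytes(plain[:4], "little")
    body = plain[4:]
    if len(body) != length or not body.endswith(b"\x00"):
        raise ValueError("length prefix does not match payload")
    return length, body[:-1].decode("ascii")


def encode_command(command: str) -> bytes:
    """Inverse of decode_command: frame an ASCII command and XOR it."""
    body = command.encode("ascii") + b"\x00"
    return xor_e5(len(body).to_bytes(4, "little") + body)


def is_arucer_reply(reply: bytes) -> bool:
    """Apply the matchline's regex to a raw reply."""
    return ARUCER_MATCH.search(reply) is not None


def probe_host(host: str, port: int = 7777, timeout: float = 5.0) -> bool:
    """Send exactly the one known-safe probe and report whether the
    reply matches. Nothing else is ever sent, since the post warns that
    other data can kill the service."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(ARUCER_PROBE)
        reply = sock.recv(64)
    return is_arucer_reply(reply)


if __name__ == "__main__":
    # Offline decode of the probe, then an optional live check of a host.
    length, command = decode_command(ARUCER_PROBE)
    print(f"probe decodes to {length}-byte command: {command}")
    print(f"'YES' reply on the wire: {xor_e5(b'YES').hex()}")
    if len(sys.argv) > 1:
        print("Arucer backdoor detected" if probe_host(sys.argv[1])
              else "no match")
```

Run it with no arguments to see the decoded probe and the expected reply bytes, or with a host name to send the single probe to port 7777. The round trip (`encode_command(decode_command(ARUCER_PROBE)[1]) == ARUCER_PROBE`) is what confirms the length-prefix reading of the bytes is consistent.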

