Nmap Development mailing list archives
Re: Matchline for 'Arucer' backdoor
From: Ron <ron () skullsecurity net>
Date: Mon, 8 Mar 2010 12:24:09 -0600
I worked with David and cleaned this up a bit. I just committed it in r16950. The final line we went with is:

##############################NEXT PROBE##############################
# Arucer backdoor
# http://www.kb.cert.org/vuls/id/154421
# The probe is the UUID for the 'YES' command, which is basically a ping
# command, encoded by XORing with 0xE5 (the original string is
# "E2AC5089-3820-43fe-8A4D-A7028FAD8C28"). The response is the string
# 'YES', encoded the same way.
Probe TCP Arucer q|\xC2\xE5\xE5\xE5\x9E\xA0\xD7\xA4\xA6\xD0\xD5\xDD\xDC\xC8\xD6\xDD\xD7\xD5\xC8\xD1\xD6\x83\x80\xC8\xDD\xA4\xD1\xA1\xC8\xA4\xD2\xD5\xD7\xDD\xA3\xA4\xA1\xDD\xA6\xD7\xDD\x98\xE5|
rarity 8
ports 7777

match arucer m|^\xbc\xa0\xb6$| p/Arucer backdoor/ o/Windows/ i/**BACKDOOR**/

On Mon, 8 Mar 2010 11:56:48 -0600 Ron <ron () skullsecurity net> wrote:
> You might have heard the fiasco with the backdoor being deployed with
> batteries today:
>
> http://www.kb.cert.org/vuls/id/154421
>
> I wrote a matchline for it here:
>
> ##############################NEXT PROBE##############################
> # Arucer backdoor
> # http://www.kb.cert.org/vuls/id/154421
> Probe TCP Arucer q|\xC2\xE5\xE5\xE5\x9E\xA0\xD7\xA4\xA6\xD0\xD5\xDD\xDC\xC8\xD6\xDD\xD7\xD5\xC8\xD1\xD6\x83\x80\xC8\xDD\xA4\xD1\xA1\xC8\xA4\xD2\xD5\xD7\xDD\xA3\xA4\xA1\xDD\xA6\xD7\xDD\x98\xE5|
> rarity 8
> ports 7777
>
> match arucer m|\xbc\xa0\xb6| p/Arucer backdoor/
>
> I reverse engineered the executable (which I can provide, if necessary)
> to come up with that line. It's basically a ping -- I send it a static
> command (it's a UUID that requests a 'ping', basically), encoded by
> XORing it with 0xE5. Its response is simply 'YES', also encoded by
> XORing with 0xE5.
>
> I haven't written a match before, but this has one minor issue -- the
> service itself is finicky, so sending data OTHER than that probe
> sometimes kills it either temporarily or permanently. I'm not sure what
> the best way to prevent other matchlines from running is.
>
> Other than that, I think it's ready to go. Because of the timing (this
> was revealed this weekend), I'd like to get this out.
>
> --
> Ron Bowes
> http://www.skullsecurity.org
> http://www.twitter.com/iagox86
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/
--
Ron Bowes
http://www.skullsecurity.org
http://www.twitter.com/iagox86
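The encoding described in the thread, worked through as an added example (this is not Ron's or the Nmap project's code). XORing the committed probe bytes back with 0xE5 yields 0x27 0x00 0x00 0x00 followed by "{E2AC5089-3820-43fe-8A4D-A7028FAD8C28}" and a NUL byte; the reading of those first four bytes as a little-endian length prefix (39 = the braced UUID plus its terminator) is an inference from the bytes in the matchline, not something the post states. All function names, and the optional `probe_host` helper, are assumptions of this example.

```python
import re
import socket
import struct
from typing import Tuple

# XOR key the thread says Arucer uses for both requests and responses.
XOR_KEY = 0xE5

# The 'YES' (ping) command UUID quoted in the post.
YES_COMMAND_UUID = "E2AC5089-3820-43fe-8A4D-A7028FAD8C28"

# Probe bytes copied verbatim from the committed matchline.
ARUCER_PROBE = (
    b"\xC2\xE5\xE5\xE5\x9E\xA0\xD7\xA4\xA6\xD0\xD5\xDD\xDC\xC8\xD6\xDD\xD7\xD5"
    b"\xC8\xD1\xD6\x83\x80\xC8\xDD\xA4\xD1\xA1\xC8\xA4\xD2\xD5\xD7\xDD\xA3\xA4"
    b"\xA1\xDD\xA6\xD7\xDD\x98\xE5"
)

# The anchored response pattern from the final matchline: m|^\xbc\xa0\xb6$|
YES_RESPONSE_RE = re.compile(rb"^\xbc\xa0\xb6$")


def xor_e5(data: bytes) -> bytes:
    """XOR every byte with 0xE5. The operation is its own inverse, so the
    same call both encodes a command and decodes a response."""
    return bytes(b ^ XOR_KEY for b in data)


def decode_probe(probe: bytes) -> Tuple[int, bytes]:
    """Undo the XOR and split off the 4-byte little-endian length prefix.

    The prefix/NUL layout is inferred from decoding the matchline's probe
    bytes (0x27 0x00 0x00 0x00 = 39 = len('{UUID}') + 1); the post itself
    only says the probe is the XOR-encoded UUID.
    """
    plain = xor_e5(probe)
    (length,) = struct.unpack("<I", plain[:4])
    return length, plain[4:]


def build_probe(command_uuid: str) -> bytes:
    """Rebuild a probe under the inferred layout: LE32 length, then the
    braced UUID plus a NUL terminator, everything XORed with 0xE5.
    For the 'YES' UUID this reproduces ARUCER_PROBE byte for byte."""
    payload = ("{" + command_uuid + "}").encode("ascii") + b"\x00"
    return xor_e5(struct.pack("<I", len(payload)) + payload)


def is_yes_response(response: bytes) -> bool:
    """True only for exactly the encoded 'YES', as the anchored match
    requires; trailing bytes (e.g. a NUL) make it a non-match."""
    return YES_RESPONSE_RE.match(response) is not None


def probe_host(host: str, port: int = 7777, timeout: float = 5.0) -> bool:
    """Send the known-good probe and check for the encoded 'YES'.

    Hypothetical helper: it sends only ARUCER_PROBE, since the thread warns
    that other data can knock the service over. Network-only, not exercised
    by the offline checks below.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(ARUCER_PROBE)
        response = sock.recv(16)
    return is_yes_response(response)


if __name__ == "__main__":
    length, body = decode_probe(ARUCER_PROBE)
    print("length prefix:", length, "body:", body)
    print("rebuilt probe matches matchline:",
          build_probe(YES_COMMAND_UUID) == ARUCER_PROBE)
    print("encoded YES:", xor_e5(b"YES"))
```

Running the block offline shows the probe decoding to a 39-byte payload and `xor_e5(b"YES")` producing `\xbc\xa0\xb6`, the three bytes the matchline looks for; the anchored regex mirrors the `^...$` that the committed version added over the first draft.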