Nmap Development mailing list archives

Re: Latest dist v5.2


From: Fyodor <fyodor () insecure org>
Date: Wed, 27 Jan 2010 16:16:11 -0800

On Wed, Jan 27, 2010 at 05:51:02PM -0600, Ron wrote:

> Hey, sorry I missed this earlier. I only read part of the email (*facepalm*).
>
> I just experimented with replacing the first byte (the 'M') with something else, and that passed virustotal.com with
> 0 hits. Pre-pending a NULL-byte to the .exe also works (as I'm sure you know, because somebody else already checked
> earlier today :) ).
>
> Anybody want to make a call on which to use? Or both? Or should we go with the "include it separately" idea after all?

Hi Ron.  I'm worried about doing another very light obfuscation, since
that backfired on us last time.  Even if it doesn't trigger an alert
now, it might in the future if some malware coincidentally uses the
same technique.  So I'd suggest either:

1) The "nuke it from orbit" approach, where we just use OpenSSL to
encrypt the whole @#$#@ file with some symmetric algorithm and a fixed
key.  This would require that the user have an OpenSSL-enabled Nmap to
use it, but I imagine that the vast majority of Nmap installs have
OpenSSL these days.  Or I suppose we could do a double-obfuscation of
prepending a NUL *and* doing a word-width XOR or a stream XOR against
a generated sequence.  We might want to remove the .exe extension too.

2) Or we could just ask the user to download the file from some fixed
URL when they try to use psexec (like Ron has suggested). I'm happy to
host it at http://nmap.org/psexec/nmap_service.exe or wherever.

Cheers,
-F
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
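The option 1 scheme sketched above (prepend a NUL, then XOR the whole file against a generated keystream under a fixed key), as an added worked example that is not part of this thread and not Nmap's own code. It is in Python rather than the Lua an NSE script would use; the fixed key, the keystream construction (SHA-256 in counter mode) and the sample bytes standing in for nmap_service.exe are assumptions constructed here. The `looks_like_pe` / `pe_header_anywhere` checks also show why the NUL-prepend on its own is the "very light obfuscation" Fyodor worries about: the untouched PE header is still sitting at offset 1.

```python
"""Wrap a PE file so it no longer looks like one on disk, then recover it.

Added example, not Nmap's code: NUL prefix + stream XOR against a keystream
generated from a fixed key. This is obfuscation, not encryption: the key ships
with the unpacker, so anyone who has both can recover the original file.
"""
import hashlib
import struct

# Assumption: any constant known to both the packer and the unpacking script.
FIXED_KEY = b"example-fixed-key"


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic byte sequence derived from key: SHA-256 in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack("<Q", counter)).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def wrap(exe: bytes, key: bytes = FIXED_KEY) -> bytes:
    """Prepend a NUL (so nothing recognisable sits at offset 0), then XOR the
    whole buffer with the keystream so the header is not at offset 1 either."""
    body = b"\x00" + exe
    return xor_bytes(body, keystream(key, len(body)))


def unwrap(blob: bytes, key: bytes = FIXED_KEY) -> bytes:
    """Inverse of wrap(); the leading NUL doubles as a cheap sanity check."""
    body = xor_bytes(blob, keystream(key, len(blob)))
    if body[:1] != b"\x00":
        raise ValueError("wrong key or corrupted blob")
    return body[1:]


def looks_like_pe(data: bytes) -> bool:
    """Minimal check a scanner might apply at offset 0: 'MZ' magic and an
    e_lfanew that points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def pe_header_anywhere(data: bytes) -> bool:
    """The same check tried at every offset, which is what defeats a bare
    NUL-prepend: the header is intact, just shifted by one byte."""
    return any(looks_like_pe(data[i:]) for i in range(len(data)))


# Constructed stand-in for nmap_service.exe: a minimal DOS header whose
# e_lfanew points at a PE signature, followed by some filler bytes.
_hdr = bytearray(b"MZ" + b"\x00" * 0x3A)      # 0x3C bytes
_hdr += struct.pack("<I", 0x40)                # e_lfanew -> offset 0x40
_hdr += b"PE\x00\x00" + b"\x90" * 32
SAMPLE_EXE = bytes(_hdr)


if __name__ == "__main__":
    blob = wrap(SAMPLE_EXE)
    print("original looks like PE:        ", looks_like_pe(SAMPLE_EXE))
    print("NUL-prepended, header anywhere:", pe_header_anywhere(b"\x00" + SAMPLE_EXE))
    print("wrapped, header anywhere:      ", pe_header_anywhere(blob))
    print("round trip intact:             ", unwrap(blob) == SAMPLE_EXE)
```

The NSE side would need the same keystream construction and key, which is why this is no stronger than a fixed-key `openssl enc`: the point is only to stop the shipped file from matching a signature, not to keep anyone from reading it.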