Nmap Development mailing list archives
Re: Anybody doing Stuxnet detection?
From: Ron <ron () skullsecurity net>
Date: Thu, 18 Nov 2010 17:41:18 -0600
On Thu, 18 Nov 2010 10:07:45 -0600 Mak Kolybabi <mak () kolybabi com> wrote:
> On 2010-11-17 09:04, Ron wrote:
>> Somebody posted this to Twitter a few minutes ago:
>>
>> @jdmurray I wonder why Nmap hasn't yet included Stuxnet detection: http://bit.ly/ctsIbh
>>
>> Would be a great script, but I don't have time this month.
>
> I'm trying to write a script for this.

Cool, let me know if you need anything. I have an infected VM I can share.

All you really have to do to detect its presence is call smb.bind() with the proper uuid. No error = infected.

Something that might be interesting is opcode 4 or 5 (I forget which), which takes no arguments and downloads a .exe version of the malware. It'd be an interesting way to collect samples from 'the wild'. Probably completely useless, and I'd default it to 'off', but it'd be neat. :)

Ron
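The check described in the message above comes down to reading the reply to a bind request, shown here as an added Python example (not code from this thread or from Nmap) that builds a bind PDU and decides whether the reply accepted the interface. It assumes the bind is a DCE/RPC v5 bind carried over an SMB named pipe; the SMB transport is left out, the interface UUID is a placeholder because the message does not give it, and the replies from `sample_reply` are constructed for offline use.

```python
import struct
import uuid

# Hypothetical placeholder: the message does not state the interface UUID.
PLACEHOLDER_IFACE = uuid.UUID("00000000-0000-0000-0000-000000000000")
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax, v2
BIND, BIND_ACK, BIND_NAK = 11, 12, 13                           # DCE/RPC PDU types

def _pdu(ptype, body):
    """Prefix body with the 16-byte little-endian DCE/RPC v5 common header."""
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, 0x03, b"\x10\0\0\0",
                       16 + len(body), 0, 1) + body

def build_bind(iface, major=1, minor=0):
    """Build a bind PDU offering one presentation context for `iface`."""
    body = struct.pack("<HHI", 4280, 4280, 0)      # max xmit/recv frag, assoc group
    body += struct.pack("<BBH", 1, 0, 0)           # one context element
    body += struct.pack("<HBB", 0, 1, 0)           # context id 0, one transfer syntax
    body += iface.bytes_le + struct.pack("<HH", major, minor)
    body += NDR_SYNTAX.bytes_le + struct.pack("<I", 2)
    return _pdu(BIND, body)

def bind_accepted(pdu):
    """True only for a bind_ack whose first context result is acceptance (0)."""
    if len(pdu) < 16 or pdu[0] != 5:
        raise ValueError("not a DCE/RPC v5 PDU")
    if pdu[2] == BIND_NAK:
        return False                               # server refused the whole bind
    if pdu[2] != BIND_ACK:
        raise ValueError("unexpected PDU type %d" % pdu[2])
    try:
        (addr_len,) = struct.unpack_from("<H", pdu, 24)  # secondary address length
        off = (26 + addr_len + 3) & ~3                   # result list is 4-byte aligned
        n_results = pdu[off]
        (result,) = struct.unpack_from("<H", pdu, off + 4)
    except (struct.error, IndexError):
        raise ValueError("truncated bind_ack")
    return n_results >= 1 and result == 0          # 2 = provider rejection

def sample_reply(ptype, result=0):
    """Constructed reply for offline testing (not captured traffic)."""
    if ptype == BIND_NAK:
        return _pdu(BIND_NAK, struct.pack("<HB", 0, 0))
    addr = b"\\PIPE\\srvsvc\x00"                   # constructed secondary address
    body = struct.pack("<HHIH", 4280, 4280, 0x1234, len(addr)) + addr
    body += b"\x00" * (-(16 + len(body)) % 4)      # pad to 4-byte alignment
    body += struct.pack("<BBHHH", 1, 0, 0, result, 1 if result else 0)
    return _pdu(BIND_ACK, body + NDR_SYNTAX.bytes_le + struct.pack("<I", 2))
```

A bind_ack alone is not enough to call the bind accepted: a server that does not know the interface can still answer with a bind_ack carrying a provider-rejection result, which is why the parser reads the result field rather than only the PDU type.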