Nmap Development mailing list archives

Re: Anybody doing Stuxnet detection?


From: Ron <ron () skullsecurity net>
Date: Thu, 18 Nov 2010 17:41:18 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 18 Nov 2010 10:07:45 -0600 Mak Kolybabi <mak () kolybabi com> wrote:
> On 2010-11-17 09:04, Ron wrote:
> > Somebody posted this to Twitter a few minutes ago:
> >
> > @jdmurray
> > I wonder why Nmap hasn't yet included Stuxnet detection:
> > http://bit.ly/ctsIbh
> >
> > Would be a great script, but I don't have time this month.
>
> I'm trying to write a script for this.
Cool, let me know if you need anything. I have an infected VM I can share. 

All you really have to do to detect its presence is call smb.bind() with the proper uuid. No error = infected. 

Something that might be interesting is opcode 4 or 5 (I forget which), which takes no arguments and downloads a .exe 
version of the malware. It'd be an interesting way to collect samples from 'the wild'. Probably completely useless, and 
I'd default it to 'off', but it'd be neat. :)

Ron
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkzluZ4ACgkQ2t2zxlt4g/R6BACfXhGKFBGL11U4fWQCqz6GAbv5
iKMAnAuOs3IMBVstYUydli3ph6AHvbxZ
=w83D
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
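Ron's detection idea above is a DCE/RPC bind to the malware's interface UUID over an SMB named pipe, with the bind result as the verdict. The following is an added example (not code from nmap, from the nmap-dev posters, or from the later stuxnet-detect script) showing the wire-level part of that check: it builds a bind PDU for an arbitrary interface UUID and classifies the server's reply. One caveat a practitioner wants here: "no error" has to mean a bind_ack whose presentation-context result is acceptance, because a Windows endpoint that does not serve the UUID normally still answers with a bind_ack, just one carrying a provider_rejection (abstract_syntax_not_supported); a bind_nak is a third, different outcome. The SMB transport (negotiate, session setup, tree connect, pipe open) is assumed to be supplied by the caller as a send/receive callable; the Stuxnet UUID itself is not on this page and is not given here, the srvsvc interface is used only as a known-good stand-in, and the sample replies are constructed inline for offline testing.

```python
"""DCE/RPC connection-oriented bind and bind-reply classification (C706 §12.6).

Added example for the nmap-dev archive page; not code from nmap or its posters.
The caller must supply the SMB named-pipe transport as send_recv(bytes) -> bytes.
"""
import struct
import uuid

# NDR 2.0 transfer syntax, proposed in every bind.
NDR_TRANSFER_SYNTAX = (uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860"), 2, 0)
# Known-good interface used only as a stand-in for the demo: srvsvc v3.0.
SRVSVC_UUID = uuid.UUID("4b324fc8-1670-01d3-1278-5a47bf6ee188")

PTYPE_BIND, PTYPE_BIND_ACK, PTYPE_BIND_NAK = 11, 12, 13
PFC_FIRST_FRAG, PFC_LAST_FRAG = 0x01, 0x02

# Presentation-context results and provider reject reasons carried in a bind_ack.
RESULT_NAMES = {0: "acceptance", 1: "user_rejection",
                2: "provider_rejection", 3: "negotiate_ack"}
REJECT_REASON_NAMES = {0: "reason_not_specified", 1: "abstract_syntax_not_supported",
                       2: "proposed_transfer_syntaxes_not_supported",
                       3: "local_limit_exceeded"}


def _header(ptype, body_len, call_id):
    # rpc_vers 5.0, ptype, first|last fragment, drep = little-endian/ASCII/IEEE,
    # frag_length covers the 16-byte header too, no auth trailer.
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, PFC_FIRST_FRAG | PFC_LAST_FRAG,
                       b"\x10\x00\x00\x00", 16 + body_len, 0, call_id)


def _syntax(u, major, minor):
    # p_syntax_id_t: UUID in DCE byte order followed by major/minor version.
    return u.bytes_le + struct.pack("<HH", major, minor)


def build_bind(interface_uuid, if_major, if_minor=0, call_id=1, max_frag=4280):
    """Return a bind PDU proposing one presentation context for interface_uuid."""
    ctx = struct.pack("<HBB", 0, 1, 0)  # p_cont_id 0, one transfer syntax, pad
    ctx += _syntax(uuid.UUID(str(interface_uuid)), if_major, if_minor)
    ctx += _syntax(*NDR_TRANSFER_SYNTAX)
    body = struct.pack("<HHI", max_frag, max_frag, 0)  # max xmit/recv, assoc_group_id
    body += struct.pack("<BBH", 1, 0, 0) + ctx         # n_context_elem=1, reserved
    return _header(PTYPE_BIND, len(body), call_id) + body


def classify_bind_response(pdu):
    """Return (verdict, detail) for a reply to build_bind().

    verdict: 'accepted' (the interface is registered on this pipe),
             'rejected' (endpoint alive, but a context was refused),
             'nak'      (association refused outright).
    """
    if len(pdu) < 16:
        raise ValueError("short PDU")
    vers, _minor, ptype, _flags, _drep, frag_len, _auth, _cid = struct.unpack("<BBBB4sHHI", pdu[:16])
    if vers != 5:
        raise ValueError(f"unexpected rpc_vers {vers}")
    if frag_len != len(pdu):
        raise ValueError("frag_length does not match PDU size")
    if ptype == PTYPE_BIND_NAK:
        reason, = struct.unpack_from("<H", pdu, 16)
        return "nak", {"reject_reason": reason}
    if ptype != PTYPE_BIND_ACK:
        raise ValueError(f"unexpected ptype {ptype}")
    off = 16 + 8                                  # skip max_xmit, max_recv, assoc_group_id
    addr_len, = struct.unpack_from("<H", pdu, off)
    off += 2
    sec_addr = pdu[off:off + addr_len].rstrip(b"\x00").decode("ascii", "replace")
    off += addr_len
    off += (-off) % 4                             # p_result_list is 4-byte aligned
    n_results = pdu[off]
    off += 4
    results = []
    for _ in range(n_results):
        result, reason = struct.unpack_from("<HH", pdu, off)
        syntax = uuid.UUID(bytes_le=pdu[off + 4:off + 20])
        results.append((RESULT_NAMES.get(result, result),
                        REJECT_REASON_NAMES.get(reason, reason) if result else None,
                        str(syntax)))
        off += 24
    verdict = "accepted" if results and results[0][0] == "acceptance" else "rejected"
    return verdict, {"sec_addr": sec_addr, "results": results}


def probe_interface(send_recv, interface_uuid, if_major, if_minor=0):
    """The whole check: bind to the UUID over the caller's pipe transport and classify."""
    return classify_bind_response(send_recv(build_bind(interface_uuid, if_major, if_minor)))


# Constructed replies (not captures) so the classifier can be exercised offline.
def build_bind_ack(results, sec_addr=b"\\PIPE\\srvsvc\x00", call_id=1, max_frag=4280):
    body = struct.pack("<HHI", max_frag, max_frag, 0x1234)
    body += struct.pack("<H", len(sec_addr)) + sec_addr
    body += b"\x00" * ((-(16 + len(body))) % 4)
    body += struct.pack("<BBH", len(results), 0, 0)
    for result, reason in results:
        syn = NDR_TRANSFER_SYNTAX if result == 0 else (uuid.UUID(int=0), 0, 0)
        body += struct.pack("<HH", result, reason) + _syntax(*syn)
    return _header(PTYPE_BIND_ACK, len(body), call_id) + body


def build_bind_nak(reject_reason, call_id=1):
    # provider_reject_reason, then one supported protocol version (5.0)
    body = struct.pack("<HBBB", reject_reason, 1, 5, 0)
    return _header(PTYPE_BIND_NAK, len(body), call_id) + body


if __name__ == "__main__":
    accept = lambda _pdu: build_bind_ack([(0, 0)])
    refuse = lambda _pdu: build_bind_ack([(2, 1)])
    print(probe_interface(accept, SRVSVC_UUID, 3))   # ('accepted', ...)
    print(probe_interface(refuse, SRVSVC_UUID, 3))   # ('rejected', ...)
    print(classify_bind_response(build_bind_nak(0)))  # ('nak', ...)
```

In an NSE script the same three-way split is what the result of the msrpc bind should be mapped to: only the acceptance branch is "infected", a rejected context means the pipe is there but the UUID is not, and a nak or transport failure should be reported as inconclusive rather than clean.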
