Nmap Development mailing list archives

[PATCH] Rustock backdoor SMTP service detection


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Thu, 19 Apr 2007 02:57:51 +0000

Developers,

Attached is a patch against the latest svn nmap-service-probes file adding
detection for a new variant of Rustock that opens a backdoor SMTP service
on port 25. This particular variant is rather insidious and isn't yet
(according to www.virustotal.com) detected by any AV.

It produces output like so:

PORT   STATE SERVICE VERSION
25/tcp open  smtp    Rustock smtp backdoor (**BACKDOOR**)
Service Info: OS: Windows

This service doesn't provide much (unique) text to match on but it luckily
responds to the Hello and Help probes.  I'm fairly confident that this
match will not falsely implicate any existing or future SMTP services.

I wasn't sure if it was better to add the match line under the Hello or
Help probe so I arbitrarily picked Hello.  The match is the same for either
so it can be moved if need be.  If one is better than the other for this
match or if there are trade-offs/differences I'd like to hear about them
(offlist?).

Please let me know if there are any questions,

Brandon

-- 
Brandon Enright
Network Security Analyst
UCSD ACS/Network Operations
bmenrigh () ucsd edu

Attachment: rustock.patch
Attachment: signature.asc
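The patch itself is only attached, not shown, so the following is an added example and not the page's own code, Nmap's code, or the contents of rustock.patch. It implements a minimal reader for the nmap-service-probes syntax the message refers to (a `Probe ... q|payload|` line followed by `match` lines with `p/`, `i/`, `o/`, `h/` fields and `$1` capture substitution), then emulates the probe loop against two constructed responders: one that answers Hello and Help the way the message describes (the same text for both), and one that behaves like an ordinary SMTP server. The Hello and Help payloads (`EHLO`, `HELP`) follow the stock file; every match regex, the placeholder banner, the host names and the Postfix/Sendmail lines are hypothetical and exist only to exercise the parser. Python's `re` stands in for the PCRE engine nmap uses.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in nmap-service-probes syntax: NOT the stock file and NOT
# the attached rustock.patch.  Only the EHLO/HELP payloads follow the real file;
# every regex, banner and product string is a hypothetical placeholder.
PROBES_TEXT = r"""
# Probe <proto> <name> q|<payload>|: nmap sends <payload>, then tries the match
# lines beneath it, in order, against whatever the service answers.
Probe TCP Hello q|EHLO\r\n|
ports 25,587
match smtp m|^220 ([-.\w]+) ESMTP Postfix| p/Postfix smtpd/ h/$1/
match smtp m|^250-HYPOTHETICAL-BACKDOOR\r\n250 OK\r\n$| p/Rustock smtp backdoor/ i/**BACKDOOR**/ o/Windows/

Probe TCP Help q|HELP\r\n|
ports 25,587
match smtp m|^214-Commands supported:| p/Sendmail/
"""

PROBE_RE = re.compile(r"^Probe\s+(TCP|UDP)\s+(\S+)\s+q(.)(.*)\3\s*$")
MATCH_RE = re.compile(r"^match\s+(\S+)\s+m(.)(.*?)\2([is]*)\s*(.*)$")
# p/product/ v/version/ i/extra info/ h/hostname/ o/OS/ d/device type/
FIELD_RE = re.compile(r"([pvihod])/((?:[^/\\]|\\.)*)/")


@dataclass
class Match:
    service: str
    regex: re.Pattern
    fields: dict


@dataclass
class Probe:
    proto: str
    name: str
    payload: bytes
    matches: list


def parse_probes(text: str) -> list:
    """Parse Probe and match lines; other directives (ports, rarity, ...) are skipped."""
    probes = []
    for line in text.splitlines():
        line = line.strip()
        m = PROBE_RE.match(line)
        if m:
            proto, name, _, raw = m.groups()
            # The payload is written with C-style escapes (\r\n); turn them into real bytes.
            payload = raw.encode("latin-1").decode("unicode_escape").encode("latin-1")
            probes.append(Probe(proto, name, payload, []))
            continue
        m = MATCH_RE.match(line)
        if m and probes:
            service, _, pattern, flags, rest = m.groups()
            reflags = (re.IGNORECASE if "i" in flags else 0) | (re.DOTALL if "s" in flags else 0)
            probes[-1].matches.append(Match(service, re.compile(pattern, reflags), dict(FIELD_RE.findall(rest))))
    return probes


def expand(value: str, hit: re.Match) -> str:
    """Substitute $1, $2, ... in a version field with the regex capture groups."""
    return re.sub(r"\$(\d+)", lambda g: hit.group(int(g.group(1))) or "", value)


def identify(probes: list, responder):
    """Emulate the probe loop: send probes in file order and stop at the first match.

    responder(payload) -> bytes or None stands in for the TCP connection.
    Returns (probe_name, service, expanded_fields) or None when nothing matched.
    """
    for probe in probes:
        response = responder(probe.payload)
        if response is None:
            continue
        text = response.decode("latin-1")
        for m in probe.matches:
            hit = m.regex.search(text)
            if hit:
                return probe.name, m.service, {k: expand(v, hit) for k, v in m.fields.items()}
    return None


def render_version(fields: dict) -> str:
    """Format like nmap's VERSION column: '<product> <version> (<extrainfo>)'."""
    out = " ".join(x for x in (fields.get("p"), fields.get("v")) if x)
    return out + (f" ({fields['i']})" if fields.get("i") else "")


# Constructed responders standing in for two hosts; no network traffic involved.
def backdoor_like(payload: bytes):
    # Answers both the Hello and the Help probe with the same placeholder text.
    if payload in (b"EHLO\r\n", b"HELP\r\n"):
        return b"250-HYPOTHETICAL-BACKDOOR\r\n250 OK\r\n"
    return None


def postfix_like(payload: bytes):
    banner = b"220 mx.example.org ESMTP Postfix\r\n"
    if payload == b"EHLO\r\n":
        return banner + b"250 mx.example.org\r\n"
    if payload == b"HELP\r\n":
        return banner + b"502 5.5.2 Error: command not recognized\r\n"
    return None


PROBES = parse_probes(PROBES_TEXT)

if __name__ == "__main__":
    for label, host in (("backdoor-like host", backdoor_like), ("postfix-like host", postfix_like)):
        probe_name, service, fields = identify(PROBES, host)
        print(f"{label}: 25/tcp open  {service:<7} {render_version(fields)}  [matched under {probe_name}]")
        if fields.get("o"):
            print(f"Service Info: OS: {fields['o']}")
```

The rendered line for the backdoor-like responder reproduces the shape of the output quoted in the message (product, then extra info in parentheses, with `o/` surfacing as `Service Info: OS:`). The emulation also makes the Hello-versus-Help question concrete: the loop stops at the first probe whose answer matches, so a line under Hello fires on the first probe a responsive service answers, while the same line under Help is only consulted after Hello has produced no match and costs one more round trip.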


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
