Nmap Development mailing list archives

Re: Latest dist v5.2


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Wed, 27 Jan 2010 23:35:14 +0000

On Wed, 27 Jan 2010 17:32:40 -0600
Ron <ron () skullsecurity net> wrote:

> On Wed, 27 Jan 2010 14:18:00 -0800
> Fyodor <fyodor () insecure org> wrote:
> > We should have tested :(.  Now I'm getting reports that
> > nmap_services.exe triggers Panda Antivirus W32/Xor-encoded.A:
> >
> > http://www.cloudantivirus.com/en/threat-information/Xor-encoded.A/194318/
> >
> > VirusTotal finds that as well:
> >
> > http://www.virustotal.com/analisis/5938478eb7195e53ba408b6fc390b35f2ccff6e68b761da4a5dfab97f3164a9c-1264630143
> >
> > -F
>
> Aww damn, sorry! That really sucks...
>
> It looks like Panda detects xor'ing by any byte. That's sort of
> clever, but also irritating. I tried 0xFF, 0x01, and 0x13. I'm
> assuming it happens for everything.
>
> Any other suggestions on how to encode it in a simple way without
> triggering a/v signatures?


Hi Ron, did you not see my email on this?  I sent it like 15 min ago.

Brandon
