Re: Matchline for 'Arucer' backdoor

[Ron <ron () skullsecurity net>]

I worked with David and cleaned this up a bit. I just committed it in r16950. The final line we went with is:


##############################NEXT PROBE##############################
# Arucer backdoor
# http://www.kb.cert.org/vuls/id/154421
# The probe is the UUID for the 'YES' command, which is basically a ping command, encoded by XORing with 0xE5 (the 
original string is "E2AC5089-3820-43fe-8A4D-A7028FAD8C28"). The response is the string 'YES', encoded the same way.
Probe TCP Arucer 
q|\xC2\xE5\xE5\xE5\x9E\xA0\xD7\xA4\xA6\xD0\xD5\xDD\xDC\xC8\xD6\xDD\xD7\xD5\xC8\xD1\xD6\x83\x80\xC8\xDD\xA4\xD1\xA1\xC8\xA4\xD2\xD5\xD7\xDD\xA3\xA4\xA1\xDD\xA6\xD7\xDD\x98\xE5|
rarity 8
ports 7777

match arucer m|^\xbc\xa0\xb6$| p/Arucer backdoor/ o/Windows/ i/**BACKDOOR**/



On Mon, 8 Mar 2010 11:56:48 -0600 Ron <ron () skullsecurity net> wrote:
> You might have heard the fiasco with the backdoor being deployed with
> batteries today: http://www.kb.cert.org/vuls/id/154421
>
> I wrote a matchline for it here:
>
> ##############################NEXT PROBE##############################
> # Arucer backdoor
> # http://www.kb.cert.org/vuls/id/154421
> Probe TCP Arucer q|\xC2\xE5\xE5\xE5\x9E\xA0\xD7\xA4\xA6\xD0\xD5\xDD
> \xDC\xC8\xD6\xDD\xD7\xD5\xC8\xD1\xD6\x83\x80\xC8\xDD\xA4\xD1\xA1\xC8
> \xA4\xD2\xD5\xD7\xDD\xA3\xA4\xA1\xDD\xA6\xD7\xDD\x98\xE5| rarity 8
> ports 7777
>
> match arucer m|\xbc\xa0\xb6| p/Arucer backdoor/
>
>
> I reverse engineered the executable (which I can provide, if
> necessary) to come up with that line. It's basically a ping -- I send
> it a static command (it's a UUID that requests a 'ping', basically),
> encoded by XOR'ing it with 0xE5. Its response is simply 'YES', also
> encoded by xor'ing with 0xE5.
>
> I haven't written a match before, but this has one minor issue -- the
> service itself is finicky, so sending data OTHER than that probe
> sometimes kills it either temporarily or permanently. I'm not sure
> what the best way to prevent other matchlines from running is. 
>
> Other than that, I think it's ready to go. Because of the timing
> (this was revealed this weekend), I'd like to get this out. 
>
> -- 
> Ron Bowes
> http://www.skullsecurity.org
> http://www.twitter.com/iagox86
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/


-- 
Ron Bowes
http://www.skullsecurity.org
http://www.twitter.com/iagox86
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/