News from Fyodor

> Date: Tue, 31 Mar 2009 17:04:29 -0700
> From: fyodor@insecure.org
> To: nmap-hackers@insecure.org
> Subject: Nmap 4.85BETA6 now avail w/Conficker detection
>
> Hi Folks! In case you missed all the news reports yesterday, a couple
> great researchers from the Honeynet Project (Tillmann Werner and Felix
> Leder) and Dan Kaminsky came up with a way to remotely detect the
> Conficker worm which has infected millions of machines worldwide.
> Some say 15,000,000 machines infected, but that might just be
> exaggerated AV-company BS for all I know. But there are clearly
> millions of infections, and this massive botnet is scheduled for a new
> update cycle starting tomorrow. Will this cause Internet doom? No,
> but the bad guys might fix the mechanism that lets us remotely detect
> 'em. Or they might engage in other mischief with their botnet.
> That's why we did the emergency releases--so you can scan for and
> remove them early! During the process, I had to infect one of my
> systems with Conficker for testing, and Nmap even got booted from
> Dreamhost's "unlimited bandwidth" hosting because the downloads were
> taking too much bandwidth. They said:
>
> "Sadly your file nmap-4.85BETA5-setup.exe, and a few similar, were
> getting so many downloads on your machine, iceman, that it
> saturated out the 100mbit connection on it, and caused everyone
> else's sites to go down."
>
> Dreamhost blocked further downloads, but we quickly switched to using
> our colocation provider and also got some mirroring help from Brandon
> Enright at UCSD! So UCSD is hosting 4.85BETA6. Of course I'd like to
> thank Ron Bowes who wrote the detection code (it is an update to his
> existing smb-check-vulns SMB script). David Fifield was a huge help
> too.
>
> An example Conficker scan command is:
>
> nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnets]
>
> A clean machine should report at the bottom: "Conficker: Likely
> Clean", while likely infected machines report "Conficker: Likely
> INFECTED". For more details and updates, see our announcement here:
>
> http://insecure.org/
>
> And of course to download Nmap 4.85BETA6, see:
>
> http://nmap.org/download.html
>
> Of course we have some other nice improvements besides Conficker
> detection. Here are the changes since BETA4:
>
> Nmap 4.85BETA6 [2009-03-31]
>
> o Fixed some bugs with the Conficker detection script
> (smb-check-vulns) [Ron]:
> o SMB response timeout raised to 20s from 5s to compensate for
> slow/overloaded systems and networks.
> o MSRPC now only signs messages if OpenSSL is available (avoids an
> error).
> o Better error checking for MS08-067 patch
> o Fixed forgotten endian-modifier (caused problems on big-endian
> systems such as Solaris on SPARC).
>
> o Host status messages (up/down) are now uniform between ping scanning
> and port scanning and include more information. They used to vary
> slightly, but now all look like
> Host is up (Xs latency).
> Host is down.
> The new latency information is Nmap's estimate of the round trip
> time. In addition, the reason for a host being up is now printed for
> port scans just as for ping scans, with the --reason option. [David]
>
> o Version detection now has a generic match line for SSLv3 servers,
> which matches more servers than the already-existing set of specific
> match lines. The match line found 13% more SSL servers in a test.
> Note that Nmap will not be able to do SSL scan-through against a
> small fraction of these servers, those that are SSLv3-only or
> TLSv1-only, because that ability is not yet built into Nsock. There
> is also a new version detection probe that works against SSLv2-only
> servers. These have shown themselves to be very rare, so that probe
> is not sent by default. Kristof Boeynaems provided the patch and did
> the testing.
>
> o [Zenmap] A typo that led to a crash if the ndiff subprocess
> terminated with an error was fixed. [David] The message was
> File "zenmapGUI\DiffCompare.pyo", line 331, in check_ndiff_process
> UnboundLocalError: local variable 'error_test' referenced before assignment
>
> o [Zenmap] A crash was fixed:
> File "zenmapGUI\SearchGUI.pyo", line 582, in operator_changed
> KeyError: "Syst\xc3\xa8me d'Exploitation"
> The text could be different, because the error was caused by
> translating a string that was also being used as an index into an
> internal data structure. The string will be untranslated until that
> part of the code can be rewritten. [David]
>
> o [Zenmap] A bug was fixed that caused a crash when doing a keyword:
> or target: search over hosts that had a MAC address. [David]
> The crash output was
> File "zenmapCore\SearchResult.pyo", line 86, in match_keyword
> File "zenmapCore\SearchResult.pyo", line 183, in match_target
> TypeError: argument of type 'NoneType' is not iterable
>
> o Fixed a bug which prevented all comma-separated --script arguments
> from being shown in Nmap normal and XML output files where they show
> the original Nmap command. [David]
>
> o Fixed ping scanner's runtime statistics system so that instead of
> saying "0 undergoing Ping Scan" it gives the actual number of hosts in
> the group (e.g. 4096). [David]
>
> o [Zenmap] A crash was fixed in displaying the "Error creating the
> per-user configuration directory" dialog:
> File "zenmap", line 104, in
> File "zenmapGUI\App.pyo", line 129, in run
> UnicodeDecodeError: 'utf8' codec can't decode bytes in position 43-45:
> invalid data
> The crash would only happen to users with paths containing
> multibyte characters in a non-UTF-8 locale, who also had some error
> preventing the creation of the directory. [David]
>
> Nmap 4.85BETA5 [2009-03-30]
>
> o Ron (in just a few hours of furious coding) added remote detection
> of the Conficker worm to smb-check-vulns. It is based on new
> research by Tillmann Werner and Felix Leder. You can scan your
> network for Conficker with a command like: nmap -PN -T4 -p139,445 -n
> -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]
>
> o Ndiff now includes service (version detection) and OS detection
> differences. [David]
>
> o [Ncat] The --exec and --sh-exec options now work in UDP mode like
> they do in TCP mode: the server handles multiple concurrent clients
> and doesn't have to be restarted after each one. Marius Sturm
> provided the patch.
>
> o [Ncat] The -v option (used alone) no longer floods the screen with
> debugging messages. With just -v, we now only print the most
> important status messages such as "Connected to ...", a startup
> banner, and error messages. At -vv, minor debugging messages are
> enabled, such as what command is being executed by --sh-exec. With
> -vvv you get detailed debugging messages. [David]
>
> o [Ncat] Chat mode now lets other participants know when someone
> connects or disconnects, and it also broadcasts a current list of
> participants at such times. [David]
>
> o [Ncat] Fixed a socket handling bug which could occur when you
> redirect Ncat stdin, such as "ncat -l --chat < /dev/null". The next
> user to connect would end up with file descriptor 0 (which is
> normally stdin) and thus confuse Ncat. [David]
>
> o [Zenmap] The "Scan Output" expanders in the diff window now behave
> more naturally. Some strange behavior on Windows was noted by Jah.
> [David]
>
> o The following OS detection tests are no longer included in OS
> fingerprints: U1.RUL, U1.TOS, IE.DLI, IE.SI, and IE.TOSI. RUL, DLI,
> and SI were found not to be helpful in distinguishing operating systems
> because they didn't vary. TOS and TOSI were disabled in 4.85BETA1
> but now they are not included in prints at all. [David]
>
> o The compile-time Nmap ASCII dragon is now more ferocious thanks to
> better teeth alignment. [David]
>
> o Version 4.85BETA4 had a bug in the implementation of the new SEQ.CI
> test that could cause a closed-port IP ID to be written into the
> array for the SEQ.TI test and cause erroneous results. The bug was
> found and fixed by Guillaume Prigent.
>
> o Nbase has grown routines for calculating Adler32 and CRC32C
> checksums. This is needed for future SCTP support. [Daniel
> Roethlisberger]
>
> o [Zenmap] Zenmap no longer shows an error message when running Nmap
> with options that cause a zero-length XML file to be produced (like
> --iflist). [David]
>
> o Fixed an off-by-one error in printableSize() which could cause Nmap
> to crash while reporting NSE results. Also, NmapOutputTable's memory
> allocation strategy was improved to conserve memory. [Brandon,
> Patrick]
>
> o [Zenmap] We now give the --force option to setup.py for installation
> to ensure that it replaces all files. [David]
>
> o Nmap's --packet-trace, --version-trace, and --script-trace now use
> an Nsock trace level of 2 rather than 5. This removes some
> superfluous lines which can flood the screen. [David]
>
> o [Zenmap] Fixed a crash which could occur when loading the help URL
> if the path contains multibyte characters. [David]
>
> o [Ncat] The version number is now matched to the Nmap release it came
> with rather than always being 0.2. [David]
>
> o Fixed a strtok issue between load_exclude and
> TargetGroup::parse_expr that caused only the first exclude on
> a line to be loaded as well as an invalid read into free()'d
> memory in load_exclude(). [Brandon, David]
>
> o NSE's garbage collection system (for cleaning up sockets from
> completed threads, etc.) has been improved. [Patrick]
>
>
> Enjoy the new release and disinfect those systems!
> -Fyodor
> _______________________________________________
> Sent through the nmap-hackers mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-hackers
> Archived at http://seclists.org

Obnosis | (503)754-4452
PLUG Linux Security Labs 2nd Saturday Each Month@Noon - 3PM
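Added example, not part of Fyodor's post or of Nmap itself: a small Python triage script for the results of the Conficker scan command quoted above. It assumes the scan was run with Nmap's `-oX conficker.xml` option added so that the script output lands in Nmap's XML format (the `<hostscript><script id="smb-check-vulns" output="..."/>` layout is Nmap's own); the verdict strings it looks for are the "Conficker: Likely Clean" / "Conficker: Likely INFECTED" lines the announcement describes. The sample XML at the bottom is constructed for this example, and the "unknown" bucket is this example's own convention for hosts that had an SMB port open but produced no verdict, which is exactly the slow/overloaded case the BETA6 timeout change targets, so those hosts want a rescan rather than a "clean" label.

```python
"""Triage Nmap XML output from a Conficker scan (smb-check-vulns).

Added example, not part of the nmap-hackers post or of Nmap.  Assumed
workflow (the -oX option is real Nmap; the file name is this example's):

    nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns \
         --script-args safe=1 -oX conficker.xml [targetnets]

then:  python triage_conficker.py conficker.xml
"""
import re
import sys
import xml.etree.ElementTree as ET

# Verdict lines as quoted in the announcement; case-insensitive on purpose.
VERDICT_RE = re.compile(r"Conficker:\s*Likely\s+(Clean|INFECTED)", re.IGNORECASE)


def classify_output(text):
    """Map one smb-check-vulns output string to 'infected', 'clean' or 'unknown'."""
    m = VERDICT_RE.search(text or "")
    if not m:
        return "unknown"
    return "infected" if m.group(1).upper() == "INFECTED" else "clean"


def _smb_open(host):
    """True if the host had 139/tcp or 445/tcp reported open."""
    for port in host.iter("port"):
        state = port.find("state")
        if port.get("portid") in ("139", "445") and state is not None \
                and state.get("state") == "open":
            return True
    return False


def triage_conficker(xml_text):
    """Return {'infected': [...], 'clean': [...], 'unknown': [...]} of IPv4 addresses.

    Hosts that are down, or that have neither SMB port open, are skipped:
    the script could not have tested them.  'unknown' = SMB open but no
    verdict line (timeout, access denied, script did not run): rescan them.
    """
    root = ET.fromstring(xml_text)
    result = {"infected": [], "clean": [], "unknown": []}
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") == "ipv4"), None)
        if addr is None or not _smb_open(host):
            continue
        verdict = "unknown"
        for script in host.iter("script"):
            if script.get("id") == "smb-check-vulns":
                verdict = classify_output(script.get("output"))
        result[verdict].append(addr)
    return result


# Constructed sample in Nmap's XML layout (not a real scan):
#   .10 flagged infected, .11 clean, .12 up with 445 open but no verdict,
#   .13 up with both SMB ports closed, .14 down.
SAMPLE_XML = """<nmaprun scanner="nmap" version="4.85BETA6">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
 <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
 <hostscript><script id="smb-check-vulns" output="&#xa;Conficker: Likely INFECTED"/></hostscript>
</host>
<host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
 <ports><port protocol="tcp" portid="139"><state state="open"/></port>
        <port protocol="tcp" portid="445"><state state="open"/></port></ports>
 <hostscript><script id="smb-check-vulns" output="&#xa;Conficker: Likely Clean"/></hostscript>
</host>
<host><status state="up"/><address addr="192.0.2.12" addrtype="ipv4"/>
 <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
</host>
<host><status state="up"/><address addr="192.0.2.13" addrtype="ipv4"/>
 <ports><port protocol="tcp" portid="139"><state state="closed"/></port>
        <port protocol="tcp" portid="445"><state state="closed"/></port></ports>
</host>
<host><status state="down"/><address addr="192.0.2.14" addrtype="ipv4"/></host>
</nmaprun>
"""

if __name__ == "__main__":
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    for verdict, hosts in triage_conficker(xml_text).items():
        for addr in hosts:
            print(f"{addr}\t{verdict}")
```

Run it without arguments to see the constructed sample sorted; with a file argument it reads your own `-oX` output. Feeding the "infected" list straight back into a second scan without `safe=1` is how you would confirm the MS08-067 patch state before cleanup, but that check is active and can crash unpatched hosts, which is why the post's command keeps `safe=1`.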