FW: Nmap 4.85BETA6 now avail w/Conficker detection

Lisa Kachold lisakachold at obnosis.com
Wed Apr 1 16:27:58 MST 2009


News from Fyodor

> Date: Tue, 31 Mar 2009 17:04:29 -0700
> From: fyodor at insecure.org
> To: nmap-hackers at insecure.org
> Subject: Nmap 4.85BETA6 now avail w/Conficker detection
> 
> Hi Folks!  In case you missed all the news reports yesterday, a couple
> great researchers from the Honeynet Project (Tillmann Werner and Felix
> Leder) and Dan Kaminsky came up with a way to remotely detect the
> Conficker worm which has infected millions of machines worldwide.
> Some say 15,000,000 machines infected, but that might just be
> exaggerated AV-company BS for all I know.  But there are clearly
> millions of infections, and this massive botnet is scheduled for a new
> update cycle starting tomorrow.  Will this cause Internet doom?  No,
> but the bad guys might fix the mechanism that lets us remotely detect
> 'em.  Or they might engage in other mischief with their botnet.
> That's why we did the emergency releases--so you can scan for and
> remove them early!  During the process, I had to infect one of my
> systems with Conficker for testing, and Nmap even got booted from
> Dreamhost's "unlimited bandwidth" hosting because the downloads were
> taking too much bandwidth.  They said:
> 
>   "Sadly your file nmap-4.85BETA5-setup.exe, and a few similar, were
>    getting so many downloads on your machine, iceman, that it
>    saturated out the 100mbit connection on it, and caused everyone
>    else's sites to go down."
> 
> Dreamhost blocked further downloads, but we quickly switched to using
> our colocation provider and also got some mirroring help from Brandon
> Enright at UCSD!  So UCSD is hosting 4.85BETA6.  Of course I'd like to
> thank Ron Bowes who wrote the detection code (it is an update to his
> existing smb-check-vulns SMB script).  David Fifield was a huge help
> too.
> 
> An example Conficker scan command is:
> 
> nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnets]
> 
> A clean machine should report at the bottom: "Conficker: Likely
> Clean", while likely infected machines report "Conficker: Likely
> INFECTED".  For more details and updates, see our announcement here:
> 
> http://insecure.org/
> 
> And of course to download Nmap 4.85BETA6, see:
> 
> http://nmap.org/download.html
> 
> Of course we have some other nice improvements besides Conficker
> detection.  Here are the changes since BETA4:
> 
> Nmap 4.85BETA6 [2009-03-31]
> 
> o Fixed some bugs with the Conficker detection script
>  (smb-check-vulns) [Ron]:
>  o SMB response timeout raised to 20s from 5s to compensate for
>    slow/overloaded systems and networks.
>  o MSRPC now only signs messages if OpenSSL is available (avoids an
>    error).
>  o Better error checking for MS08-067 patch
>  o Fixed forgotten endian-modifier (caused problems on big-endian
>    systems such as Solaris on SPARC).
> 
> o Host status messages (up/down) are now uniform between ping scanning
>   and port scanning and include more information. They used to vary
>   slightly, but now all look like
>     Host  is up (Xs latency).
>     Host  is down.
>   The new latency information is Nmap's estimate of the round trip
>   time. In addition, the reason for a host being up is now printed for
>   port scans just as for ping scans, with the --reason option. [David]
> 
> o Version detection now has a generic match line for SSLv3 servers,
>   which matches more servers than the already-existing set of specific
>   match lines. The match line found 13% more SSL servers in a test.
>   Note that Nmap will not be able to do SSL scan-through against a
>   small fraction of these servers, those that are SSLv3-only or
>   TLSv1-only, because that ability is not yet built into Nsock. There
>   is also a new version detection probe that works against SSLv2-only
>   servers. These have shown themselves to be very rare, so that probe
>   is not sent by default. Kristof Boeynaems provided the patch and did
>   the testing.
> 
> o [Zenmap] A typo that led to a crash if the ndiff subprocess
>   terminated with an error was fixed. [David] The message was
>     File "zenmapGUI\DiffCompare.pyo", line 331, in check_ndiff_process
>   UnboundLocalError: local variable 'error_test' referenced before assignment
> 
> o [Zenmap] A crash was fixed:
>       File "zenmapGUI\SearchGUI.pyo", line 582, in operator_changed
>     KeyError: "Syst\xc3\xa8me d'Exploitation"
>   The text could be different, because the error was caused by
>   translating a string that was also being used as an index into an
>   internal data structure. The string will be untranslated until that
>   part of the code can be rewritten. [David]
> 
> o [Zenmap] A bug was fixed that caused a crash when doing a keyword:
>   or target: search over hosts that had a MAC address. [David] 
>   The crash output was
>       File "zenmapCore\SearchResult.pyo", line 86, in match_keyword
>       File "zenmapCore\SearchResult.pyo", line 183, in match_target
>     TypeError: argument of type 'NoneType' is not iterable
> 
> o Fixed a bug which prevented all comma-separated --script arguments
>   from being shown in Nmap normal and XML output files where they show
>   the original Nmap command. [David]
> 
> o Fixed ping scanner's runtime statistics system so that instead of
>   saying "0 undergoing Ping Scan" it gives the actual number of hosts in
>   the group (e.g. 4096). [David]
> 
> o [Zenmap] A crash was fixed in displaying the "Error creating the
>   per-user configuration directory" dialog:
>       File "zenmap", line 104, in 
>       File "zenmapGUI\App.pyo", line 129, in run
>     UnicodeDecodeError: 'utf8' codec can't decode bytes in position 43-45:
>                         invalid data
>   The crash would only happen to users with paths containing
>   multibyte characters in a non-UTF-8 locale, who also had some error
>   preventing the creation of the directory. [David]
> 
> Nmap 4.85BETA5 [2009-03-30]
> 
> o Ron (in just a few hours of furious coding) added remote detection
>   of the Conficker worm to smb-check-vulns. It is based on new
>   research by Tillmann Werner and Felix Leder.  You can scan your
>   network for Conficker with a command like: nmap -PN -T4 -p139,445 -n
>   -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]
> 
> o Ndiff now includes service (version detection) and OS detection
>   differences. [David]
> 
> o [Ncat] The --exec and --sh-exec options now work in UDP mode like
>   they do in TCP mode: the server handles multiple concurrent clients
>   and doesn't have to be restarted after each one. Marius Sturm
>   provided the patch.
> 
> o [Ncat] The -v option (used alone) no longer floods the screen with
>   debugging messages. With just -v, we now only print the most
>   important status messages such as "Connected to ...", a startup
>   banner, and error messages.  At -vv, minor debugging messages are
>   enabled, such as what command is being executed by --sh-exec.  With
>   -vvv you get detailed debugging messages. [David]
> 
> o [Ncat] Chat mode now lets other participants know when someone
>   connects or disconnects, and it also broadcasts a current list of
>   participants at such times. [David]
> 
> o [Ncat] Fixed a socket handling bug which could occur when you
>   redirect Ncat stdin, such as "ncat -l --chat < /dev/null".  The next
>   user to connect would end up with file descriptor 0 (which is
>   normally stdin) and thus confuse Ncat. [David]
> 
> o [Zenmap] The "Scan Output" expanders in the diff window now behave
>   more naturally. Some strange behavior on Windows was noted by Jah.
>   [David]
> 
> o The following OS detection tests are no longer included in OS
>   fingerprints: U1.RUL, U1.TOS, IE.DLI, IE.SI, and IE.TOSI. URL, DLI,
>   and SI were found not to be helpful in distinguishing operating systems
>   because they didn't vary. TOS and TOSI were disabled in 4.85BETA1
>   but now they are not included in prints at all. [David]
> 
> o The compile-time Nmap ASCII dragon is now more ferocious thanks to
>   better teeth alignment. [David]
> 
> o Version 4.85BETA4 had a bug in the implementation of the new SEQ.CI
>   test that could cause a closed-port IP ID to be written into the
>   array for the SEQ.TI test and cause erroneous results. The bug was
>   found and fixed by Guillaume Prigent.
> 
> o Nbase has grown routines for calculating Adler32 and CRC32C
>   checksums. This is needed for future SCTP support. [Daniel
>   Roethlisberger]
> 
> o [Zenmap] Zenmap no longer shows an error message when running Nmap
>   with options that cause a zero-length XML file to be produced (like
>   --iflist). [David]
> 
> o Fixed an off-by-one error in printableSize() which could cause Nmap
>   to crash while reporting NSE results. Also, NmapOutputTable's memory
>   allocation strategy was improved to conserve memory. [Brandon,
>   Patrick]
> 
> o [Zenmap] We now give the --force option to setup.py for installation
>   to ensure that it replaces all files. [David]
> 
> o Nmap's --packet-trace, --version-trace, and --script-trace now use
>   an Nsock trace level of 2 rather than 5.  This removes some
>   superfluous lines which can flood the screen. [David]
> 
> o [Zenmap] Fixed a crash which could occur when loading the help URL
>    if the path contains multibyte characters. [David]
> 
> o [Ncat] The version number is now matched to the Nmap release it came
>   with rather than always being 0.2. [David]
> 
> o Fixed a strtok issue between load_exclude and
>   TargetGroup::parse_expr that caused only the first exclude on
>   a line to be loaded as well as an invalid read into free()'d
>   memory in load_exclude(). [Brandon, David]
> 
> o NSE's garbage collection system (for cleaning up sockets from
>   completed threads, etc.) has been improved. [Patrick]
> 
> 
> Enjoy the new release and disinfect those systems!
> -Fyodor
> _______________________________________________
> Sent through the nmap-hackers mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-hackers
> Archived at http://seclists.org

Obnosis | (503)754-4452




PLUG Linux Security Labs 2nd Saturday Each Month at Noon - 3PM
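As an added example that is not part of the forwarded announcement or of Nmap itself: a POSIX shell function that reads the normal output of the scan command Fyodor gives above and lists the hosts whose smb-check-vulns result line says "Conficker: Likely INFECTED" (or "Likely Clean"), so a cleanup list can be handed to whoever owns those machines. The sample scan output, the function name and the exact per-host layout are constructed for illustration and assumed, not copied from a real Nmap run.

```shell
#!/bin/sh
# Added example, not code from the announcement: after running the
# Conficker scan, pull out which hosts the script flagged.

# conficker_hosts STATUS - read Nmap normal output on stdin and print
# each host whose smb-check-vulns line reads "Conficker: Likely STATUS".
# STATUS is "INFECTED" or "Clean".
conficker_hosts() {
    awk -v want="Conficker: Likely $1" '
        # 4.85 prints "Interesting ports on HOST:"; later releases print
        # "Nmap scan report for HOST". Remember whichever we see last.
        /^Interesting ports on / { host = $4; sub(/:$/, "", host) }
        /^Nmap scan report for / { host = $5 }
        index($0, want)          { print host }
    '
}

# Constructed sample of a two-host scan (assumed layout, not real output).
SAMPLE='Interesting ports on 10.0.0.5:
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|  MS08-067: NOT RUN
|  Conficker: Likely Clean
|_ regsvc DoS: NOT RUN

Interesting ports on 10.0.0.7:
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|  MS08-067: NOT RUN
|  Conficker: Likely INFECTED
|_ regsvc DoS: NOT RUN'

# Real use (needs nmap and authorisation to scan the range); -oN saves
# the normal output that the function parses:
#   nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns \
#        --script-args safe=1 -oN scan.txt [targetnets]
#   conficker_hosts INFECTED < scan.txt
printf '%s\n' "$SAMPLE" | conficker_hosts INFECTED   # prints 10.0.0.7
```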