[Openvas-commits] r12563 - in trunk/openvas-plugins: . scripts scripts/nmap_nse



Author: hdoreau
Date: 2012-02-01 14:39:16 +0100 (Wed, 01 Feb 2012)
New Revision: 12563

Modified:
   trunk/openvas-plugins/ChangeLog
   trunk/openvas-plugins/scripts/conficker.nasl
   trunk/openvas-plugins/scripts/nmap_nse/gb_nmap_p2p_conficker.nasl
   trunk/openvas-plugins/scripts/nmap_nse/gb_nmap_smb_check_vulns.nasl
Log:
* scripts/nmap_nse/gb_nmap_p2p_conficker.nasl,
scripts/nmap_nse/gb_nmap_smb_check_vulns.nasl: Store results into KB
if target seems infected.

* scripts/conficker.nasl: Reports results from NSE when already
available.


Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2012-02-01 13:22:20 UTC (rev 12562)
+++ trunk/openvas-plugins/ChangeLog	2012-02-01 13:39:16 UTC (rev 12563)
@@ -1,3 +1,12 @@
+2012-02-01  Henri Doreau <henri.doreau at greenbone.net>
+
+	* scripts/nmap_nse/gb_nmap_p2p_conficker.nasl,
+	scripts/nmap_nse/gb_nmap_smb_check_vulns.nasl: Store results into KB
+	if target seems infected.
+
+	* scripts/conficker.nasl: Reports results from NSE when already
+	available.
+
 2012-02-01  Antu Sanadi <santu at secpod.com>
 
 	* scripts/gb_fedora_2011_16284_krb5_fc15.nasl,

Modified: trunk/openvas-plugins/scripts/conficker.nasl
===================================================================
--- trunk/openvas-plugins/scripts/conficker.nasl	2012-02-01 13:22:20 UTC (rev 12562)
+++ trunk/openvas-plugins/scripts/conficker.nasl	2012-02-01 13:39:16 UTC (rev 12563)
@@ -28,6 +28,50 @@
 # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 ###############################################################################
 
+desc = "
+Overview: This host seems to be contaminated with infectious Conficker Worm.
+
+Vulnerability Insight:
+Conficker is a worm that spreads on Windows Platforms. This malware could
+spread Windows file shares protected with weak passwords or to which a
+logged on domain administrator has access, by copying itself to removable
+storage devices and by exploiting the MS08-067 Windows Server service
+vulnerability.
+
+This malware generates infections files to set up to run as a service and
+also using a random name when Windows starts under system32, and tries to
+modify permissions on the service registry entries so that they are not
+visible to the user. Such registry entries are under,
+'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost' and
+'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RANDOM_SERVICE_NAME'
+
+The plugin determines Conficker variants B or C. It likeley works against systems
+that allow anonymous login, otherwise Credentials can be supplied.
+
+Impact: Successful exploitation could allow remote attackers to take complete
+control of an affected system and capable of stealing all kind of sensitive
+information and can even spread accross the Network.
+
+Impact Level: System/Network.
+
+Affected Software/OS:
+Microsoft Windows 2K Service Pack 4 and prior.
+Microsoft Windows XP Service Pack 3 and prior.
+Microsoft Windows 2003 Service Pack 2 and prior.
+
+Fix: Run Windows Update and update the listed hotfixes or download
+and update mentioned hotfixes in the advisory from the below link,
+http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
+      and
+Use Conficker Removal Tools, or Known Security Products to remove
+conficker worm.
+
+References:
+http://www.dshield.org/diary.html?storyid=5860
+http://www.anti-spyware-101.com/remove-conficker
+http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/
+http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx";
+
 if(description)
 {
   script_id(900091);
@@ -44,52 +88,9 @@
   script_family("Malware");
   script_name("Conficker Detection");
   script_summary("Check for Conficker worm infected system");
-  desc = "
-  Overview: This host seems to be contaminated with infectious Conficker Worm.
-
-  Vulnerability Insight:
-  Conficker is a worm that spreads on Windows Platforms. This malware could
-  spread Windows file shares protected with weak passwords or to which a
-  logged on domain administrator has access, by copying itself to removable
-  storage devices and by exploiting the MS08-067 Windows Server service
-  vulnerability.
-
-  This malware generates infections files to set up to run as a service and
-  also using a random name when Windows starts under system32, and tries to
-  modify permissions on the service registry entries so that they are not
-  visible to the user. Such registry entries are under,
-  'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost' and
-  'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RANDOM_SERVICE_NAME'
-
-  The plugin determines Conficker variants B or C. It likeley works against systems
-  that allow anonymous login, otherwise Credentials can be supplied.
-
-  Impact: Successful exploitation could allow remote attackers to take complete
-  control of an affected system and capable of stealing all kind of sensitive
-  information and can even spread accross the Network.
-
-  Impact Level: System/Network.
-
-  Affected Software/OS:
-  Microsoft Windows 2K Service Pack 4 and prior.
-  Microsoft Windows XP Service Pack 3 and prior.
-  Microsoft Windows 2003 Service Pack 2 and prior.
-
-  Fix: Run Windows Update and update the listed hotfixes or download
-  and update mentioned hotfixes in the advisory from the below link,
-  http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
-        and
-  Use Conficker Removal Tools, or Known Security Products to remove
-  conficker worm.
-
-  References:
-  http://www.dshield.org/diary.html?storyid=5860
-  http://www.anti-spyware-101.com/remove-conficker
-  http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/
-  http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx";
-
   script_description(desc);
-  script_dependencies("secpod_reg_enum.nasl");
+  script_dependencies("secpod_reg_enum.nasl", "nmap_nse/gb_nmap_p2p_conficker.nasl",
+                      "nmap_nse/gb_nmap_smb_check_vulns.nasl");
   script_require_ports(139, 445);
   exit(0);
 }
@@ -97,6 +98,20 @@
 
 include("smb_nt.inc");
 
+
+# First of all check whether nmap already detected an infection.
+res = get_kb_list("conficker/nse");
+if (!isnull(res)) {
+    report = 'Nmap (http://nmap.org) has detected a possible infection:\n';
+
+    foreach msg (res) {
+        report += msg + '\n';
+    }
+    report += '\n\n' + desc;
+    security_hole(data:report);
+    exit(0);
+}
+
 name = kb_smb_name();
 login = kb_smb_login();
 pass  = kb_smb_password();
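Review bot: The early `exit(0)` after `security_hole(data:report)` means that whenever either NSE wrapper has stored a "conficker/nse" entry, this script's own SMB/registry check further down is never run, so the hole is filed purely on nmap's output without local corroboration. The NSE wrappers themselves file that same output only as `security_note`, so the severity is raised here without any additional evidence; if that is intended, a comment should say so, e.g. `# NSE output alone is treated as a confirmed hit; the SMB/registry check below is skipped in that case.` Also, since both wrappers write to the same KB key, `res` may hold several entries and each is appended verbatim into the report, which is fine but worth stating next to the `foreach`. The rest of the script body continues outside the hunk.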

Modified: trunk/openvas-plugins/scripts/nmap_nse/gb_nmap_p2p_conficker.nasl
===================================================================
--- trunk/openvas-plugins/scripts/nmap_nse/gb_nmap_p2p_conficker.nasl	2012-02-01 13:22:20 UTC (rev 12562)
+++ trunk/openvas-plugins/scripts/nmap_nse/gb_nmap_p2p_conficker.nasl	2012-02-01 13:39:16 UTC (rev 12563)
@@ -87,7 +87,7 @@
   port = 445;
 }
 
-argv = make_list("nmap", "--script=p2p-conficker.nse", "-p", port,
+argv = make_list("nmap", "-vv", "--script=p2p-conficker.nse", "-p", port,
                   get_host_ip());
 
 ## Get the preferences
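Review bot: The new `-vv` flag on the nmap command line is undocumented in the hunk; presumably it is required for p2p-conficker to print its per-check results into `result`, but a reader cannot tell that from the code. Add a short comment above the `argv` line, e.g. `# -vv: increase verbosity so that the script's check results appear in the output that is parsed below.`, hedged or adjusted to whatever the actual reason is. The enclosing script continues outside the hunk.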
@@ -171,6 +171,9 @@
     msg = string('Result found by Nmap Security Scanner (p2p-conficker.nse) ',
                 'http://nmap.org:\n\n', result);
     security_note(data : msg, port:port);
+
+    if ("INFECTED" >< result)
+      set_kb_item(name:"conficker/nse", value:result);
   }
 }
 else
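Review bot: `"INFECTED" >< result` is a plain substring test on the whole multi-line nmap output, and the full `result` string is then stored under "conficker/nse", so every line nmap printed — not just the Conficker verdict — is later reproduced by conficker.nasl as evidence of infection; the same applies to the identical addition in gb_nmap_smb_check_vulns.nasl, where (judging by the script name) `result` may also contain findings from unrelated checks. If nmap ever emits a negated wording containing the same token, the substring test would also match it, so consider anchoring on the exact verdict line nmap prints rather than the bare word. The single-statement `if` body should also be braced for consistency with the surrounding code: `if ("INFECTED" >< result) {` / `  set_kb_item(name:"conficker/nse", value:result);` / `}`. The enclosing `if` block starts outside the hunk.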

Modified: trunk/openvas-plugins/scripts/nmap_nse/gb_nmap_smb_check_vulns.nasl
===================================================================
--- trunk/openvas-plugins/scripts/nmap_nse/gb_nmap_smb_check_vulns.nasl	2012-02-01 13:22:20 UTC (rev 12562)
+++ trunk/openvas-plugins/scripts/nmap_nse/gb_nmap_smb_check_vulns.nasl	2012-02-01 13:39:16 UTC (rev 12563)
@@ -168,6 +168,9 @@
     msg = string('Result found by Nmap Security Scanner (smb-check-vulns.nse) ',
                 'http://nmap.org:\n\n', result);
     security_note(data : msg, port:port);
+
+    if ("INFECTED" >< result)
+      set_kb_item(name:"conficker/nse", value:result);
   }
 }
 else


