[Openvas-commits] r12563 - in trunk/openvas-plugins: . scripts scripts/nmap_nse
scm-commit at wald.intevation.org
scm-commit at wald.intevation.org
Wed Feb 1 14:39:18 CET 2012
Author: hdoreau
Date: 2012-02-01 14:39:16 +0100 (Wed, 01 Feb 2012)
New Revision: 12563
Modified:
trunk/openvas-plugins/ChangeLog
trunk/openvas-plugins/scripts/conficker.nasl
trunk/openvas-plugins/scripts/nmap_nse/gb_nmap_p2p_conficker.nasl
trunk/openvas-plugins/scripts/nmap_nse/gb_nmap_smb_check_vulns.nasl
Log:
* scripts/nmap_nse/gb_nmap_p2p_conficker.nasl,
scripts/nmap_nse/gb_nmap_smb_check_vulns.nasl: Store results into KB
if target seems infected.
* scripts/conficker.nasl: Reports results from NSE when already
available.
Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog 2012-02-01 13:22:20 UTC (rev 12562)
+++ trunk/openvas-plugins/ChangeLog 2012-02-01 13:39:16 UTC (rev 12563)
@@ -1,3 +1,12 @@
+2012-02-01 Henri Doreau <henri.doreau at greenbone.net>
+
+ * scripts/nmap_nse/gb_nmap_p2p_conficker.nasl,
+ scripts/nmap_nse/gb_nmap_smb_check_vulns.nasl: Store results into KB
+ if target seems infected.
+
+ * scripts/conficker.nasl: Reports results from NSE when already
+ available.
+
2012-02-01 Antu Sanadi <santu at secpod.com>
* scripts/gb_fedora_2011_16284_krb5_fc15.nasl,
Modified: trunk/openvas-plugins/scripts/conficker.nasl
===================================================================
--- trunk/openvas-plugins/scripts/conficker.nasl 2012-02-01 13:22:20 UTC (rev 12562)
+++ trunk/openvas-plugins/scripts/conficker.nasl 2012-02-01 13:39:16 UTC (rev 12563)
@@ -28,6 +28,50 @@
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
+desc = "
+Overview: This host seems to be contaminated with infectious Conficker Worm.
+
+Vulnerability Insight:
+Conficker is a worm that spreads on Windows Platforms. This malware could
+spread Windows file shares protected with weak passwords or to which a
+logged on domain administrator has access, by copying itself to removable
+storage devices and by exploiting the MS08-067 Windows Server service
+vulnerability.
+
+This malware generates infections files to set up to run as a service and
+also using a random name when Windows starts under system32, and tries to
+modify permissions on the service registry entries so that they are not
+visible to the user. Such registry entries are under,
+'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost' and
+'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RANDOM_SERVICE_NAME'
+
+The plugin determines Conficker variants B or C. It likeley works against systems
+that allow anonymous login, otherwise Credentials can be supplied.
+
+Impact: Successful exploitation could allow remote attackers to take complete
+control of an affected system and capable of stealing all kind of sensitive
+information and can even spread accross the Network.
+
+Impact Level: System/Network.
+
+Affected Software/OS:
+Microsoft Windows 2K Service Pack 4 and prior.
+Microsoft Windows XP Service Pack 3 and prior.
+Microsoft Windows 2003 Service Pack 2 and prior.
+
+Fix: Run Windows Update and update the listed hotfixes or download
+and update mentioned hotfixes in the advisory from the below link,
+http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
+ and
+Use Conficker Removal Tools, or Known Security Products to remove
+conficker worm.
+
+References:
+http://www.dshield.org/diary.html?storyid=5860
+http://www.anti-spyware-101.com/remove-conficker
+http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/
+http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx";
+
if(description)
{
script_id(900091);
@@ -44,52 +88,9 @@
script_family("Malware");
script_name("Conficker Detection");
script_summary("Check for Conficker worm infected system");
- desc = "
- Overview: This host seems to be contaminated with infectious Conficker Worm.
-
- Vulnerability Insight:
- Conficker is a worm that spreads on Windows Platforms. This malware could
- spread Windows file shares protected with weak passwords or to which a
- logged on domain administrator has access, by copying itself to removable
- storage devices and by exploiting the MS08-067 Windows Server service
- vulnerability.
-
- This malware generates infections files to set up to run as a service and
- also using a random name when Windows starts under system32, and tries to
- modify permissions on the service registry entries so that they are not
- visible to the user. Such registry entries are under,
- 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost' and
- 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RANDOM_SERVICE_NAME'
-
- The plugin determines Conficker variants B or C. It likeley works against systems
- that allow anonymous login, otherwise Credentials can be supplied.
-
- Impact: Successful exploitation could allow remote attackers to take complete
- control of an affected system and capable of stealing all kind of sensitive
- information and can even spread accross the Network.
-
- Impact Level: System/Network.
-
- Affected Software/OS:
- Microsoft Windows 2K Service Pack 4 and prior.
- Microsoft Windows XP Service Pack 3 and prior.
- Microsoft Windows 2003 Service Pack 2 and prior.
-
- Fix: Run Windows Update and update the listed hotfixes or download
- and update mentioned hotfixes in the advisory from the below link,
- http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
- and
- Use Conficker Removal Tools, or Known Security Products to remove
- conficker worm.
-
- References:
- http://www.dshield.org/diary.html?storyid=5860
- http://www.anti-spyware-101.com/remove-conficker
- http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/
- http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx";
-
script_description(desc);
- script_dependencies("secpod_reg_enum.nasl");
+ script_dependencies("secpod_reg_enum.nasl", "nmap_nse/gb_nmap_p2p_conficker.nasl",
+ "nmap_nse/gb_nmap_smb_check_vulns.nasl");
script_require_ports(139, 445);
exit(0);
}
@@ -97,6 +98,20 @@
include("smb_nt.inc");
+
+# First of all check whether nmap already detected an infection.
+res = get_kb_list("conficker/nse");
+if (!isnull(res)) {
+ report = 'Nmap (http://nmap.org) has detected a possible infection:\n';
+
+ foreach msg (res) {
+ report += msg + '\n';
+ }
+ report += '\n\n' + desc;
+ security_hole(data:report);
+ exit(0);
+}
+
name = kb_smb_name();
login = kb_smb_login();
pass = kb_smb_password();
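Review bot: The new KB branch calls `security_hole` on any entry stored under "conficker/nse" without looking at the value, so the severity of this finding is decided entirely by the substring test the two nmap_nse wrappers use when they store it. Re-checking the verdict on this side, e.g. `if ("Likely INFECTED" >< msg) report += msg + '\n';` and only escalating when at least one entry matched, keeps a loose upstream match from turning into a high-severity result (confirm the exact NSE wording before relying on it). The report header also says "possible infection", which reads oddly next to a security_hole; if the verdict is meant to be tentative, `security_warning` would match the text. A one-line comment would help the next reader see why `desc` was hoisted to file scope in the first hunk: `# 'desc' is defined at file scope because the NSE-based report below appends it outside description mode.` The SMB-based check that follows continues outside the hunk.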
Modified: trunk/openvas-plugins/scripts/nmap_nse/gb_nmap_p2p_conficker.nasl
===================================================================
--- trunk/openvas-plugins/scripts/nmap_nse/gb_nmap_p2p_conficker.nasl 2012-02-01 13:22:20 UTC (rev 12562)
+++ trunk/openvas-plugins/scripts/nmap_nse/gb_nmap_p2p_conficker.nasl 2012-02-01 13:39:16 UTC (rev 12563)
@@ -87,7 +87,7 @@
port = 445;
}
-argv = make_list("nmap", "--script=p2p-conficker.nse", "-p", port,
+argv = make_list("nmap", "-vv", "--script=p2p-conficker.nse", "-p", port,
get_host_ip());
## Get the preferences
@@ -171,6 +171,9 @@
msg = string('Result found by Nmap Security Scanner (p2p-conficker.nse) ',
'http://nmap.org:\n\n', result);
security_note(data : msg, port:port);
+
+ if ("INFECTED" >< result)
+ set_kb_item(name:"conficker/nse", value:result);
}
}
else
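Review bot: The check `if ("INFECTED" >< result)` before the closing braces treats any occurrence of the word anywhere in the nmap output as a positive verdict, and the identical test is added in the gb_nmap_smb_check_vulns.nasl hunk below. As far as I recall, smb-check-vulns emits an UNKNOWN verdict whose explanatory text ends in "(possibly INFECTED)", and the `-vv` now passed to p2p-conficker in the first hunk adds per-check detail lines, so an undetermined or clean host can be written to the KB and then escalated by conficker.nasl. Anchoring on the summary line instead, `if ("Likely INFECTED" >< result)`, limits the stored value to actual positive verdicts; verify the marker against the NSE output of the nmap version in use before changing both scripts. The if/foreach that these lines sit in starts above the hunk.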
Modified: trunk/openvas-plugins/scripts/nmap_nse/gb_nmap_smb_check_vulns.nasl
===================================================================
--- trunk/openvas-plugins/scripts/nmap_nse/gb_nmap_smb_check_vulns.nasl 2012-02-01 13:22:20 UTC (rev 12562)
+++ trunk/openvas-plugins/scripts/nmap_nse/gb_nmap_smb_check_vulns.nasl 2012-02-01 13:39:16 UTC (rev 12563)
@@ -168,6 +168,9 @@
msg = string('Result found by Nmap Security Scanner (smb-check-vulns.nse) ',
'http://nmap.org:\n\n', result);
security_note(data : msg, port:port);
+
+ if ("INFECTED" >< result)
+ set_kb_item(name:"conficker/nse", value:result);
}
}
else