Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Malware Payload Code detection

🗓️ 11 Apr 2008 00:00:00Reported by TenableType 
nessus
 nessus🔗 www.tenable.com👁 25 Views

Malware Payload Code detection indicating remote service is distributing malware payload of worm/trojan horse, check system integrity and disinfec

Refs
Code
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

# This script was written by Michel Arboi <[email protected]>
#
# Many thanks to <[email protected]> for his help!

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(31854);
  script_version("1.15");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_name(english:"Malware Payload Code detection");

  script_set_attribute(attribute:"synopsis", value:
"The remote service seems to be distributing the payload of malware
code.");
  script_set_attribute(attribute:"description", value:
"The remote port seems to be sending the payload of a malware.  This is
used by some worms when spreading by infecting other hosts. 

The system is probably infected by a worm or a Trojan horse.");
  script_set_attribute(attribute:"see_also", value:"https://en.wikipedia.org/wiki/Storm_worm#Botnetting");
  script_set_attribute(attribute:"solution", value:
"Check your system integrity and disinfect it.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");

  script_set_attribute(attribute:"plugin_publication_date", value:"2008/04/11");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"asset_inventory", value:"True");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Backdoors");

  script_copyright(english:"This script is Copyright (C) 2008-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("find_service1.nasl", "find_service2.nasl");
  script_exclude_keys("global_settings/disable_service_discovery");

  exit(0);
}

#

include("global_settings.inc");
include("misc_func.inc");

global_var payloads;
global_var sci;

sci = 0;
payloads[sci++] = 
'\x83\xec\x20\x8b\xec\x89\x5d\x04\x89\x7d\x00\x81\xec\x00\x02\x00\x00\x89\x65\x14\x33\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x78\x08\x89\x7d\x08\xe8\x45\x00\x00\x00\x53\x56\x8b\x5f\x3c\x8b\x5c\x3b\x78\x03\xdf\x53\x8b\x5b\x20\x03\xdf\x53\x83\xc3\x04\x8b\x33\x03\xf7\x33\xc9\xac\x32\xc8\xc1\xc1\x05\x84\xc0\x75\xf6\x2b\xca\x75\xe9\x58\x2b\xd8\xd1\xeb\x5e\x03\x5e\x24\x03\xdf\x66\x8b\x0b\x8b\x5e\x1c\x03\xdf\x8b\x04\x8b\x03\xc7\x5e\x5b\xff\xe0\x5e\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\xba\x92\x6e\x04\x84\xff\xd6\x89\x45\x0c\x8b\xf8\x53\x6a\x04\x55\xff\x75\x04\xba\x00\x90\x66\xe0\xff\xd6\x83\xf8\x04\x0f\x85\xc5\x00\x00\x00\x8b\x7d\x08\xe8\x0d\x00\x00\x00';
payloads[sci++] = '\x68\x33\x32\x00\x00\x68\x57\x53\x32\x5F\x57\xFC\xE8\x4C\x00\x00\x00\x60\x8B\x6C\x24\x28\x8B\x45\x3C\x8B\x7C\x05\x78\x01\xEF\x8B\x4F\x18\x8B\x5F\x20\x01\xEB\xE3\x30\x49\x8B\x34\x8B\x01\xEE\x31\xC0\x99\xAC\x84\xC0\x74\x07\xC1\xCA\x0D\x01\xC2\xEB\xF4\x3B\x54\x24\x24\x75\xE3\x8B\x5F\x24\x01\xEB\x66\x8B\x0C\x4B\x8B\x5F\x1C\x01\xEB\x03\x2C\x8B\x89\x6C\x24\x1C\x61\xC2\x08\x00\x6A\x30\x59\x64\x8B\x31\x8B\x76\x0C\x8B\x76\x1C\xAD\x8B\x58\x08\x5E\x53\x68\x8E\x4E\x0E\xEC\xFF\xD6\x97\x53\x56\x57\x8D\x44\x24\x10\x50\xFF\xD7\x50\x50\x50\x68\xB6\x19\x18\xE7\xFF\xD6\x97\x68\xA4\x19\x70\xE9\xFF\xD6\x95\x68\x08\x92\xE2\xED\xFF\xD6\x50\x57\x55\x83\xEC\x10\x89\xE5\x89\xEE\x6A\x01\x6A\x00\x6A\x0C\x89\xE1\x6A\x00\x51\x56\xAD\x56\x53\x68\x80\x8F\x0C\x17\xFF\x55\x20\x89\xC7\xFF\xD0\x89\xE0\x6A\x00\x50\x8D\x75\x08\x56\x8D\x75\x0C\x56\xFF\xD7\x68\x43\x4D\x44\x00\x89\xE2\x31\xC0\x8D\x7A\xAC\x6A\x15\x59\xF3\xAB\x83\xEC\x54\xC6\x42\xBC\x44\x66\xC7\x42\xE8\x01\x01\x8B\x75\x08\x89\x72\xFC\x89\x72\xF8\x8B\x75\x04\x89\x72\xF4\x8D\x42\xBC\x54\x50\x51\x51\x51\x41\x51\x49\x51\x51\x52\x51\x53\x68\x72\xFE\xB3\x16\xFF\x55\x20\xFF\xD0\x31\xC0\xB4\x04\x96\x29\xF4\x89\xE7\x6A\x64\x53\x68\xB0\x49\x2D\xDB\xFF\x55\x20\xFF\xD0\x31\xC0\x50\x57\x50\x50\x50\xFF\x75\x0C\x53\x68\x11\xC4\x07\xB4\xFF\x55\x20\xFF\xD0\x85\xC0\x74\x74\x31\xC0\x3B\x07\x74\x36\xE8\x77\x00\x00\x00\x50\x89\xE1\x50\x51\x56\x57\xFF\x75\x0C\x53\x68\x16\x65\xFA\x10\xFF\x55\x20\xFF\xD0\x85\xC0\x74\x50\x31\xC0\x59\x39\xC8\x74\x11\x50\x51\x57\xFF\x75\x28\xFF\x55\x10\x31\xC9\x39\xC8\x7C\x3A\xEB\xAB\x89\xE0\xE8\x3F\x00\x00\x00\x31\xC0\x50\x56\x57\xFF\x75\x28\xFF\x55\x14\x31\xC9\x39\xC8\x7C\x86\x74\x1E\x51\x89\xE2\x51\x52\x50\x57\xFF\x75\x00\x53\x68\x1F\x79\x0A\xE8\xFF\x55\x20\xFF\xD0\x85\xC0\x74\x05\x31\xC0\x59\xEB\xC8\x53\x68\xEF\xCE\xE0\x60\xFF\x55\x20\x31\xC9\x51\xFF\xD0\x50\x54\x68\x7E\x66\x04\x80\xFF\x75\x28\xFF\x55\x18\x85\xC0\x58\x75\xE0\xC3';
# Add more horrors here!

short_payload_idx = sci;

# Part of the 1st blob -- very common in shell codes
# @loop:
# ac           lodsb
# 32 c8        xor cl, al
# c1 c1 05     rol ecx, 5
# 84 c0        test al, al
# 75 f6        jnz @loop
payloads[sci++] = '\xac\x32\xc8\xc1\xc1\x05\x84\xc0\x75\xf6';
# 13 is also a common argument to rol
payloads[sci++] = '\xac\x32\xc8\xc1\xc1\x0d\x84\xc0\x75\xf6';
# Part of the 2nd blob
# AC                 lodsb
# 84 C0              test    al, al
# 74 07              jz      short loc_3E
# C1 CA 0D           ror     edx, 0Dh
# 01 C2              add     edx, eax
# EB F4              jmp     short loc_32
payloads[sci++] = '\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4';

function test(port, banner)
{
 local_var	sh;
 foreach sh (payloads)
  if (sh >< banner)
  {
    if (strlen(sh) < 13)
      security_hole(port:port, extra:'A short pattern was used, you might need to analyze the payload further.');
    else
      security_hole(port);
    register_service(port: port, proto: 'malware-payload'); 
    exit(0);
  }
}

if (get_kb_item("global_settings/disable_service_discovery")) exit(0);

port = get_unknown_svc();
if (! port) exit(0);


if ( thorough_tests )
	dontfetch = 0;
else
	dontfetch = 1;

banner = get_unknown_banner(port: port, dontfetch: dontfetch);

if (strlen(banner) > 0)
 test(port: port, banner: banner);

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
11 Apr 2022 00:00Current
5.5Medium risk
Vulners AI Score5.5
remote service distributionmalware payloadwormtrojan horsesystem integritydisinfection
25