Sunday, March 22, 2009

Satori, Linux version

Ok, been busy working on a command line version of Satori for Linux. There is certain functionality in the Windows version that I will not try to replicate in the command line version. Since I'm just outputting an overall score to the screen, some of the other things, such as ICMP sequence differences, will not be there.

So far I've ported the DHCP, TCP, p0f and ettercap stuff over.

It is written in Free Pascal (fpc) with the Lazarus IDE. Ultimately my goal is to get as much of it over to Linux as possible, and most likely to rewrite the whole thing in fpc so that I can have a GUI version on both Windows and Linux.

The main reason I'm writing it for Linux is so I can play with it on the wall-warts I wrote about a few weeks ago. Assuming I have some extra cash, I'll probably be ordering one in the near future. This will require me to compile it for ARM also; hopefully all goes well!

If anyone wants a copy, let me know.

Tuesday, March 17, 2009

Trojan.Flush.M and DHCP

Symantec has a nice writeup on this. It is a few months old, but a new variant appears to be running around now.

Now from an identification perspective, DHCP fingerprinting comes in quite nicely here! I was able to get someone to send me a packet capture of DHCP Offers and ACKs from a machine infected with the latest variant. I'd like to get a few others also, but have not had a chance to look into it much due to other projects and work.

I'll be adding the fingerprint to the dhcp.xml file shortly, assuming time permits. If anyone has packet captures from other variants of this trojan, or from others that are sending DHCP Offers/ACKs, please email them to me.
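As an added example, not Satori's own code and not its dhcp.xml format: a small Python check that pulls the option layout out of a DHCP Offer/ACK (the kind of signature a passive DHCP fingerprinter keys on) and flags replies whose server identifier is not a known DHCP server on the network. The packet samples and the allow-list are constructed for the demo.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie after the 236-byte BOOTP header
MSG_TYPES = {2: "Offer", 5: "ACK"}   # option 53 values this check cares about

def parse_dhcp_options(payload):
    """Return [(code, value), ...] in wire order from a raw BOOTP/DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    opts, i = [], 240
    while i < len(payload) and payload[i] != 255:   # 255 = End option
        if payload[i] == 0:                         # 0 = Pad, has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts.append((code, payload[i + 2:i + 2 + length]))
        i += 2 + length
    return opts

def ip(v):
    return ".".join(map(str, v))

def check_offer(payload, allowed_servers):
    """Fingerprint one Offer/ACK and flag it if option 54 names a server not on the allow-list."""
    opts = parse_dhcp_options(payload)
    mtype = next((v[0] for c, v in opts if c == 53), None)
    sid = next((ip(v) for c, v in opts if c == 54), None)
    dns = [ip(v[k:k + 4]) for c, v in opts if c == 6 for k in range(0, len(v), 4)]
    return {"type": MSG_TYPES.get(mtype, "?"), "server": sid, "dns": dns,
            "signature": ",".join(str(c) for c, _ in opts),   # option order = the fingerprint
            "rogue": sid not in allowed_servers}

def build_packet(options):
    """Constructed test packet: zeroed BOOTP reply header + cookie + options + End."""
    hdr = bytes([2, 1, 6, 0]) + b"\x00" * 232
    return hdr + MAGIC + b"".join(bytes([c, len(v)]) + v for c, v in options) + b"\xff"

# Constructed samples (not from the post's capture): a legitimate server at 192.168.1.1
# and an Offer from an unexpected host that also hands out its own address as DNS.
ALLOWED = {"192.168.1.1"}
LEGIT_ACK = build_packet([(53, b"\x05"), (54, bytes([192, 168, 1, 1])),
                          (1, bytes([255, 255, 255, 0])), (6, bytes([192, 168, 1, 1]))])
ROGUE_OFFER = build_packet([(53, b"\x02"), (54, bytes([192, 168, 1, 77])),
                            (51, struct.pack("!I", 3600)), (1, bytes([255, 255, 255, 0])),
                            (3, bytes([192, 168, 1, 1])), (6, bytes([192, 168, 1, 77]))])

def analyze_samples():
    """Run the check over both samples; in practice feed it UDP/68 payloads from a capture."""
    return [check_offer(p, ALLOWED) for p in (LEGIT_ACK, ROGUE_OFFER)]
```

The option-order string is what you would record per server type; the allow-list comparison is the quick win for spotting a workstation that has started answering DHCP.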