Taking Apart the Energizer Trojan

iago-vL writes "Researchers at SkullSecurity have written a tutorial on how they reverse engineered the Energizer Trojan and generated an Nmap probe to remotely detect infections. The Energizer Trojan is a great educational tool because its inner workings are very simplistic, and it makes minimal efforts to hide itself or conceal its purpose; it even lists what appears to be the author's name — 'liuhong' — in the source! The article provides an introduction to malware analysis, from infecting a test machine to debugging and disassembling the Trojan to writing the actual probe."

Multi-page article

[LostCluster]

I tried to RTFA, but it keeps going and going and going.

Re:

[Wowsers]

Maybe you're thinking of the wrong brand?

Re:

[LostCluster]

No, I'm mocking the Energizer Bunny campaign of ads a robotic bunny left the set of its own ad and started interrupting other ads for fictional products.

Re:

[causality]

No...no, I would call a crappy ancient ad campaign that successfully implanted itself into the internal consciousness of a weak-minded Slashdot poster.

That's how I feel about practically every pop-culture reference that is ever posted to Slashdot. The less relevant to the discussion the reference is, the more this is so.

Re:Multi-page article

[maxume]

It must suck to have to start disliking stuff just because some plebs found out about it.

Re:

[causality]

It must suck to have to start disliking stuff just because some plebs found out about it.

I appreciate your accusation of allowing the crowd to determine my tastes, and I'm not surprised the mods rewarded you for taking the low-hanging fruit of going that route. But in truth I can like a thing and not like constant irrelevant (or barely-relevant) references to it. The map is not the territory; if I think the map is shoddy, it is not the same thing as refusing to set foot on the territory.

Re:

[Nazlfrag]

You're just lucky you have that bunny burned into your psyche. I'm stuck with Jacko. [youtube.com] *shudder*

Re:

[electrons_are_brave]

Thanks a lot, I had repressed that till now.

Re:

[electrons_are_brave]

Oh damn you to hell! Suddenly "I'm an individual! An inder-bloody-vidual" is going round and round my head. @#$%!! http://www.youtube.com/watch?v=g0Q5JFHrGNk [youtube.com]

Re:Multi-page article

[Anonymous Coward]

He accurately recalls something he hasn't seen for years and this makes him weak-minded? Is this because you do not find the information valuable? Is the definition of a strong mind then only one that stores what you believe one should store? Perhaps you could publish a paper describing the sorts of things we should be memorizing to strengthen our minds.

Re:Multi-page article

[t0p]

Jeeze, you're mean! The Energizer Bunny is not the product of a "crappy ancient ad campaign"... the creature's a freaking icon! And although I can't remember the exact ad where the rabbit escapes its own ad to invade others, there have been plenty of others featuring the creature. I saw one just the other day. And it seems to me that Energizer Bunny ads have been run since forever! Well, I can't remember a time BEB (Before Energizer Bunny) so that means the thing's been around for at least 20 years! I haven't checked the fount of all human knowledge [wikipedia.org] yet, but I'm sure it will confirm my beliefs.

Go anywhere in the world, find someone who watches commercial TV with any sort of regularity and show him a picture of the Bunny - I'll bet you 1000-1 he'll know who it is. That creature isn't just an icon - it's up there with Mickey Mouse, Jesus Christ and Coca Cola. Get down on your knees and beg the Bunny-God for forgiveness!

Re:

[t0p]

Well, I can't remember a time BEB (Before Energizer Bunny) so that means the thing's been around for at least 20 years! I haven't checked the fount of all human knowledge [wikipedia.org] yet, but I'm sure it will confirm my beliefs.

From the fount of all human knowledge [wikipedia.org]:

The Energizer Bunny is the marketing icon and mascot of Energizer batteries in North America. It is a pink toy rabbit wearing sunglasses and blue and white striped sandals that beats a bass drum bearing the Energizer logo. It is a parody of the preexistent Duracell Bunny, seen in Europe and Australia. It has been appearing in television commercials in North America since 1989.

Actually I think the very first battery bunny ad I can remember is the Duracell guy with the drum. But that's irrelevant - it's the Energizer Bunny who's the daddy now!

Re:

[Hylandr]

I would *SO* Buy a crate of Energizer condoms...

- Dan.

Re:Multi-page article

[socsoc]

Like you have a use for condoms, Dan.

Re:

[electrons_are_brave]

Wow - right up till I checked with Wikipedia, I though you were all talking about the Duracell Bunny http://en.wikipedia.org/wiki/Duracell_Bunny [wikipedia.org] I hadn't realised that there was an Energizer Bunny, or maybe I just hadn't spotted that there were two different bunny species advertising two different batteries.

Maybe we didn't get the EB in Australia because the DB predated it?

Re:

[electrons_are_brave]

I've checked - Duracell Bunny was born 1973, the EB was born 1989. EB was born in a parody ad of the DB commercial.

Re:

[Runaway1956]

Actually, the Energizer Bunny commercials are some of the greatest commercials ever produced. They rank right up there with the Pace Picante Sauce commercials. "Get a rope!"

And, this from a guy who watches little television, and absolutely HATES marketing of any kind. Both were truly amusing series of commercials, that lasted for years, and must have actually affected shopping habits, or they wouldn't have lasted so long.

Re:

[neltana]

Maybe you're thinking of the wrong brand?

No, I'm mocking the Energizer Bunny campaign of ads a robotic bunny left the set of its own ad and started interrupting other ads for fictional products.

Whether you recognize the Duracell Bunny or the Energizer Bunny as a simple of everlasting battery life depends on where you are from. In Europe and Australia, Duracell has trademarked the use, in the U.S., Energizer did (they were the jonny-come-lately).

Did I just BLOW YOU MIND!

Re:

[neltana]

Symbol...a symbol of everlasting battery life...not simple.

Darn you "typing the wrong word"! You get me every time!

Re:

[xonar]

Maybe you're thinking of the wrong brand?

No, I'm mocking the Energizer Bunny campaign of ads a robotic bunny left the set of its own ad and started interrupting other ads for fictional products.

Whether you recognize the Duracell Bunny or the Energizer Bunny as a simple of everlasting battery life depends on where you are from. In Europe and Australia, Duracell has trademarked the use, in the U.S., Energizer did (they were the jonny-come-lately).

Did I just BLOW YOU MIND!

YOU BLEW ME MIND MAN

Re:

[jrumney]

But the Duracell Bunny doesn't "keep going and going and ...", that's always been Energizer's catchphrase, bunny or idiotic bodybuilder.

Re:

[electrons_are_brave]

No, but they do "keep on keeping on".

Here is the original (1973) Duracell Bunny ad: http://www.youtube.com/watch?v=FNAKgApo72U&feature=related [youtube.com] and the original EB ad: http://www.youtube.com/watch?v=qiFQsxGUQOI&feature=related [youtube.com]

Re:

[DeadDecoy]

I tried to RTFA, but slashdot killed the bunny.

Extra strength Darnitol

[tepples]

Darn it all... [youtube.com]

Re:Multi-page article

[iago-vL]

Haha, I hadn't even thought of that!

I originally wrote it as a single page, but 60 images + that much text was too much, so I broke it into 4 pages. For what it's worth, I don't have any ads or anything so it's not like I'm profiting from it.

Re:

[RegTooLate]

Your article is excellent, thanks for the information.

Connection refused

[The MAZZTer]

Don't worry, it looks like it's stopped now.

Re:

[kimvette]

Well when you f*** like rabbits you're bound to get a few infections now and then.

How About A Little Restraint?

[WrongSizeGlass]

Any reason they felt it necessary to use 'Trojan' and 'probe in the summary? Don't they know this is /. and it's going to generate a lot of immature posts (like this one)

Re:

[blair1q]

There've been a few bait-titled posts like this the past week.

They're softening us up for 4/1.

Re:

[AvitarX]

I thought OMG ponies was good.

Noooo!

[Ezekiel68]

Please don't do that. Those are the best condoms I've ever tried!

FOOLS!

[oldhack]

it even lists what appears to be the author's name -- 'liuhong' -- in the source!

That's what liuhong wants you to think!

Now if only...

[Manip]

Next challenge write an NMap probe that can defend them from this furious slashdotting that has thrown their site offline.

PS - I realise that makes no sense. But it sounds better than memcache filter or hammer control.

slashdotted. text-only googlecache.

[Anonymous Coward]

page 1: http://74.125.95.132/search?q=cache:http://www.skullsecurity.org/blog/%3Fp%3D627&hl=en&sa=G&strip=1 [74.125.95.132]
page 2: http://74.125.95.132/search?q=cache:http://www.skullsecurity.org/blog/%3Fp%3D645&hl=en&sa=G&strip=1 [74.125.95.132]
page 3: http://74.125.95.132/search?q=cache:http://www.skullsecurity.org/blog/%3Fp%3D647&hl=en&sa=G&strip=1 [74.125.95.132]
page 4: http://74.125.95.132/search?q=cache:http://www.skullsecurity.org/blog/%3Fp%3D649&hl=en&sa=G&strip=1 [74.125.95.132]

Shortage of malware to study?

[jjoelc]

The summary makes it sound like there is a shortage of malware for students to study... Maybe it is because of all the linux boxes in the academic labs??

Re:

[FlyingBishop]

Oh, they can study it, but can they study it safely? A worm, even in a firewalled virtual worm farm, is not something to be trifled with.

Well, and I mean you need to set up a firewalled virtual worm farm. This thing could conceivably be studied on an ordinary box without too much worry. Though a purpose-built VM is of course ideal.

Re:

[benthurston27]

It's sort of like how doctor's show the immune system a less dangerous version of a virus for it to study (as a vaccine). The students study this trojan so they can recognize the real thing.

In related news...

[gmuslera]

... a metalic robot disguised as human is going door by door killing all the Liu Gongs on the phone guide of Pekin. There is only one John Connor, but countless bunnies in the future.

Obfuscation.

[bigattichouse]

So the question is - is there buried obfiscated code - wow, look how open this is, hiding more malicious stuff in slightly more complex layers

Woman's fantasy

[ianare]

Energizer and trojans combined : a woman's dreams come true.

Re:

[jrumney]

Maybe she wants to share with her friends who don't have enough Energizers.

Re:

[Greyfox]

Electrified for her pleasure? Ever put a 9 volt battery on your tongue? I don't think anyone wants that near their junk...

Re:

[Anonymous Coward]

Believe it or not some people get off on it. I bought one for the wife a while back.

http://en.wikipedia.org/wiki/Violet_wand [wikipedia.org]

Posted anonymously in my freaky corner.

New Nmap 5.30BETA1 Release

[fv]

We just today released Nmap 5.30BETA1 [seclists.org], which contains the version detection signature described in this post for detecting the Energizer trojan. It also includes a detection and exploitation script for a major Mac OS X vulnerability [cqure.net] which Nmap developer Patrik Karlsson found last month and Apple finally patched this morning. There are about 100 other changes as well, including 37 new NSE scripts [nmap.org]. You can download it free here [nmap.org].

Pardon the Nmap promotion, but it seemed on-topic for the story.