Slashdot Mirror

← Back to Stories (view on slashdot.org)

Taking Apart the Energizer Trojan

Posted by Soulskill on from the dissecting-the-pink-rabbit dept.

iago-vL writes "Researchers at SkullSecurity have written a tutorial on how they reverse engineered the Energizer Trojan and generated an Nmap probe to remotely detect infections. The Energizer Trojan is a great educational tool because its inner workings are very simplistic, and it makes minimal efforts to hide itself or conceal its purpose; it even lists what appears to be the author's name — 'liuhong' — in the source! The article provides an introduction to malware analysis, from infecting a test machine to debugging and disassembling the Trojan to writing the actual probe."

55 comments

  1. Multi-page article by LostCluster · · Score: 3, Funny

    I tried to RTFA, but it keeps going and going and going.

    1. Re:Multi-page article by Wowsers · · Score: 2, Funny

      Maybe you're thinking of the wrong brand?

      --
      Take Nobody's Word For It.
    2. Re:Multi-page article by DeadDecoy · · Score: 1

      I tried to RTFA, but slashdot killed the bunny.

    3. Re:Multi-page article by LostCluster · · Score: 1

      No, I'm mocking the Energizer Bunny campaign of ads a robotic bunny left the set of its own ad and started interrupting other ads for fictional products.

    4. Re:Multi-page article by iago-vL · · Score: 5, Informative

      Haha, I hadn't even thought of that!

      I originally wrote it as a single page, but 60 images + that much text was too much, so I broke it into 4 pages. For what it's worth, I don't have any ads or anything so it's not like I'm profiting from it.

      --
      http://www.skullsecurity.org/blog/
    5. Re:Multi-page article by causality · · Score: 1

      No...no, I would call a crappy ancient ad campaign that successfully implanted itself into the internal consciousness of a weak-minded Slashdot poster.

      That's how I feel about practically every pop-culture reference that is ever posted to Slashdot. The less relevant to the discussion the reference is, the more this is so.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    6. Re:Multi-page article by Anonymous Coward · · Score: 5, Insightful

      He accurately recalls something he hasn't seen for years and this makes him weak-minded? Is this because you do not find the information valuable? Is the definition of a strong mind then only one that stores what you believe one should store? Perhaps you could publish a paper describing the sorts of things we should be memorizing to strengthen our minds.

    7. Re:Multi-page article by maxume · · Score: 5, Insightful

      It must suck to have to start disliking stuff just because some plebs found out about it.

      --
      Nerd rage is the funniest rage.
    8. Re:Multi-page article by t0p · · Score: 4, Funny

      Jeeze, you're mean! The Energizer Bunny is not the product of a "crappy ancient ad campaign"... the creature's a freaking icon! And although I can't remember the exact ad where the rabbit escapes its own ad to invade others, there have been plenty of others featuring the creature. I saw one just the other day. And it seems to me that Energizer Bunny ads have been run since forever! Well, I can't remember a time BEB (Before Energizer Bunny) so that means the thing's been around for at least 20 years! I haven't checked the fount of all human knowledge yet, but I'm sure it will confirm my beliefs.

      Go anywhere in the world, find someone who watches commercial TV with any sort of regularity and show him a picture of the Bunny - I'll bet you 1000-1 he'll know who it is. That creature isn't just an icon - it's up there with Mickey Mouse, Jesus Christ and Coca Cola. Get down on your knees and beg the Bunny-God for forgiveness!

      --
      http://ihatehate.wordpress.com
    9. Re:Multi-page article by t0p · · Score: 2, Informative

      Well, I can't remember a time BEB (Before Energizer Bunny) so that means the thing's been around for at least 20 years! I haven't checked the fount of all human knowledge yet, but I'm sure it will confirm my beliefs.

      From the fount of all human knowledge:

      The Energizer Bunny is the marketing icon and mascot of Energizer batteries in North America. It is a pink toy rabbit wearing sunglasses and blue and white striped sandals that beats a bass drum bearing the Energizer logo. It is a parody of the preexistent Duracell Bunny, seen in Europe and Australia. It has been appearing in television commercials in North America since 1989.

      Actually I think the very first battery bunny ad I can remember is the Duracell guy with the drum. But that's irrelevant - it's the Energizer Bunny who's the daddy now!

      --
      http://ihatehate.wordpress.com
    10. Re:Multi-page article by neltana · · Score: 3, Informative

      Maybe you're thinking of the wrong brand?

      No, I'm mocking the Energizer Bunny campaign of ads a robotic bunny left the set of its own ad and started interrupting other ads for fictional products.

      Whether you recognize the Duracell Bunny or the Energizer Bunny as a simple of everlasting battery life depends on where you are from. In Europe and Australia, Duracell has trademarked the use, in the U.S., Energizer did (they were the jonny-come-lately).

      Did I just BLOW YOU MIND!

    11. Re:Multi-page article by neltana · · Score: 1

      Symbol...a symbol of everlasting battery life...not simple.

      Darn you "typing the wrong word"! You get me every time!

    12. Re:Multi-page article by Hylandr · · Score: 1

      I would *SO* Buy a crate of Energizer condoms...

      - Dan.

      --
      ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
    13. Re:Multi-page article by xonar · · Score: 2, Informative

      Maybe you're thinking of the wrong brand?

      No, I'm mocking the Energizer Bunny campaign of ads a robotic bunny left the set of its own ad and started interrupting other ads for fictional products.

      Whether you recognize the Duracell Bunny or the Energizer Bunny as a simple of everlasting battery life depends on where you are from. In Europe and Australia, Duracell has trademarked the use, in the U.S., Energizer did (they were the jonny-come-lately).

      Did I just BLOW YOU MIND!

      YOU BLEW ME MIND MAN

    14. Re:Multi-page article by socsoc · · Score: 3, Funny

      Like you have a use for condoms, Dan.

    15. Re:Multi-page article by Runaway1956 · · Score: 1

      Actually, the Energizer Bunny commercials are some of the greatest commercials ever produced. They rank right up there with the Pace Picante Sauce commercials. "Get a rope!"

      And, this from a guy who watches little television, and absolutely HATES marketing of any kind. Both were truly amusing series of commercials, that lasted for years, and must have actually affected shopping habits, or they wouldn't have lasted so long.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    16. Re:Multi-page article by RegTooLate · · Score: 1

      Your article is excellent, thanks for the information.

    17. Re:Multi-page article by jrumney · · Score: 1

      But the Duracell Bunny doesn't "keep going and going and ...", that's always been Energizer's catchphrase, bunny or idiotic bodybuilder.

    18. Re:Multi-page article by Anonymous Coward · · Score: 0

      Well, I must admit defeating Darth Vader was fairly awesome for a fluffy pink bunny.

    19. Re:Multi-page article by Nazlfrag · · Score: 1

      You're just lucky you have that bunny burned into your psyche. I'm stuck with Jacko. *shudder*

    20. Re:Multi-page article by electrons_are_brave · · Score: 1

      Thanks a lot, I had repressed that till now.

    21. Re:Multi-page article by electrons_are_brave · · Score: 1

      Wow - right up till I checked with Wikipedia, I though you were all talking about the Duracell Bunny http://en.wikipedia.org/wiki/Duracell_Bunny I hadn't realised that there was an Energizer Bunny, or maybe I just hadn't spotted that there were two different bunny species advertising two different batteries.

      Maybe we didn't get the EB in Australia because the DB predated it?

    22. Re:Multi-page article by electrons_are_brave · · Score: 1

      I've checked - Duracell Bunny was born 1973, the EB was born 1989. EB was born in a parody ad of the DB commercial.

    23. Re:Multi-page article by electrons_are_brave · · Score: 1

      No, but they do "keep on keeping on".

      Here is the original (1973) Duracell Bunny ad: http://www.youtube.com/watch?v=FNAKgApo72U&feature=related and the original EB ad: http://www.youtube.com/watch?v=qiFQsxGUQOI&feature=related

    24. Re:Multi-page article by kimvette · · Score: 2, Funny

      Well when you f*** like rabbits you're bound to get a few infections now and then.

      --
      The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
    25. Re:Multi-page article by electrons_are_brave · · Score: 1

      Oh damn you to hell! Suddenly "I'm an individual! An inder-bloody-vidual" is going round and round my head. @#$%!! http://www.youtube.com/watch?v=g0Q5JFHrGNk

    26. Re:Multi-page article by Anonymous Coward · · Score: 0

      Definitely not going to read TFA.

    27. Re:Multi-page article by causality · · Score: 1

      It must suck to have to start disliking stuff just because some plebs found out about it.

      I appreciate your accusation of allowing the crowd to determine my tastes, and I'm not surprised the mods rewarded you for taking the low-hanging fruit of going that route. But in truth I can like a thing and not like constant irrelevant (or barely-relevant) references to it. The map is not the territory; if I think the map is shoddy, it is not the same thing as refusing to set foot on the territory.

      --
      It is a miracle that curiosity survives formal education. - Einstein
  2. How About A Little Restraint? by WrongSizeGlass · · Score: 2, Funny

    Any reason they felt it necessary to use 'Trojan' and 'probe in the summary? Don't they know this is /. and it's going to generate a lot of immature posts (like this one)

    1. Re:How About A Little Restraint? by blair1q · · Score: 2, Insightful

      There've been a few bait-titled posts like this the past week.

      They're softening us up for 4/1.

    2. Re:How About A Little Restraint? by Anonymous Coward · · Score: 0

      There've been a few bait-titled posts like this the past week.

      They're softening us up for 4/1.

      Damn. I'm still trying to recover from OMG PONIES from several years back. I'd like to think that The Editors would do something genuinely funny/original/witty for 4/1 (even doing NOTHING would be acceptable). Alas, I'm not holding my breath.

    3. Re:How About A Little Restraint? by AvitarX · · Score: 1

      I thought OMG ponies was good.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
  3. Noooo! by Ezekiel68 · · Score: 1

    Please don't do that. Those are the best condoms I've ever tried!

    --
    Imagination is more important than knowledge -Einstien
  4. FOOLS! by oldhack · · Score: 3, Funny

    it even lists what appears to be the author's name -- 'liuhong' -- in the source!

    That's what liuhong wants you to think!

    --
    Fuck systemd. Fuck Redhat. Fuck Soylent, too. Wait, scratch the last one.
  5. Now if only... by Manip · · Score: 1

    Next challenge write an NMap probe that can defend them from this furious slashdotting that has thrown their site offline.

    PS - I realise that makes no sense. But it sounds better than memcache filter or hammer control.

    1. Re:Now if only... by Anonymous Coward · · Score: 0

      I dunno how this sounds to many folks out there in /. land, but why not view the cached page via Google/Bing/etc? At least you'd be able to view it without having to crash some poor guy's site...

  6. slashdotted. text-only googlecache. by Anonymous Coward · · Score: 5, Informative

    page 1: http://74.125.95.132/search?q=cache:http://www.skullsecurity.org/blog/%3Fp%3D627&hl=en&sa=G&strip=1
    page 2: http://74.125.95.132/search?q=cache:http://www.skullsecurity.org/blog/%3Fp%3D645&hl=en&sa=G&strip=1
    page 3: http://74.125.95.132/search?q=cache:http://www.skullsecurity.org/blog/%3Fp%3D647&hl=en&sa=G&strip=1
    page 4: http://74.125.95.132/search?q=cache:http://www.skullsecurity.org/blog/%3Fp%3D649&hl=en&sa=G&strip=1

  7. Shortage of malware to study? by jjoelc · · Score: 3, Funny

    The summary makes it sound like there is a shortage of malware for students to study... Maybe it is because of all the linux boxes in the academic labs??

    1. Re:Shortage of malware to study? by FlyingBishop · · Score: 1

      Oh, they can study it, but can they study it safely? A worm, even in a firewalled virtual worm farm, is not something to be trifled with.

      Well, and I mean you need to set up a firewalled virtual worm farm. This thing could conceivably be studied on an ordinary box without too much worry. Though a purpose-built VM is of course ideal.

    2. Re:Shortage of malware to study? by benthurston27 · · Score: 1

      It's sort of like how doctor's show the immune system a less dangerous version of a virus for it to study (as a vaccine). The students study this trojan so they can recognize the real thing.

  8. Connection refused by The+MAZZTer · · Score: 1

    Don't worry, it looks like it's stopped now.

  9. In related news... by gmuslera · · Score: 1

    ... a metalic robot disguised as human is going door by door killing all the Liu Gongs on the phone guide of Pekin. There is only one John Connor, but countless bunnies in the future.

  10. Obfuscation. by bigattichouse · · Score: 1

    So the question is - is there buried obfiscated code - wow, look how open this is, hiding more malicious stuff in slightly more complex layers

    --
    meh
  11. Extra strength Darnitol by tepples · · Score: 1

    Darn it all...

  12. Woman's fantasy by ianare · · Score: 4, Funny

    Energizer and trojans combined : a woman's dreams come true.

    1. Re:Woman's fantasy by Anonymous Coward · · Score: 0

      If she's got enough Energizers, who needs Trojans?

    2. Re:Woman's fantasy by jrumney · · Score: 1

      Maybe she wants to share with her friends who don't have enough Energizers.

    3. Re:Woman's fantasy by Greyfox · · Score: 1

      Electrified for her pleasure? Ever put a 9 volt battery on your tongue? I don't think anyone wants that near their junk...

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    4. Re:Woman's fantasy by Anonymous Coward · · Score: 1, Informative

      Believe it or not some people get off on it. I bought one for the wife a while back.

      http://en.wikipedia.org/wiki/Violet_wand

      Posted anonymously in my freaky corner.

  13. New Nmap 5.30BETA1 Release by fv · · Score: 5, Informative

    We just today released Nmap 5.30BETA1, which contains the version detection signature described in this post for detecting the Energizer trojan. It also includes a detection and exploitation script for a major Mac OS X vulnerability which Nmap developer Patrik Karlsson found last month and Apple finally patched this morning. There are about 100 other changes as well, including 37 new NSE scripts. You can download it free here.

    Pardon the Nmap promotion, but it seemed on-topic for the story.

  14. And here are the Videos by Anonymous Coward · · Score: 0

    Original Duracell commercial:
    http://www.youtube.com/watch?v=FNAKgApo72U

    Original Energizer Response:
    http://www.youtube.com/watch?v=5TBLQQAPS8c&feature=related

    Interestingly, Duracell seems to be bringing back their pink bunnies:
    http://www.youtube.com/watch?v=TYPuN6wJC9E