
Taking Apart the Energizer Trojan

Soulskill posted about 4 years ago | from the dissecting-the-pink-rabbit dept.

Section: Security (55 comments)

iago-vL writes "Researchers at SkullSecurity have written a tutorial on how they reverse engineered the Energizer Trojan and generated an Nmap probe to remotely detect infections. The Energizer Trojan is a great educational tool because its inner workings are very simplistic, and it makes minimal efforts to hide itself or conceal its purpose; it even lists what appears to be the author's name — 'liuhong' — in the source! The article provides an introduction to malware analysis, from infecting a test machine to debugging and disassembling the Trojan to writing the actual probe."


Multi-page article (3, Funny)

LostCluster (625375) | about 4 years ago | (#31661526)

I tried to RTFA, but it keeps going and going and going.

Re:Multi-page article (2, Funny)

Wowsers (1151731) | about 4 years ago | (#31661560)

Maybe you're thinking of the wrong brand?

Re:Multi-page article (1)

LostCluster (625375) | about 4 years ago | (#31661638)

No, I'm mocking the Energizer Bunny campaign of ads, where a robotic bunny left the set of its own ad and started interrupting other ads for fictional products.

Re:Multi-page article (-1, Troll)

DNS-and-BIND (461968) | about 4 years ago | (#31661750)

Are you sure you are mocking it? Or are you just repeating something that you saw on TV? You seem to have a great recall of the ads, which haven't been on TV for many years, as far as I can remember. You even remembered to properly capitalize the proper noun "Energizer Bunny". In my mind, this sort of parrotry isn't mockery. No...no, I would call it a crappy ancient ad campaign that successfully implanted itself into the internal consciousness of a weak-minded Slashdot poster.

Re:Multi-page article (1)

causality (777677) | about 4 years ago | (#31661806)

No...no, I would call it a crappy ancient ad campaign that successfully implanted itself into the internal consciousness of a weak-minded Slashdot poster.

That's how I feel about practically every pop-culture reference that is ever posted to Slashdot. The less relevant to the discussion the reference is, the more this is so.

Re:Multi-page article (5, Insightful)

maxume (22995) | about 4 years ago | (#31661842)

It must suck to have to start disliking stuff just because some plebs found out about it.

Re:Multi-page article (1)

causality (777677) | about 4 years ago | (#31667198)

It must suck to have to start disliking stuff just because some plebs found out about it.

I appreciate your accusation of allowing the crowd to determine my tastes, and I'm not surprised the mods rewarded you for taking the low-hanging fruit of going that route. But in truth I can like a thing and not like constant irrelevant (or barely-relevant) references to it. The map is not the territory; if I think the map is shoddy, it is not the same thing as refusing to set foot on the territory.

Re:Multi-page article (1)

Nazlfrag (1035012) | about 4 years ago | (#31665532)

You're just lucky you have that bunny burned into your psyche. I'm stuck with Jacko. [youtube.com] *shudder*

Re:Multi-page article (5, Insightful)

Anonymous Coward | about 4 years ago | (#31661838)

He accurately recalls something he hasn't seen for years and this makes him weak-minded? Is this because you do not find the information valuable? Is the definition of a strong mind then only one that stores what you believe one should store? Perhaps you could publish a paper describing the sorts of things we should be memorizing to strengthen our minds.

Re:Multi-page article (0)

Anonymous Coward | about 4 years ago | (#31666762)

Definitely not going to read TFA.

Re:Multi-page article (4, Funny)

t0p (1154575) | about 4 years ago | (#31662040)

Jeeze, you're mean! The Energizer Bunny is not the product of a "crappy ancient ad campaign"... the creature's a freaking icon! And although I can't remember the exact ad where the rabbit escapes its own ad to invade others, there have been plenty of others featuring the creature. I saw one just the other day. And it seems to me that Energizer Bunny ads have been run since forever! Well, I can't remember a time BEB (Before Energizer Bunny) so that means the thing's been around for at least 20 years! I haven't checked the fount of all human knowledge [wikipedia.org] yet, but I'm sure it will confirm my beliefs.

Go anywhere in the world, find someone who watches commercial TV with any sort of regularity and show him a picture of the Bunny - I'll bet you 1000-1 he'll know who it is. That creature isn't just an icon - it's up there with Mickey Mouse, Jesus Christ and Coca Cola. Get down on your knees and beg the Bunny-God for forgiveness!

Re:Multi-page article (2, Informative)

t0p (1154575) | about 4 years ago | (#31662190)

Well, I can't remember a time BEB (Before Energizer Bunny) so that means the thing's been around for at least 20 years! I haven't checked the fount of all human knowledge [wikipedia.org] yet, but I'm sure it will confirm my beliefs.

From the fount of all human knowledge [wikipedia.org]:

The Energizer Bunny is the marketing icon and mascot of Energizer batteries in North America. It is a pink toy rabbit wearing sunglasses and blue and white striped sandals that beats a bass drum bearing the Energizer logo. It is a parody of the preexistent Duracell Bunny, seen in Europe and Australia. It has been appearing in television commercials in North America since 1989.

Actually I think the very first battery bunny ad I can remember is the Duracell guy with the drum. But that's irrelevant - it's the Energizer Bunny who's the daddy now!

And here are the Videos (0)

Anonymous Coward | about 4 years ago | (#31666422)

Original Duracell commercial:
http://www.youtube.com/watch?v=FNAKgApo72U

Original Energizer Response:
http://www.youtube.com/watch?v=5TBLQQAPS8c&feature=related

Interestingly, Duracell seems to be bringing back their pink bunnies:
http://www.youtube.com/watch?v=TYPuN6wJC9E

Re:Multi-page article (1)

electrons_are_brave (1344423) | about 4 years ago | (#31665920)

Wow - right up till I checked with Wikipedia, I thought you were all talking about the Duracell Bunny http://en.wikipedia.org/wiki/Duracell_Bunny [wikipedia.org]. I hadn't realised that there was an Energizer Bunny, or maybe I just hadn't spotted that there were two different bunny species advertising two different batteries.

Maybe we didn't get the EB in Australia because the DB predated it?

Re:Multi-page article (1)

Runaway1956 (1322357) | about 4 years ago | (#31663080)

Actually, the Energizer Bunny commercials are some of the greatest commercials ever produced. They rank right up there with the Pace Picante Sauce commercials. "Get a rope!"

And, this from a guy who watches little television, and absolutely HATES marketing of any kind. Both were truly amusing series of commercials, that lasted for years, and must have actually affected shopping habits, or they wouldn't have lasted so long.

Re:Multi-page article (0)

Anonymous Coward | about 4 years ago | (#31665512)

Well, I must admit defeating Darth Vader [youtube.com] was fairly awesome for a fluffy pink bunny.

Re:Multi-page article (3, Informative)

neltana (795825) | about 4 years ago | (#31662342)

Maybe you're thinking of the wrong brand?

No, I'm mocking the Energizer Bunny campaign of ads, where a robotic bunny left the set of its own ad and started interrupting other ads for fictional products.

Whether you recognize the Duracell Bunny or the Energizer Bunny as a simple of everlasting battery life depends on where you are from. In Europe and Australia, Duracell has trademarked the use; in the U.S., Energizer did (they were the johnny-come-lately).

Did I just BLOW YOU MIND!

Re:Multi-page article (1)

neltana (795825) | about 4 years ago | (#31662392)

Symbol...a symbol of everlasting battery life...not simple.

Darn you "typing the wrong word"! You get me every time!

Re:Multi-page article (2, Informative)

xonar (1069832) | about 4 years ago | (#31662716)

Maybe you're thinking of the wrong brand?

No, I'm mocking the Energizer Bunny campaign of ads, where a robotic bunny left the set of its own ad and started interrupting other ads for fictional products.

Whether you recognize the Duracell Bunny or the Energizer Bunny as a simple of everlasting battery life depends on where you are from. In Europe and Australia, Duracell has trademarked the use; in the U.S., Energizer did (they were the johnny-come-lately).

Did I just BLOW YOU MIND!

YOU BLEW ME MIND MAN

Re:Multi-page article (1)

jrumney (197329) | about 4 years ago | (#31665360)

But the Duracell Bunny doesn't "keep going and going and ...", that's always been Energizer's catchphrase, bunny or idiotic bodybuilder.

Re:Multi-page article (5, Informative)

iago-vL (760581) | about 4 years ago | (#31661662)

Haha, I hadn't even thought of that!

I originally wrote it as a single page, but 60 images + that much text was too much, so I broke it into 4 pages. For what it's worth, I don't have any ads or anything so it's not like I'm profiting from it.

Re:Multi-page article (2, Funny)

kimvette (919543) | about 4 years ago | (#31666044)

Well when you f*** like rabbits you're bound to get a few infections now and then.

How About A Little Restraint? (2, Funny)

WrongSizeGlass (838941) | about 4 years ago | (#31661588)

Any reason they felt it necessary to use 'Trojan' and 'probe' in the summary? Don't they know this is /. and it's going to generate a lot of immature posts (like this one)?

Re:How About A Little Restraint? (2, Insightful)

blair1q (305137) | about 4 years ago | (#31661870)

There've been a few bait-titled posts like this the past week.

They're softening us up for 4/1.

Re:How About A Little Restraint? (0)

Anonymous Coward | about 4 years ago | (#31662022)

There've been a few bait-titled posts like this the past week.

They're softening us up for 4/1.

Damn. I'm still trying to recover from OMG PONIES from several years back. I'd like to think that The Editors would do something genuinely funny/original/witty for 4/1 (even doing NOTHING would be acceptable). Alas, I'm not holding my breath.

you dont need it!!! (1)

Ingcuervo (1349561) | about 4 years ago | (#31661612)

There is no need for a "procedure" to get rid of a pink little bunny!!!!! They are just making you think that you NEED that procedure. Damn, I hate conspiracies!!!!

FOOLS! (3, Funny)

oldhack (1037484) | about 4 years ago | (#31661630)

it even lists what appears to be the author's name -- 'liuhong' -- in the source!

That's what liuhong wants you to think!

Re:FOOLS! (-1, Troll)

Anonymous Coward | about 4 years ago | (#31661812)

In Chinese, "liuhong" means "You're a dumbass".

Now if only... (1)

Manip (656104) | about 4 years ago | (#31661670)

Next challenge: write an Nmap probe that can defend them from this furious slashdotting that has thrown their site offline.

PS - I realise that makes no sense. But it sounds better than memcache filter or hammer control.

Re:Now if only... (0)

Anonymous Coward | about 4 years ago | (#31661886)

I dunno how this sounds to many folks out there in /. land, but why not view the cached page via Google/Bing/etc? At least you'd be able to view it without having to crash some poor guy's site...

Shortage of malware to study? (3, Funny)

jjoelc (1589361) | about 4 years ago | (#31661832)

The summary makes it sound like there is a shortage of malware for students to study... Maybe it is because of all the linux boxes in the academic labs??

Re:Shortage of malware to study? (1)

FlyingBishop (1293238) | about 4 years ago | (#31662082)

Oh, they can study it, but can they study it safely? A worm, even in a firewalled virtual worm farm, is not something to be trifled with.

Well, and I mean you need to set up a firewalled virtual worm farm. This thing could conceivably be studied on an ordinary box without too much worry. Though a purpose-built VM is of course ideal.

Re:Shortage of malware to study? (1)

benthurston27 (1220268) | about 4 years ago | (#31668012)

It's sort of like how doctors show the immune system a less dangerous version of a virus for it to study (as a vaccine). The students study this trojan so they can recognize the real thing.

In related news... (1)

gmuslera (3436) | about 4 years ago | (#31662014)

... a metallic robot disguised as a human is going door to door killing all the Liu Gongs in the phone guide of Pekin. There is only one John Connor, but countless bunnies in the future.

mod d0wn (-1, Offtopic)

Anonymous Coward | about 4 years ago | (#31662228)

infinitesimally and sling or table FUCKiNG USELESS Tossers, went out

Obfuscation. (1)

bigattichouse (527527) | about 4 years ago | (#31662352)

So the question is - is there buried obfuscated code? Wow, look how open this is, hiding more malicious stuff in slightly more complex layers.

Woman's fantasy (4, Funny)

ianare (1132971) | about 4 years ago | (#31662638)

Energizer and trojans combined: a woman's dreams come true.

Re:Woman's fantasy (0)

Anonymous Coward | about 4 years ago | (#31663386)

If she's got enough Energizers, who needs Trojans?

Re:Woman's fantasy (1)

Greyfox (87712) | about 4 years ago | (#31666602)

Electrified for her pleasure? Ever put a 9 volt battery on your tongue? I don't think anyone wants that near their junk...

New Nmap 5.30BETA1 Release (5, Informative)

fv (95460) | about 4 years ago | (#31663170)

We just today released Nmap 5.30BETA1 [seclists.org], which contains the version detection signature described in this post for detecting the Energizer trojan. It also includes a detection and exploitation script for a major Mac OS X vulnerability [cqure.net] which Nmap developer Patrik Karlsson found last month and Apple finally patched this morning. There are about 100 other changes as well, including 37 new NSE scripts [nmap.org]. You can download it free here [nmap.org].

Pardon the Nmap promotion, but it seemed on-topic for the story.