For a description of this category, see malware NSE category in the Nmap documentation.

Scripts

auth-spoof

Checks for an identd (auth) server which is spoofing its replies.

dns-zeustracker

Checks if the target IP range is part of a Zeus botnet by querying ZTDNS @ abuse.ch. Please review the following information before you start to scan:

ftp-proftpd-backdoor

Tests for the presence of the ProFTPD 1.3.3c backdoor reported as BID 45150. This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with the ftp-proftpd-backdoor.cmd script argument.

ftp-vsftpd-backdoor

Tests for the presence of the vsFTPd 2.3.4 backdoor reported on 2011-07-04 (CVE-2011-2523). This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with the exploit.cmd or ftp-vsftpd-backdoor.cmd script arguments.

http-google-malware

Checks if hosts are on Google's blacklist of suspected malware and phishing servers. These lists are constantly updated and are part of Google's Safe Browsing service.

http-malware-host

Looks for signature of known server compromises.

http-virustotal

Checks whether a file has been determined as malware by Virustotal. Virustotal is a service that provides the capability to scan a file or check a checksum against a number of the major antivirus vendors. The script uses the public API which requires a valid API key and has a limit on 4 queries per minute. A key can be acquired by registering as a user on the virustotal web page:

irc-unrealircd-backdoor

Checks if an IRC server is backdoored by running a time-based command (ping) and checking how long it takes to respond.

smb-double-pulsar-backdoor

Checks if the target machine is running the Double Pulsar SMB backdoor.

smtp-strangeport

Checks if SMTP is running on a non-standard port.