WithSecureLabs / doublepulsar-detection-script

A python2 script for sweeping a network to find windows systems compromised with the DOUBLEPULSAR implant.


Validate finding by communicating with the host

Viss opened this issue · comments

commented

So while the script finds hosts, there have been several discussions on Twitter regarding the authenticity of the findings. The easiest way to put these to bed is to actually utilize the ping functionality to do what it is designed to do, and to obtain some details about the host, which simply couldn't be done if the finding was a one-byte false positive.

The command-line version of the backdoor produces some fairly verbose output, and if this script could be modified to produce this same output, there would be zero question about false positives.

[attached screenshot]

I think the OS details come from earlier packets and so probably aren't a more reliable indicator of infection, but @FireFart added an awesome pull request to add in the XOR key details, which do come from the ping response, and so I've merged that in.
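As an added example, not code from this repository or from either participant in the thread: a Python 3 sketch of the kind of validation the issue asks for, parsing the reply to a DOUBLEPULSAR ping, telling the implant's answer apart from a normal server's by the SMB Multiplex ID, and pulling the XOR key and implant architecture out of the signature field. The 0x41-sent / 0x51-returned MID convention and the key derivation formula are taken from public DOUBLEPULSAR detection tooling and are assumptions here, not facts stated on this page; computing the key from the low 32 bits of the signature and reading the architecture from the high 32 bits is a design choice of this example. The packets it parses are constructed inline so it runs offline.

```python
import struct

# A 4-byte NetBIOS session header precedes the 32-byte SMB1 header, so the
# 8-byte SecuritySignature field sits at offset 18 and the Multiplex ID (MID)
# at offset 34 of the raw TCP payload.
SMB_SIG_OFFSET = 18
SMB_MID_OFFSET = 34

# Assumption (from public detection tooling, not from this page): the ping is
# sent with MID 0x41 and a DOUBLEPULSAR-infected host answers with MID 0x51.
PING_MID = 0x41
DOUBLEPULSAR_MID = 0x51


def xor_key_from_signature(sig_low32):
    """Derive the implant's XOR key from the low 32 bits of the signature field.

    Assumption: this is the derivation used by public DOUBLEPULSAR detection
    tools; this page does not state the formula itself.
    """
    s = sig_low32 & 0xFFFFFFFF
    x = (2 * s) ^ (((s & 0xFF00 | (s << 16)) << 8) | (((s >> 16) | s & 0xFF0000) >> 8))
    return x & 0xFFFFFFFF


def arch_from_signature(sig64):
    """High 32 bits of the signature: zero for an x86 implant, non-zero for x64."""
    return "x86 (32-bit)" if (sig64 >> 32) == 0 else "x64 (64-bit)"


def parse_ping_response(data):
    """Return None for a host that answered the ping normally, or a dict with
    MID, architecture and XOR key when the reply carries the implant's marker."""
    if len(data) < 36 or data[4:8] != b"\xffSMB":
        raise ValueError("not an SMB1 response")
    mid = struct.unpack_from("<H", data, SMB_MID_OFFSET)[0]
    if mid != DOUBLEPULSAR_MID:
        return None
    sig64 = struct.unpack_from("<Q", data, SMB_SIG_OFFSET)[0]
    return {
        "mid": mid,
        "arch": arch_from_signature(sig64),
        "xor_key": xor_key_from_signature(sig64 & 0xFFFFFFFF),
    }


def build_smb_response(mid, signature64):
    """Construct a minimal Trans2 reply (NetBIOS + SMB1 header) for testing.
    These bytes are made up for the example; they are not a captured packet."""
    hdr = b"\xffSMB"                        # protocol id
    hdr += struct.pack("<B", 0x32)          # SMB_COM_TRANSACTION2
    hdr += struct.pack("<I", 0)             # NT status: success
    hdr += struct.pack("<B", 0x98)          # flags: this is a reply
    hdr += struct.pack("<H", 0xC807)        # flags2 (irrelevant to the check)
    hdr += struct.pack("<H", 0)             # PIDHigh
    hdr += struct.pack("<Q", signature64)   # SecuritySignature, 8 bytes
    hdr += struct.pack("<H", 0)             # reserved
    hdr += struct.pack("<HHHH", 0x0800, 0xFEFF, 0x0800, mid)  # TID, PID, UID, MID
    assert len(hdr) == 32
    # NetBIOS session message: type 0x00 plus a 3-byte big-endian length
    return b"\x00" + struct.pack(">I", len(hdr))[1:] + hdr


if __name__ == "__main__":
    clean = build_smb_response(PING_MID, 0)
    infected = build_smb_response(DOUBLEPULSAR_MID, 0x12345678)
    print("clean host    ->", parse_ping_response(clean))
    print("infected host ->", parse_ping_response(infected))
```

A reply whose MID is still 0x41 is treated as a normal server response, so a single unexpected byte elsewhere in the packet does not produce a detection; only the 0x51 marker does, and the key and architecture then give the operator something concrete to report alongside the hit.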