Anyone used this tool to scan for Conficker?
http://www.doxpara.com/?p=1285
http://iv.cs.uni-bonn.de/uploads/media/scs.zip

Taming Conficker, The Easy Way

We may not know what the Conficker authors have in store for us on
April 1st, but I doubt many network administrators want to find out.
Maybe they don't have to:  I've been working with the Honeynet
Project's Tillmann Werner and Felix Leder, who have been digging into
Conficker's profile on the network.  What we've found is pretty cool:
Conficker actually changes what Windows looks like on the network, and
this change can be detected remotely, anonymously, and very, very
quickly.  You can literally ask a server if it's infected with
Conficker, and it will tell you.  Tillmann and Felix have their own
proof of concept scanner, and with the help of Securosis' Rich Mogull
and the multivendor Conficker Working Group, enterprise-class scanners
should already be out from Tenable (Nessus), McAfee/Foundstone, nmap,
ncircle, and Qualys.

On Tue, Mar 31, 2009 at 4:25 PM, Tim Mugherini <[email protected]> wrote:
> Thanks, just read that too.
>
> On 3/31/09, Nick Baronian <[email protected]> wrote:
>> I believe vulnerable machines will crash.
>> http://seclists.org/nmap-dev/2009/q1/0878.html
>>
>> If you were getting mixed results you might want to re-grab the latest svn.
>> It has been patched several times already today and corrected some issues I
>> was seeing.
>>
>> 2009/3/31 Tim Mugherini <[email protected]>
>>
>>> I got that too; went with --script-args unsafe=1 and it seems to work for most.
>>>
>>> Think someone mentioned that yesterday somewhere.
>>>
>>> Not sure what the downside may be.
>>>
>>> 2009/3/31 Dan Baxter <[email protected]>
>>>
>>>> Thanks!  That helps a lot.  However, my results aren't quite what I'd
>>>> hoped.  For every machine that has 445 open, I get the result below.  What
>>>> would make the Conficker scan fail?  Suggestions?  Thanks
>>>>
>>>> PORT    STATE SERVICE
>>>> 445/tcp open  microsoft-ds
>>>>
>>>> Host script results:
>>>> |  smb-check-vulns:
>>>> |  MS08-067: FIXED
>>>> |  Conficker: ERROR: SMB: Failed to receive bytes: ERROR
>>>> |_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
>>>>
>>>> Dan Baxter
>>>> -------------------------------------------------
>>>> Quis custodiet ipsos custodes?
>>>>
>>>>
>>>> 2009/3/31 Russell Butturini <[email protected]>
>>>>
>>>>> I found you need to add the -vv (very verbose) flag using that
>>>>> command.  Otherwise you don't see the script results.  See below:
>>>>>
>>>>> Discovered open port 445/tcp on x.x.x.x
>>>>> Completed SYN Stealth Scan at 09:29, 0.00s elapsed (1 total ports)
>>>>> NSE: Initiating script scanning.
>>>>> Initiating NSE at 09:29
>>>>> Completed NSE at 09:29, 0.50s elapsed
>>>>> Host x.x.x.x appears to be up ... good.
>>>>> Scanned at 2009-03-31 09:29:47 Central Daylight Time for 1s
>>>>> Interesting ports on x.x.x.x:
>>>>> PORT    STATE SERVICE
>>>>> 445/tcp open  microsoft-ds
>>>>> MAC Address: 00:11:25:E9:04:52 (IBM)
>>>>>
>>>>> Host script results:
>>>>> |  smb-check-vulns:
>>>>> |  MS08-067: FIXED
>>>>> |  Conficker: Likely CLEAN
>>>>>
>>>>> From: [email protected] [mailto:[email protected]]
>>>>> On Behalf Of Dan Baxter
>>>>> Sent: Tuesday, March 31, 2009 9:01 AM
>>>>> To: PaulDotCom Security Weekly Mailing List
>>>>> Subject: Re: [Pauldotcom] Scanning for Confiker via nmap
>>>>>
>>>>> So forgive my lack of nmap-fu, but if I run this what am I looking for?
>>>>> I get back responses that list some with 445 open, some closed and a few
>>>>> filtered.  How do I determine which may be infected?
>>>>>
>>>>> For clarification, I'm running nmap -p 445 --script smb-check-vulns.nse
>>>>>
>>>>> Thanks
>>>>>
>>>>> Dan Baxter
>>>>> -------------------------------------------------
>>>>> Quis custodiet ipsos custodes?
>>>>>
>>>>> _______________________________________________
>>>>> Pauldotcom mailing list
>>>>> [email protected]
>>>>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>>>> Main Web Site: http://pauldotcom.com
>>>>>
>>>
>>
>
> --
> Sent from my mobile device
>
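An added example, not code from the thread or from nmap itself: a small POSIX shell helper that runs the sweep the thread is discussing and then answers Dan's question ("how do I determine which may be infected?") from the saved report instead of by eye. It keeps the two points the thread established: -vv is needed for the host script results to appear in normal output, and --script-args=unsafe=1 is left out because it enables the regsvc DoS check that can crash vulnerable hosts. The target range, the output file name and the two-host sample report are constructed placeholders; the parser accepts both the 2009-era "Interesting ports on X:" host header and the newer "Nmap scan report for X" header.

```shell
#!/bin/sh
# Added example, not from the thread or from nmap. Sweep TCP/445 with the
# smb-check-vulns script and summarise each host's Conficker verdict.
#
# Assumptions (placeholders, not from the thread): the target range and
# output file passed to conficker_sweep, and the constructed sample
# report in demo_report.

# Run the sweep. -vv is required for "Host script results" to be printed
# in normal output. --script-args=unsafe=1 is deliberately NOT passed: it
# turns on the regsvc DoS check, which can crash unpatched hosts, so add
# it only where that outcome is acceptable.
conficker_sweep() {
    target="$1"
    out="$2"
    nmap -vv -p 445 --script smb-check-vulns -oN "$out" "$target"
}

# Print "host<TAB>verdict" for every host in a normal-format (-oN) nmap
# report, read from the file named in $1 or from stdin when no file is
# given. The verdict is whatever the script printed after "Conficker:".
conficker_summary() {
    awk '
        /^Interesting ports on / || /^Nmap scan report for / {
            host = $NF
            gsub(/[():]/, "", host)   # drop "(" ")" and the trailing ":"
        }
        /^[|][ _] *Conficker:/ {
            verdict = $0
            sub(/.*Conficker: */, "", verdict)
            printf "%s\t%s\n", host, verdict
        }
    ' "$@"
}

# Hosts that still need attention: anything not reported "Likely CLEAN".
# An ERROR from the script (as in Dan's output) is inconclusive, not clean,
# so it is kept in this list rather than silently dropped.
conficker_followup() {
    conficker_summary "$@" | awk -F '\t' '$2 != "Likely CLEAN"'
}

# Constructed sample report (two hosts, modelled on the output quoted in
# the thread; the second uses the newer host header) so the parser can be
# exercised offline without a live scan.
demo_report() {
    cat <<'EOF'
Interesting ports on 10.0.0.5:
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|  MS08-067: FIXED
|  Conficker: ERROR: SMB: Failed to receive bytes: ERROR
|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

Nmap scan report for 10.0.0.6
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|  MS08-067: FIXED
|  Conficker: Likely CLEAN
|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
EOF
}

# Demo against the constructed report. A live run would be:
#   conficker_sweep 192.168.1.0/24 conficker.nmap && conficker_followup conficker.nmap
demo_report | conficker_followup
```

On a real sweep the follow-up list is the set of hosts to check by hand: an ERROR usually means the SMB exchange did not complete (firewall, a non-Windows SMB stack, or a host that went away mid-scan), so rescan those before treating them as clean. In current nmap releases the checks from smb-check-vulns have been split into separate scripts, including smb-vuln-conficker and smb-vuln-ms08-067; the script name in conficker_sweep and the "Conficker:" match in the parser would need to be adjusted to that output.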