Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Locate Conficker infected hosts with a network scan!

Published: 2009-03-30
Last Updated: 2009-03-30 22:15:31 UTC
by Daniel Wesemann (Version: 4)
5 comment(s)

The Honeynet Project has discovered an anomaly in Conficker that makes it possible to detect infected hosts with an elaborate fingerprint scan over the network. This is great news if you suspect an infection and have no other means to check, or if you simply want to double-check information that your other defense mechanisms (IDS, AntiVirus, etc) provide.

The write-up and scanning tool are available on the Honeynet Website.
Nessus Plug-In 36036:
Instructions on how to scan for Conficker with NMAP: . has specific tips on how to scan large networks with the new NMAP feature.

Be careful when searching for any of these tools with a search engine. A good part of the search results returned on the keyword "Conficker" are scare-ware and fake anti-virus that try to cash in on the Conficker scare. We have a summary of removal tools with links available on

The Honeynet project have also published a new write-up at

Keywords: conficker
5 comment(s)
Diary Archives