Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Locate Conficker infected hosts with a network scan!

Published: 2009-03-30
Last Updated: 2009-03-30 22:15:31 UTC
by Daniel Wesemann (Version: 4)
5 comment(s)

The Honeynet Project has discovered an anomaly in Conficker that makes it possible to detect infected hosts with an elaborate fingerprint scan over the network. This is great news if you suspect an infection and have no other means to check, or if you simply want to double-check information that your other defense mechanisms (IDS, AntiVirus, etc) provide.

The write-up and scanning tool are available on the Honeynet Website.
Nessus Plug-In 36036: www.nessus.org
Instructions on how to scan for Conficker with NMAP: http://www.skullsecurity.org/blog/?p=209 . http://seclists.org/nmap-dev/2009/q1/0869.html has specific tips on how to scan large networks with the new NMAP feature.

Be careful when searching for any of these tools with a search engine. A good part of the search results returned on the keyword "Conficker" are scare-ware and fake anti-virus that try to cash in on the Conficker scare. We have a summary of removal tools with links available on isc.sans.org/conficker

The Honeynet project have also published a new write-up at http://www.honeynet.org/papers/conficker

Keywords: conficker
5 comment(s)
Diary Archives