Locate Conficker infected hosts with a network scan!

Published: 2009-03-30. Last Updated: 2009-03-30 22:15:31 UTC
by Daniel Wesemann (Version: 4)
5 comment(s)

The Honeynet Project has discovered an anomaly in Conficker that makes it possible to detect infected hosts with an elaborate fingerprint scan over the network. This is great news if you suspect an infection and have no other means to check, or if you simply want to double-check information that your other defense mechanisms (IDS, AntiVirus, etc) provide.

The write-up and scanning tool are available on the Honeynet Website.
Nessus Plug-In 36036: www.nessus.org
Instructions on how to scan for Conficker with NMAP: http://www.skullsecurity.org/blog/?p=209 . http://seclists.org/nmap-dev/2009/q1/0869.html has specific tips on how to scan large networks with the new NMAP feature.

Be careful when searching for any of these tools with a search engine. A good part of the search results returned on the keyword "Conficker" are scare-ware and fake anti-virus that try to cash in on the Conficker scare. We have a summary of removal tools with links available on isc.sans.org/conficker

The Honeynet project have also published a new write-up at http://www.honeynet.org/papers/conficker

Keywords: conficker
5 comment(s)

Comments

What's the chances of a false positive? Any chance of the Python package getting me a bloody nose if I run the red flag up, based on its output ? From my reading, it does appear to scan for a specific response from a specific packet, but just wondering.. Thanks
Hi, http://www.doxpara.com/?p=1285 mentions that they expect tools to scan the network from mcafee, qualys soon. Havent found any Win binaries yet. Anyone know better?
there's also a nessus plugin, ID: 36036, if you're licensed. also available as an nmap script, smb-check-vulns.nse
Symantec Endpoint Protection detects and blocks the Conficker scan, both at the source workstation and the destination. If you run this on a network with SEP installed with Network Threat Protection enabled you will generate a lot of alerts.
Is something happening to download.insecure.org? maybe somebody updating files? maybe somebody causing problems?
i am getting a 403 message saying that there is additionally a 404 message.

Diary Archives