We received some good responses regarding Conficker detection recently. Here are a couple of hints for people who are actively fighting infections on their networks. Update 1: Fellow handler Andre Ludwig points out some additional information about the hints above. First, the nmap detection may only detect one or two variants of Conficker: the p2p-conficker.nse script states that it detects Conficker.C and higher. For a script that attempts to identify older versions of Conficker, check out the scs2.py script from here: http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker -Kyle Haugsness
Kyle (112 Posts), Sep 26th 2009
Consider monitoring your DNS queries. Conficker.C has some ccTLDs such as AG, BO, LC, HN, PE (see http://extraexploit.blogspot.com/2009/04/conficker-first-20-days-tld-algorithm.html).
Anonymous, Sep 28th 2009
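The DNS-monitoring idea in the comment above, worked into a small detector as an added example (this is not code from the ISC diary, its commenters, or the linked blog post). It assumes a simple constructed query-log format of "timestamp client qname rcode"; the watched ccTLD list is the one the comment names, and the reporting threshold is an assumed value chosen for illustration, not something the page specifies.

```python
"""Flag clients whose DNS queries look like Conficker.C domain generation.

Added example, not from the ISC diary or its comments. Assumes a constructed
log format: "<timestamp> <client-ip> <qname> <rcode>". The ccTLD list comes
from the comment above; the threshold is an assumption for illustration.
"""
from collections import defaultdict

# ccTLDs the comment above names as used by Conficker.C's domain algorithm.
WATCHED_CCTLDS = {"ag", "bo", "lc", "hn", "pe"}

# Assumed threshold: distinct watched-ccTLD domains one client must query
# before it is reported. Tune this for your own environment.
DISTINCT_DOMAIN_THRESHOLD = 5

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2009-09-28T10:00:01 10.1.1.7 www.example.com NOERROR
2009-09-28T10:00:02 10.1.1.7 mail.example.com NOERROR
2009-09-28T10:00:03 10.1.1.9 qzlmvb.ag NXDOMAIN
2009-09-28T10:00:03 10.1.1.9 wkpuec.bo NXDOMAIN
2009-09-28T10:00:04 10.1.1.9 rmtnxa.lc NXDOMAIN
2009-09-28T10:00:04 10.1.1.9 hdqwer.hn NXDOMAIN
2009-09-28T10:00:05 10.1.1.9 fnbzyl.pe NXDOMAIN
2009-09-28T10:00:05 10.1.1.9 ulcvrq.ag NXDOMAIN
2009-09-28T10:00:06 10.1.1.12 news.example.pe NOERROR
"""


def parse_line(line):
    """Return (client, qname, rcode) for one log line, or None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, client, qname, rcode = parts
    return client, qname.rstrip(".").lower(), rcode.upper()


def tld_of(qname):
    """Last label of the query name, e.g. 'ag' for 'qzlmvb.ag'."""
    return qname.rsplit(".", 1)[-1]


def registered_domain(qname):
    """Collapse 'a.b.example.ag' to 'example.ag' so subdomains count once."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def summarize(log_text):
    """Map client -> {'domains': set, 'nxdomain': int} for watched ccTLDs only."""
    stats = defaultdict(lambda: {"domains": set(), "nxdomain": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, qname, rcode = rec
        if tld_of(qname) not in WATCHED_CCTLDS:
            continue
        stats[client]["domains"].add(registered_domain(qname))
        if rcode == "NXDOMAIN":
            stats[client]["nxdomain"] += 1
    return stats


def suspicious_clients(log_text, threshold=DISTINCT_DOMAIN_THRESHOLD):
    """Clients that queried at least `threshold` distinct watched-ccTLD domains.

    Returns a sorted list of (client, distinct_domains, nxdomain_count).
    Ordinary traffic to one or two real hosts in .pe stays under the
    threshold; a DGA client burns through many unregistered names and
    mostly gets NXDOMAIN back, so both counts climb together.
    """
    hits = []
    for client, s in summarize(log_text).items():
        if len(s["domains"]) >= threshold:
            hits.append((client, len(s["domains"]), s["nxdomain"]))
    return sorted(hits)


if __name__ == "__main__":
    for client, n_dom, n_nx in suspicious_clients(SAMPLE_LOG):
        print(f"{client}: {n_dom} distinct watched-ccTLD domains, {n_nx} NXDOMAIN")
```

The NXDOMAIN count is carried alongside the distinct-domain count because it is the cheaper signal to eyeball when triaging: a host with many distinct names under these ccTLDs and almost all of them unresolvable is a much stronger candidate than one that simply has a few real contacts in those countries.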
Please use option -n explicitly if you don't want the risk of too many DNS requests!

$ man nmap
...
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
...

lol @ "sometimes"
Anonymous, Sep 28th 2009