Tomorrow is April 1st, and apart from funny pranks and silly hats — the Conficker worm will rear its ugly head. As recently as yesterday, some early (not that early I realize) detection programs are available. And they’re free.
The first is simple to use, but slow as crap. In the author’s defense, it’s just a proof of concept. But it works. 
It’s written in Python, and has both the python script (which requires some additional libraries in Linux) and a windows version that is all built into a package.
This site has links to both versions, along with some instructions. It seems to be able to keep up with the traffic it’s getting, whereas some other sites are getting crumbled as admins scramble to sniff their networks.
The second method uses a brand spanking new version of NMAP to do the detecting. The advantage is it’s much quicker at scanning larger networks. The disadvantage is it requires a bit of commandline fu. Fear not, it’s as easy as copy/paste.
First, get the version for your operating system. NOTE: You MUST get nmap-4.85BETA5 because earlier versions won’t scan for Conficker.
Once you install nmap, you’ll want to run the command:
nmap -PN -d -p445 –script=smb-check-vulns –script-args=safe=1 [network_range]
Where [network_range] is something like 10.10.5.1-255 or even 10.10.0.0/16.
You’ll need to look through the results for information like:
Host script results:
| smb-check-vulns:
| MS08-067: FIXED
| Conficker: Likely INFECTED
|_ regsvc DoS: VULNERABLE
And then fix/patch those hosts. I’d suggest sending the results to a text file, and grepping for the word VULNERABLE or INFECTED — but those types of instructions are beyond the scope of this quick hack of a post.
#1 by MWT on March 31, 2009 - 3:05 pm
Quote
Hmmm. Okay, so I downloaded the “easy but slow” thing, and upon opening it, there are three exe files. Which one should I click?
#2 by Shawn Powers on March 31, 2009 - 3:09 pm
Quote
In Windows you need to open a command window. (Start | Run | type “cmd” | enter)
Change to the directory you extracted the .zip file into.
To scan a single IP address, type scanner.exe [ip_address]
To scan a range of IP addresses, type scs.exe [first_ip_in_range] [last_ip_in_range]
Or just type the file.exe program with no arguments for instructions to be displayed on the screen.
Cheers!
#3 by Matt McMahon on March 31, 2009 - 3:16 pm
Quote
Great summary, Shawn. Couple of add’l notes. First, the author of the smb-check-vulns script (Ron Bowes) has some very recent updates on his blog and yes, that site is being hit pretty hard right now, don’t expect ninja-like-speed. To even save a visit, I’ll summarize…
*ahem*
The 4.85BETA5 version of nmap does return some false positives and will, under some circumstances, fail to even run the script on machines when it should (that one bit me). The author is keeping the code updated by the minute and has fixed these bugs, but hasn’t (yet) released a BETA6. The easiest way for you to keep up is with his SVN repository. Instructions are on the website above, but in an effort to save mouse-clicks, I’ll copy ‘n’ paste:
svn co –username=guest –password=” \
svn://svn.insecure.org/nmap
cd nmap
./configure
make
make install
This is source code and built fine in my Slackware install, YMMV…
#4 by Shawn Powers on March 31, 2009 - 3:21 pm
Quote
Thanks Matt!
#5 by MWT on March 31, 2009 - 3:26 pm
Quote
“The system cannot execute the specified program.” T.T
#6 by Shawn Powers on March 31, 2009 - 3:28 pm
Quote
MWT: Are you running Windows?
#7 by MWT on March 31, 2009 - 3:33 pm
Quote
Yeah, XP.
Well, it’s running on top of solaris, but it still needs to be scanned.
#8 by Shawn Powers on March 31, 2009 - 3:50 pm
Quote
MWT: For a single machine, try this: http://vil.nai.com/vil/averttools.aspx
The first link is Stinger, with support for Conficker.
#9 by alex on March 31, 2009 - 3:53 pm
Quote
I’ve come across a strange issue, not sure if it means computers are infected, but whenever I try to scan using scs or nmap the machine being scanned will go offline, and needs a reboot to get connectivity again. I’m running windows updates and antivirus right now just in case. Have you seen this problem?
#10 by Shawn Powers on March 31, 2009 - 3:55 pm
Quote
Alex:
I haven’t seen the problem — but like Matt mentions, NMAP has caused a few issues, especially if used with the unsafe=1 flag.
I’d probably follow that link I gave to MWT from the local machine in question, run Stinger, and see what it finds.
#11 by MWT on March 31, 2009 - 4:08 pm
Quote
Stinger is running on my computer now. Thanks!
#12 by MOM on March 31, 2009 - 6:50 pm
Quote
A BIG confused WHAT!
#13 by Paul Cafuk on March 31, 2009 - 10:21 pm
Quote
Thanks Shawn!! Good thing I decided to check my email! and I thought I was done working until tomoorow morning!!!
#14 by Shawn Powers on March 31, 2009 - 10:28 pm
Quote
Glad to help, Paul.
Pingback: Anonymous
#15 by Jose on April 2, 2009 - 12:36 pm
Quote
I wrote a small script that parses the nmap output and uses nbtscan to retrieve the netbios name and outputs vulnerable / infected machine in comma delimited format. It works well for us, hope it helps!
Download:
http://jdltech.com/conficker/
#16 by Shawn Powers on April 2, 2009 - 9:19 pm
Quote
Thanks a ton, Jose. That’s very useful.
#17 by MikeP on April 7, 2009 - 3:29 pm
Quote
Hey, Port 25 smtp is a no go…
Thanks.
#18 by LA Dude on March 10, 2010 - 4:46 am
Quote
Any idea what this year’s version may be? I’m a computer repair intern and would love to surprise my boss by being head’s up on something like this! I doubt they would be considerate enough to newbie pc techs like me and just call it conficker 2.0!