Comments on: Detecting Conficker with NMAP or scs

By: Computer Repair Los Angeles|Marina Del Rey|Santa Monica

Computer Repair Los Angeles|Marina Del Rey|Santa Monica — Mon, 30 May 2011 01:24:56 +0000

Back in March 2009 here was the word: “Millions of PCs have been infected with the Conficker worm, and word has it the program may cause mischief tomorrow—April Fool’s Day. But routing it out needn’t be difficult, the AP reports.

Conficker Worm wants to remain undetected, as Conficker Worm downloads more malware onto your computer, contacts ISPs to get directions from a hacker, and places your computer in the Conficker Worm botnet.”

I was looking for it on the machines I support.

However, my existing anti-malware tools did their job. We came out clean.

However, Shawn the work you did back then was helpful to those who were in trouble.

Therefore, keep up the good work.

Johnnie James
The Malware Killer
Computer Repair Santa Monica

By: computer repair santa monica

computer repair santa monica — Sat, 28 May 2011 05:07:14 +0000

Nmap is a great tool all-around. I use it myself for network security and auditing systems. Also Shawn I think it’s great how you share your faith so openly. We’ve have a lot in common!

By: LA Dude

LA Dude — Wed, 10 Mar 2010 09:46:36 +0000

Any idea what this year’s version may be? I’m a computer repair intern and would love to surprise my boss by being head’s up on something like this! I doubt they would be considerate enough to newbie pc techs like me and just call it conficker 2.0!

By: MikeP

MikeP — Tue, 07 Apr 2009 20:29:49 +0000

Hey, Port 25 smtp is a no go…

Thanks.

By: Shawn Powers

Shawn Powers — Fri, 03 Apr 2009 02:19:44 +0000

Thanks a ton, Jose. That’s very useful.

By: Jose

Jose — Thu, 02 Apr 2009 17:36:49 +0000

I wrote a small script that parses the nmap output and uses nbtscan to retrieve the netbios name and outputs vulnerable / infected machine in comma delimited format. It works well for us, hope it helps!

Download:
http://jdltech.com/conficker/

By: Anonymous

Anonymous — Wed, 01 Apr 2009 06:15:45 +0000

[...] Detecting Conficker with NMAP or scs [...]

By: Shawn Powers

Shawn Powers — Wed, 01 Apr 2009 03:28:04 +0000

Glad to help, Paul.

By: Paul Cafuk

Paul Cafuk — Wed, 01 Apr 2009 03:21:12 +0000

Thanks Shawn!! Good thing I decided to check my email! and I thought I was done working until tomoorow morning!!!

By: MOM

MOM — Tue, 31 Mar 2009 23:50:40 +0000

A BIG confused WHAT!

By: MWT

MWT — Tue, 31 Mar 2009 21:08:00 +0000

Stinger is running on my computer now. Thanks!

By: Shawn Powers

Shawn Powers — Tue, 31 Mar 2009 20:55:14 +0000

Alex:

I haven’t seen the problem — but like Matt mentions, NMAP has caused a few issues, especially if used with the unsafe=1 flag.

I’d probably follow that link I gave to MWT from the local machine in question, run Stinger, and see what it finds.

By: alex

alex — Tue, 31 Mar 2009 20:53:03 +0000

I’ve come across a strange issue, not sure if it means computers are infected, but whenever I try to scan using scs or nmap the machine being scanned will go offline, and needs a reboot to get connectivity again. I’m running windows updates and antivirus right now just in case. Have you seen this problem?

By: Shawn Powers

Shawn Powers — Tue, 31 Mar 2009 20:50:55 +0000

MWT: For a single machine, try this: http://vil.nai.com/vil/averttools.aspx

The first link is Stinger, with support for Conficker.

By: MWT

MWT — Tue, 31 Mar 2009 20:33:15 +0000

Yeah, XP.

Well, it’s running on top of solaris, but it still needs to be scanned.

By: Shawn Powers

Shawn Powers — Tue, 31 Mar 2009 20:28:24 +0000

MWT: Are you running Windows?

By: MWT

MWT — Tue, 31 Mar 2009 20:26:53 +0000

“The system cannot execute the specified program.” T.T

By: Shawn Powers

Shawn Powers — Tue, 31 Mar 2009 20:21:12 +0000

Thanks Matt!

By: Matt McMahon

Matt McMahon — Tue, 31 Mar 2009 20:16:27 +0000

Great summary, Shawn. Couple of add’l notes. First, the author of the smb-check-vulns script (Ron Bowes) has some very recent updates on his blog and yes, that site is being hit pretty hard right now, don’t expect ninja-like-speed. To even save a visit, I’ll summarize…

*ahem*

The 4.85BETA5 version of nmap does return some false positives and will, under some circumstances, fail to even run the script on machines when it should (that one bit me). The author is keeping the code updated by the minute and has fixed these bugs, but hasn’t (yet) released a BETA6. The easiest way for you to keep up is with his SVN repository. Instructions are on the website above, but in an effort to save mouse-clicks, I’ll copy ‘n’ paste:

svn co –username=guest –password=”
svn://svn.insecure.org/nmap
cd nmap
./configure
make
make install

This is source code and built fine in my Slackware install, YMMV…

By: Shawn Powers

Shawn Powers — Tue, 31 Mar 2009 20:09:01 +0000

In Windows you need to open a command window. (Start | Run | type “cmd” | enter)

Change to the directory you extracted the .zip file into.

To scan a single IP address, type scanner.exe [ip_address]

To scan a range of IP addresses, type scs.exe [first_ip_in_range] [last_ip_in_range]

Or just type the file.exe program with no arguments for instructions to be displayed on the screen.

Cheers!

By: MWT

MWT — Tue, 31 Mar 2009 20:05:24 +0000

Hmmm. Okay, so I downloaded the "easy but slow" thing, and upon opening it, there are three exe files. Which one should I click?