Detecting Conficker with NMAP or scs

Conficker isn't nearly this cuteTomorrow is April 1st, and apart from funny pranks and silly hats — the Conficker worm will rear its ugly head. As recently as yesterday, some early (not that early I realize) detection programs are available. And they’re free.

The first is simple to use, but slow as crap. In the author’s defense, it’s just a proof of concept. But it works. 🙂 It’s written in Python, and has both the python script (which requires some additional libraries in Linux) and a windows version that is all built into a package.

This site has links to both versions, along with some instructions. It seems to be able to keep up with the traffic it’s getting, whereas some other sites are getting crumbled as admins scramble to sniff their networks.

The second method uses a brand spanking new version of NMAP to do the detecting. The advantage is it’s much quicker at scanning larger networks. The disadvantage is it requires a bit of commandline fu. Fear not, it’s as easy as copy/paste.

First, get the version for your operating system. NOTE: You MUST get nmap-4.85BETA5 because earlier versions won’t scan for Conficker.

Once you install nmap, you’ll want to run the command:

nmap -PN -d -p445 –script=smb-check-vulns –script-args=safe=1 [network_range]

Where [network_range] is something like 10.10.5.1-255 or even 10.10.0.0/16.

You’ll need to look through the results for information like:

Host script results:
| smb-check-vulns:
| MS08-067: FIXED
| Conficker: Likely INFECTED
|_ regsvc DoS: VULNERABLE

And then fix/patch those hosts. I’d suggest sending the results to a text file, and grepping for the word VULNERABLE or INFECTED — but those types of instructions are beyond the scope of this quick hack of a post. 🙂

21 thoughts on “Detecting Conficker with NMAP or scs”

  1. In Windows you need to open a command window. (Start | Run | type “cmd” | enter)

    Change to the directory you extracted the .zip file into.

    To scan a single IP address, type scanner.exe [ip_address]

    To scan a range of IP addresses, type scs.exe [first_ip_in_range] [last_ip_in_range]

    Or just type the file.exe program with no arguments for instructions to be displayed on the screen.

    Cheers! 🙂

    Reply
  2. Great summary, Shawn. Couple of add’l notes. First, the author of the smb-check-vulns script (Ron Bowes) has some very recent updates on his blog and yes, that site is being hit pretty hard right now, don’t expect ninja-like-speed. To even save a visit, I’ll summarize…

    *ahem*

    The 4.85BETA5 version of nmap does return some false positives and will, under some circumstances, fail to even run the script on machines when it should (that one bit me). The author is keeping the code updated by the minute and has fixed these bugs, but hasn’t (yet) released a BETA6. The easiest way for you to keep up is with his SVN repository. Instructions are on the website above, but in an effort to save mouse-clicks, I’ll copy ‘n’ paste:

    svn co –username=guest –password=”
    svn://svn.insecure.org/nmap
    cd nmap
    ./configure
    make
    make install

    This is source code and built fine in my Slackware install, YMMV…

    Reply
  3. I’ve come across a strange issue, not sure if it means computers are infected, but whenever I try to scan using scs or nmap the machine being scanned will go offline, and needs a reboot to get connectivity again. I’m running windows updates and antivirus right now just in case. Have you seen this problem?

    Reply
  4. Alex:

    I haven’t seen the problem — but like Matt mentions, NMAP has caused a few issues, especially if used with the unsafe=1 flag.

    I’d probably follow that link I gave to MWT from the local machine in question, run Stinger, and see what it finds.

    Reply
  5. Pingback: Anonymous
  6. Any idea what this year’s version may be? I’m a computer repair intern and would love to surprise my boss by being head’s up on something like this! I doubt they would be considerate enough to newbie pc techs like me and just call it conficker 2.0!

    Reply
  7. Back in March 2009 here was the word: “Millions of PCs have been infected with the Conficker worm, and word has it the program may cause mischief tomorrow—April Fool’s Day. But routing it out needn’t be difficult, the AP reports.

    Conficker Worm wants to remain undetected, as Conficker Worm downloads more malware onto your computer, contacts ISPs to get directions from a hacker, and places your computer in the Conficker Worm botnet.”

    I was looking for it on the machines I support.

    However, my existing anti-malware tools did their job. We came out clean.

    However, Shawn the work you did back then was helpful to those who were in trouble.

    Therefore, keep up the good work.

    Johnnie James
    The Malware Killer
    Computer Repair Santa Monica

    Reply

Leave a Comment