
Scanning for the Conficker Worm

April 1, 2009

The new nmap beta (4.85BETA6) can scan your network for Conficker activity. This is a quick, easy way to check whether you are infected. Be aware that there may be some false positives, but at least it will start you down the path of detection. This example uses a Debian Lenny machine to scan an entire /24 in less than 2 minutes: quick, easy and effective.

Download the nmap beta from HERE

Put the tarball in your /usr directory, then decompress and unpack it:

bzip2 -d nmap*

tar xvf nmap*

Now move into the directory it created, then build and install it (as root, since make install writes under /usr/local):

cd /usr/nmap-4.85BETA6
./configure
make
make install

If configure or make reports errors, fix them before continuing.

Now run the following command to look for the worm; change the network address to match your own. -PN skips host discovery (renamed -Pn in later nmap releases), -d turns on debug output (which is why the log below is so verbose), -p445 limits the scan to the SMB port the script needs, and the safe=1 script argument keeps smb-check-vulns from running its checks that could crash the target.

/usr/nmap-4.85BETA6# nmap -PN -d -p445 --script=smb-check-vulns --script-args=safe=1 192.168.5.0/24

Here is what you are looking for in the script output:
smb-check-vulns:
MS08-067: FIXED
Conficker: Likely INFECTED
regsvc DoS: VULNERABLE

The "Conficker: Likely INFECTED" line is the indicator of infection. Do not read "MS08-067: FIXED" as proof that the host was patched by Microsoft: Conficker closes the MS08-067 hole in memory on the machines it infects (to keep other worms out), and the script's Conficker check works precisely by telling that in-memory patch apart from the real one. Any host flagged as infected should be verified first, so that it is not a false positive, and then patched or rebuilt. Also note that the script can only run against hosts with TCP port 445 open: a host behind a firewall that drops SMB shows 445 as "filtered", and a Linux or other non-Windows host shows it as "closed", so neither can be assessed this way. That is the case for every host in the example output below, which is why it contains no smb-check-vulns results at all.

Warning: File ./nselib/ exists, but Nmap is using /usr/local/share/nmap/nselib/ for security and consistency reasons. set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).

Starting Nmap 4.85BETA6 ( http://nmap.org ) at 2009-04-01 06:29 MDT
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0
---------------------------------------------
Initiating ARP Ping Scan at 06:29
Scanning 100 hosts [1 port/host]
Packet capture filter (device eth0): arp and ether dst host 00:1B:FC:68:68:33
Completed ARP Ping Scan at 06:29, 0.84s elapsed (100 total hosts)
Overall sending rates: 235.14 packets / s, 9875.82 bytes / s.
mass_rdns: Using DNS server 12.32.36.123
Initiating Parallel DNS resolution of 100 hosts. at 06:29
mass_rdns: 0.25s 0/2 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 2]
Completed Parallel DNS resolution of 100 hosts. at 06:29, 0.26s elapsed
DNS resolution of 2 IPs took 0.26s. Mode: Async [#: 1, OK: 0, NX: 2, DR: 0, SF: 0, TR: 2, CN: 0]
Initiating Parallel DNS resolution of 1 host. at 06:29
mass_rdns: 0.00s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 06:29, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 06:29
Scanning 2 hosts [1 port/host]
Packet capture filter (device eth0): dst host 192.168.5.100 and (icmp or ((tcp or udp) and (src host 192.168.5.50 or src host 192.168.5.79)))
Completed SYN Stealth Scan at 06:29, 0.01s elapsed (2 total ports)
Overall sending rates: 335.01 packets / s, 14740.37 bytes / s.
NSE: Initiating script scanning.
NSE: Script scanning 2 hosts.
NSE: Initialized 1 rules
NSE: Matching rules.
NSE: Running scripts.
NSE: Script scanning completed.
Host 192.168.5.50 is up, received arp-response (0.00082s latency).
Scanned at 2009-04-01 06:29:01 MDT for 1s
Interesting ports on 192.168.5.50:
PORT STATE SERVICE REASON
445/tcp closed microsoft-ds reset
MAC Address: 00:40:63:E9:32:88 (VIA Technologies)
Final times for host: srtt: 825 rttvar: 4758 to: 100000

Host 192.168.5.79 is up, received arp-response (0.0071s latency).
Scanned at 2009-04-01 06:29:01 MDT for 1s
Interesting ports on 192.168.5.79:
PORT STATE SERVICE REASON
445/tcp closed microsoft-ds reset
MAC Address: 00:A0:C5:40:38:C1 (Zyxel Communication)
Final times for host: srtt: 7118 rttvar: 5901 to: 100000

Initiating ARP Ping Scan at 06:29
Scanning 155 hosts [1 port/host]
Packet capture filter (device eth0): arp and ether dst host 00:1B:FC:68:68:33
Completed ARP Ping Scan at 06:29, 1.68s elapsed (155 total hosts)
Overall sending rates: 184.24 packets / s, 7737.87 bytes / s.
Initiating Parallel DNS resolution of 155 hosts. at 06:29
mass_rdns: 0.14s 0/3 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 3]
Completed Parallel DNS resolution of 155 hosts. at 06:29, 0.15s elapsed
DNS resolution of 3 IPs took 0.15s. Mode: Async [#: 1, OK: 0, NX: 3, DR: 0, SF: 0, TR: 3, CN: 0]
Initiating SYN Stealth Scan at 06:29
Scanning 192.168.5.100 [1 port]
Packet capture filter (device lo): dst host 192.168.5.100 and (icmp or ((tcp or udp) and (src host 192.168.5.100)))
Completed SYN Stealth Scan at 06:29, 0.00s elapsed (1 total ports)
Overall sending rates: 3174.60 packets / s, 139682.54 bytes / s.
NSE: Initiating script scanning.
NSE: Script scanning 192.168.5.100.
NSE: Matching rules.
NSE: Running scripts.
NSE: Script scanning completed.
Host 192.168.5.100 is up, received user-set (0.000053s latency).
Scanned at 2009-04-01 06:29:04 MDT for 0s
Interesting ports on 192.168.5.100:
PORT STATE SERVICE REASON
445/tcp closed microsoft-ds reset
Final times for host: srtt: 53 rttvar: 5000 to: 100000

Initiating SYN Stealth Scan at 06:29
Scanning 3 hosts [1 port/host]
Packet capture filter (device eth0): dst host 192.168.5.100 and (icmp or ((tcp or udp) and (src host 192.168.5.101 or src host 192.168.5.102 or src host 192.168.5.222)))
Completed SYN Stealth Scan at 06:29, 0.21s elapsed (3 total ports)
Overall sending rates: 23.98 packets / s, 1055.22 bytes / s.
NSE: Initiating script scanning.
NSE: Script scanning 3 hosts.
NSE: Matching rules.
NSE: Running scripts.
NSE: Script scanning completed.
Host 192.168.5.101 is up, received arp-response (0.0052s latency).
Scanned at 2009-04-01 06:29:02 MDT for 2s
Interesting ports on 192.168.5.101:
PORT STATE SERVICE REASON
445/tcp closed microsoft-ds reset
MAC Address: 00:11:95:69:2E:F8 (D-Link)
Final times for host: srtt: 5195 rttvar: 4440 to: 100000

Host 192.168.5.102 is up, received arp-response (0.00043s latency).
Scanned at 2009-04-01 06:29:02 MDT for 2s
Interesting ports on 192.168.5.102:
PORT STATE SERVICE REASON
445/tcp filtered microsoft-ds no-response
MAC Address: 00:0C:F1:D1:7E:E5 (Intel)
Final times for host: srtt: 434 rttvar: 3805 to: 100000

Host 192.168.5.222 is up, received arp-response (0.0080s latency).
Scanned at 2009-04-01 06:29:02 MDT for 2s
Interesting ports on 192.168.5.222:
PORT STATE SERVICE REASON
445/tcp filtered microsoft-ds no-response
MAC Address: 00:14:BF:7F:59:B0 (Cisco-Linksys)
Final times for host: srtt: 8046 rttvar: 8046 to: 100000

Read from /usr/local/share/nmap: nmap-mac-prefixes nmap-services.
Nmap done: 254 IP addresses (6 hosts up) scanned in 3.29 seconds
Raw packets sent: 515 (21.646KB) | Rcvd: 11 (456B)
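As an added example (my code, not from the post or from the nmap project), the script below wraps the scan command from the post and triages its normal-format output, so that hosts reporting "Conficker: Likely INFECTED" are listed apart from hosts that could not be assessed because TCP/445 was closed or filtered. It assumes an nmap build that ships smb-check-vulns (4.85BETA6 in the post) on PATH, drops the -d flag and saves normal output with -oN instead. The sample output it parses is constructed in the 4.85BETA6 layout, not a real capture; the .60 and .61 hosts in it are invented to exercise the infected and clean branches.

```shell
#!/bin/sh
# Added example, not from the original post. Runs the scan from the post and
# triages the normal-format (-oN) output into: INFECTED, CLEAN, UNKNOWN and
# NOT-ASSESSED (445 closed/filtered, so smb-check-vulns never ran).

# run_scan NETWORK OUTFILE: the command from the post without -d, with normal
# output saved to OUTFILE. Needs raw-socket privileges, as in the post.
run_scan() {
    nmap -PN -p445 --script=smb-check-vulns --script-args=safe=1 \
        -oN "$2" "$1"
}

# triage OUTFILE: prints "<ip> <verdict>" per host, in scan order.
triage() {
    awk '
    # 4.85BETA6 prints "Interesting ports on X:"; later releases print
    # "Nmap scan report for X". A resolved name puts the IP in parentheses.
    /^Interesting ports on / || /^Nmap scan report for / {
        ip = $NF
        sub(/:$/, "", ip)
        gsub(/[()]/, "", ip)
        order[++n] = ip
        state[ip] = "unknown"; conf[ip] = ""
        cur = ip
        next
    }
    cur != "" && /^445\/tcp/ { state[cur] = $2; next }
    # Host script lines carry a "|  " or "|_ " prefix in -oN output.
    cur != "" {
        line = $0
        sub(/^[|]_? */, "", line)
        if (line ~ /^Conficker:/) {
            sub(/^Conficker: */, "", line)
            conf[cur] = line
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            ip = order[i]
            if (state[ip] != "open")
                v = "NOT-ASSESSED(445 " state[ip] ")"
            else if (conf[ip] ~ /INFECTED/) v = "INFECTED"
            else if (conf[ip] ~ /CLEAN/)    v = "CLEAN"
            else                            v = "UNKNOWN"
            print ip, v
        }
    }' "$1"
}

# Constructed sample in the 4.85BETA6 -oN layout (not a real capture). Hosts
# .60 and .61 are invented; .50 and .102 mirror the closed/filtered hosts in
# the post.
sample_output() {
    cat <<'EOF'
# Nmap 4.85BETA6 scan initiated Wed Apr  1 06:29:00 2009 as: nmap -PN -p445 --script=smb-check-vulns --script-args=safe=1 -oN scan.txt 192.168.5.0/24
Interesting ports on 192.168.5.50:
PORT    STATE  SERVICE
445/tcp closed microsoft-ds
MAC Address: 00:40:63:E9:32:88 (VIA Technologies)

Interesting ports on 192.168.5.60:
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|  MS08-067: FIXED
|  Conficker: Likely INFECTED
|_ regsvc DoS: VULNERABLE

Interesting ports on 192.168.5.61:
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|  MS08-067: FIXED
|  Conficker: Likely CLEAN
|_ regsvc DoS: NOT VULNERABLE

Interesting ports on 192.168.5.102:
PORT    STATE    SERVICE
445/tcp filtered microsoft-ds
MAC Address: 00:0C:F1:D1:7E:E5 (Intel)

# Nmap done at Wed Apr  1 06:29:04 2009 -- 254 IP addresses (4 hosts up) scanned in 3.29 seconds
EOF
}

# Stand-alone demo: triage the constructed sample instead of a live scan.
# Against a real network: run_scan 192.168.5.0/24 scan.txt && triage scan.txt
demo() {
    tmp=$(mktemp) || return 1
    sample_output > "$tmp"
    triage "$tmp"
    rm -f "$tmp"
}

demo
```

Hosts that come back NOT-ASSESSED are the ones the post warns about: firewalled or non-Windows machines that this method cannot judge either way, so they need a local check (or a scan from inside the firewall) rather than being counted as clean.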
