Hiya guys, this is a super quick post as I am busy at work, but as mentioned on the main site yesterday some knowledgeable guys from the Honeynet Project have identified the signatures of Conficker, so we can now try and identify infections.
I am focusing on testing this with Nmap as it's free, so here are some links to read as I don't currently have time to do the write-ups, sorry.
http://blog.commandlinekungfu.com/2009/03/episode-16-got-that-patch.html
http://seclists.org/nmap-dev/2009/q1/index.html
http://www.skullsecurity.org/blog/?p=209
Nmap 4.85BETA5
o Ron (in just a few hours of furious coding) added remote detection of the Conficker worm to smb-check-vulns. It is based on new research by Tillmann Werner and Felix Leder. You can scan your network for Conficker with a command like:
nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]
If you want to use the Simple Conficker Scanner, which can also do bulk scans from a txt file, download the latest version here.
scs <start-ip> <end-ip> | <ip-list-file>
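Once the Nmap scan above has been saved with -oN, the result lines still have to be turned into a list of hosts to pull off the network. The following is an added helper, not code from the post, the Nmap project or the Simple Conficker Scanner; the sample output it parses is constructed and its "Conficker: Likely INFECTED" / "Likely CLEAN" lines are assumed to follow the smb-check-vulns output format.

```python
import re
from typing import Dict, List

# Constructed sample of Nmap normal output (-oN) for three hosts, modelled on the
# smb-check-vulns result lines; it is not a capture from the original post.
SAMPLE_OUTPUT = """\
Nmap scan report for 192.0.2.10
445/tcp open  microsoft-ds
Host script results:
|  smb-check-vulns:
|  MS08-067: CHECK DISABLED (remove 'safe=1' argument to run)
|  Conficker: Likely INFECTED
|_ regsvc DoS: CHECK DISABLED (add --script-args=unsafe=1 to run)

Nmap scan report for 192.0.2.11
445/tcp open  microsoft-ds
Host script results:
|  smb-check-vulns:
|  Conficker: Likely CLEAN
|_ regsvc DoS: CHECK DISABLED (add --script-args=unsafe=1 to run)

Nmap scan report for 192.0.2.12
445/tcp closed microsoft-ds
"""

# Host header as printed by newer ("Nmap scan report for") and 2009-era
# ("Interesting ports on host:") Nmap releases; the trailing colon is optional.
HOST_RE = re.compile(r"^(?:Nmap scan report for|Interesting ports on) (.+?):?$")
# Script result line, with or without the "|_" marker used on the last line.
CONFICKER_RE = re.compile(r"^\|_?\s*Conficker:\s*(.+?)\s*$")

def parse_conficker_results(text: str) -> Dict[str, str]:
    """Map each scanned host to its Conficker verdict ('NOT CHECKED' if none)."""
    results: Dict[str, str] = {}
    host = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            results[host] = "NOT CHECKED"   # e.g. SMB ports closed, script did not run
            continue
        m = CONFICKER_RE.match(line)
        if m and host is not None:
            results[host] = m.group(1)
    return results

def likely_infected(results: Dict[str, str]) -> List[str]:
    """Hosts whose verdict contains INFECTED, sorted for a stable report."""
    return sorted(h for h, v in results.items() if "INFECTED" in v.upper())

if __name__ == "__main__":
    res = parse_conficker_results(SAMPLE_OUTPUT)
    for h, v in sorted(res.items()):
        print(f"{h:16} {v}")
    print("Likely infected:", ", ".join(likely_infected(res)) or "none")
```

Hosts reported as NOT CHECKED had no verdict at all (here, closed SMB ports) and need a second look rather than being treated as clean.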