Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Locate Conficker infected hosts with a network scan! - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Locate Conficker infected hosts with a network scan!

The Honeynet Project has discovered an anomaly in Conficker that makes it possible to detect infected hosts with an elaborate fingerprint scan over the network. This is great news if you suspect an infection and have no other means to check, or if you simply want to double-check information that your other defense mechanisms (IDS, AntiVirus, etc) provide.

The write-up and scanning tool are available on the Honeynet Website.


385 Posts
ISC Handler
Mar 30th 2009
What's the chances of a false positive? Any chance of the Python package getting me a bloody nose if I run the red flag up, based on its output ? From my reading, it does appear to scan for a specific response from a specific packet, but just wondering.. Thanks

23 Posts
Hi, mentions that they expect tools to scan the network from mcafee, qualys soon. Havent found any Win binaries yet. Anyone know better?

32 Posts
there's also a nessus plugin, ID: 36036, if you're licensed. also available as an nmap script, smb-check-vulns.nse

40 Posts
Symantec Endpoint Protection detects and blocks the Conficker scan, both at the source workstation and the destination. If you run this on a network with SEP installed with Network Threat Protection enabled you will generate a lot of alerts.

29 Posts
Is something happening to maybe somebody updating files? maybe somebody causing problems?
i am getting a 403 message saying that there is additionally a 404 message.

5 Posts

Sign Up for Free or Log In to start participating in the conversation!