
SANS ISC: Locate Conficker infected hosts with a network scan! - Internet Security | DShield SANS ISC InfoSec Forums


Locate Conficker infected hosts with a network scan!

The Honeynet Project has discovered an anomaly in Conficker that makes it possible to detect infected hosts with an elaborate fingerprint scan over the network. This is great news if you suspect an infection and have no other means to check, or if you simply want to double-check information that your other defense mechanisms (IDS, AntiVirus, etc.) provide.

The write-up and scanning tool are available on the Honeynet Website.

Daniel

367 Posts
ISC Handler
What are the chances of a false positive? Any chance of the Python package getting me a bloody nose if I run the red flag up, based on its output? From my reading, it does appear to scan for a specific response from a specific packet, but just wondering... Thanks
lansalot

18 Posts
Hi, http://www.doxpara.com/?p=1285 mentions that they expect tools to scan the network from McAfee, Qualys soon. Haven't found any Win binaries yet. Anyone know better?
Michael

32 Posts
There's also a Nessus plugin, ID: 36036, if you're licensed. Also available as an Nmap script, smb-check-vulns.nse
Ken

40 Posts
Symantec Endpoint Protection detects and blocks the Conficker scan, both at the source workstation and the destination. If you run this on a network with SEP installed with Network Threat Protection enabled you will generate a lot of alerts.
Shawn

29 Posts
Is something happening to download.insecure.org? Maybe somebody updating files? Maybe somebody causing problems?
I am getting a 403 message saying that there is additionally a 404 message.
Algis

5 Posts
