Norwegian Honeynet Project


A chapter of the Honeynet Project

Using Nmap to scan for Conficker

March 31st, 2009 by Tor Inge Skaar. Categories: Tips & Tricks, Tools

As a result of the latest KYE paper (Containing Conficker), many of the scanner tools out there have implemented (or are in the process of implementing) the method presented in chapter 5 of the paper, which explains how you can remotely scan a machine and have the machine itself tell you whether or not Conficker has compromised it. The method works for all current Conficker variants, regardless of the infection vector!

Nmap was one of the first tools to implement this. Let's try it out!

Download the latest development release from http://download.insecure.org/nmap-dist/ (at the time of writing: 4.85BETA6). The usual configure, make, sudo make install should do the trick, but in case you run into compile- or run-time errors you may want to check out this page. (If you face run-time complaints about openssl, you should follow this link.) There are also binaries available for Windows and OSX.

The following is an example of a basic scan for Conficker:

nmap -sC -PN -d -p445 --script=smb-check-vulns \
--script-args=safe=1 192.168.1.1

For large-scale scans, you may invoke nmap with some optimisation parameters, as recommended here.

nmap -sC -PN -d -p445 -n -T4 --min-hostgroup 256 \
--min-parallelism 64 --script=smb-check-vulns \
--script-args=safe=1 10.0.0.0/8

In addition to the no-ping (-PN) and port-specific (-p) options, we added no DNS resolution (-n), more aggressive timing (-T4) and parallel scanning in groups of 256 hosts (with at least 64 probed simultaneously). The latter two parameters may be tuned even further for increased performance. The recommendation is to maintain a 4:1 ratio between the two values, and to keep the upper limit at 4096/1024.

With safe=1 passed as a script argument, the MS08-067 vulnerability itself is not actually checked; only the Conficker detection runs. With unsafe=1 it will be checked, but be aware that a vulnerable Server service may crash as a result.

Here are some examples of the output from the script smb-check-vulns (with MS08-067 check enabled):

|  MS08-067: LIKELY VULNERABLE (host stopped responding)
|  Conficker: Likely INFECTED

|  MS08-067: FIXED
|  Conficker: Likely CLEAN
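When scanning a whole network, the interesting part is turning a long Nmap report into a list of hosts that need attention. The following is an added example, not code from the original post or from the Nmap project: a small POSIX shell helper that reads Nmap's normal text output and pulls out the per-host Conficker verdict from smb-check-vulns. The host-line patterns it matches ("Nmap scan report for ..." and "Interesting ports on ...") are assumptions about Nmap's output format, and the sample report it runs over is constructed for illustration. Note that a host without a verdict (here, one with port 445 closed) is simply not reported; absence of a verdict is not the same as "Likely CLEAN".

```shell
#!/bin/sh
# Added example (not from the original post): summarise the Conficker
# verdicts in Nmap's normal output. The host-line patterns below are
# assumptions about Nmap's text output; check them against your version.

conficker_summary() {
  # Reads Nmap normal output on stdin and prints "<host> <verdict>" for
  # every host that has a smb-check-vulns "Conficker:" line.
  awk '
    /^Nmap scan report for /  { host = $5; next }
    /^Interesting ports on /  { host = $4; sub(/:$/, "", host); next }
    /^\|.*Conficker:/ {
      verdict = $0
      sub(/^.*Conficker:[ \t]*/, "", verdict)
      if (host != "") print host, verdict
    }
  '
}

infected_hosts() {
  # Keeps only hosts whose verdict is "Likely INFECTED".
  conficker_summary | awk '$2 == "Likely" && $3 == "INFECTED" { print $1 }'
}

scan_and_summarise() {
  # Runs the basic scan from the post against the given target(s) and
  # summarises it. Requires nmap and network access; not run below.
  nmap -sC -PN -n -p445 --script=smb-check-vulns \
    --script-args=safe=1 "$@" | conficker_summary
}

# Constructed sample report (not real scan output) with one infected host,
# one clean host and one host where port 445 is closed (no verdict at all).
SAMPLE_OUTPUT='Nmap scan report for 192.168.1.10
Host is up (0.0012s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|  MS08-067: LIKELY VULNERABLE (host stopped responding)
|_ Conficker: Likely INFECTED

Nmap scan report for 192.168.1.11
Host is up (0.0009s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|  MS08-067: FIXED
|_ Conficker: Likely CLEAN

Nmap scan report for 192.168.1.12
Host is up (0.0020s latency).
PORT    STATE SERVICE
445/tcp closed microsoft-ds
'

# Demonstration on the constructed sample.
printf '%s' "$SAMPLE_OUTPUT" | conficker_summary
printf '%s' "$SAMPLE_OUTPUT" | infected_hosts
```

In practice you would run `nmap ... -oN report.txt` and then `conficker_summary < report.txt`, so the raw report is kept for later review while the summary goes to the people who have to clean up the hosts.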

…So, scan your network now, while it’s still possible.

2 Responses to “Using Nmap to scan for Conficker”

  1. Vinoth Says:

    I use NMAP for many troubleshooting purposes. This feature is awesome. Thanks to Fyodor :-)

  2. Tor Inge Skaar Says:

    Indeed! And now Nmap 5 has been released, with a huge number of improvements, bug fixes and new features (the conficker script remains naturally included).
