Scanning for Confiker via nmap

[paul at pauldotcom.com (Paul Asadoorian)]

Okay, to better answer your question, the Nmap NSE script checks for:

* MS08-067, a Windows RPC vulnerability
* Conficker, an infection by the Conficker worm
* Unnamed regsvc DoS, a denial-of-service vulnerability I accidentically
found in Windows 2003

The NASL script in Nessus only checks for the presence of conficker
(conficker responds to certain RPC calls with specific error codes).

So, if you are scanning a large network (class B for example), I'd lean
towards the Nessus plugin if its speed your after.  Of course, its not a
 bad idea to check for the MS08-067 vulnerability while you're at it :)

Also, there is another Nessus plugin that will help detect Conficker:

http://www.nessus.org/plugins/index.php?view=single&id=35322

It detects:

"Regardless of the request that's made, the remote web server returns a
Microsoft executable."

Which is behavior exhibited by Conficker.A.

Cheers,
Paul

Albert R. Campa wrote:
> interesting, so not having looked at this yet, whats the difference
> between that and scanning with Nessus?
>
>
> __________________________________
> Albert R. Campa
>
>
> 2009/3/30 John Sawyer <jsawyer at ufl.edu <mailto:jsawyer at ufl.edu>>
>
>     The Conficker check is in the latest SVN version of Nmap. It's in
>     the smb-check-vulns.nse which now checks for Conficker, MS08-067 and
>     a regsvc DoS.
>
>     nmap --script smb-check-vulns.nse -p445
>
>     For safety's sake, you might want to also run it with
>     --script-args=unsafe=1 to prevent possible crashes from the regsvc
>     check. That should not turn off the conficker check.
>
>     -jhs
>
>     On Mar 30, 2009, at 11:10 AM, Chris Merkel wrote:
>
> >     According to this:
> >     http://www.theregister.co.uk/2009/03/30/conficker_signature_discovery/
> >
> >     A script should be released today to scan for conficker-infected
> >     machines over the wire.
> >
> >     I looked at the NSE portal and haven't seen anything yet - would it
> >     show up there, or is there a development site or repository where this
> >     will first appear?
> >
> >     I'd like to get a scan in before April 1st, when variant C drops.
> >
> >     -- 
> >     - Chris Merkel
> >     _______________________________________________
> >     Pauldotcom mailing list
> >     Pauldotcom at mail.pauldotcom.com <mailto:Pauldotcom at mail.pauldotcom.com>
> >     http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> >     Main Web Site: http://pauldotcom.com <http://pauldotcom.com/>
>
>
>     _______________________________________________
>     Pauldotcom mailing list
>     Pauldotcom at mail.pauldotcom.com <mailto:Pauldotcom at mail.pauldotcom.com>
>     http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>     Main Web Site: http://pauldotcom.com <http://pauldotcom.com/>
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com

-- 
Paul Asadoorian
PaulDotCom Enterprises
Web: http://pauldotcom.com
Phone: 401.829.9552