More Conficker Toolage
There be news!
First off, the Honeynet Project has released Know Your Enemy: Containing Conficker. Tillmann and Felix have done a tremendous job of analyzing Conficker, and their paper makes for a great read. Plus, you get to find out exactly what Conficker is doing differently on the anonymous network surface.
Secondly, nmap has released 4.85Beta5 (Windows, OSX, Source), with the Conficker detection logic. Cool, no more hacking up Beta4.
Please, be careful to actually use --script-args=safe=1, like so:
nmap -PN -d -p 445 --script=smb-check-vulns --script-args=safe=1 1.2.3.4
Third, I’ve rebuilt the py2exe versions of Tillmann and Felix’s scs code, now with Core’s impacket library safely embedded. See here. Source code, of course, is at their site (see scs.zip).
Finally, commercial scanning products continue to make steady progress protecting their customers, with nCircle and Qualys coming online.
There’s something else cool, but I’m pretty exhausted. More in the morn.
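As an added example (not code from the original post, nor from the nmap project), the following POSIX sh wrapper keeps safe=1 on the command line so the scan never falls into the crash-prone MS08-067 check, and then boils nmap's normal output down to one "host status" line per host. It assumes a 4.85BETA5-era nmap whose smb-check-vulns script takes the safe argument, and the host-header and result-line shapes it matches are assumptions about that version's output; the -d debug flag from the post's command is dropped because it only adds noise to the summary. Treat "Likely CLEAN" as a fingerprint result, not proof of absence.

```shell
#!/bin/sh
# Added example, not code from the original post or from the nmap project.
# Wraps the nmap Conficker check so --script-args=safe=1 is never forgotten,
# then reduces nmap's normal output to one "host status" line per host.
# Assumes an nmap of the 4.85BETA5 era with smb-check-vulns and its safe arg;
# the output line shapes matched below are assumptions about that version.

# Argument list for the scan. Mirrors the post's command line minus -d:
# debug output would only get in the way of the summary.
conficker_scan_args() {
    echo "-PN -p 445 --script=smb-check-vulns --script-args=safe=1 $*"
}

# Read nmap normal output on stdin, print "<host> <Conficker status>" per host.
# Host header forms handled (assumed):
#   Interesting ports on 10.0.0.5:            (nmap 4.x)
#   Nmap scan report for box (10.0.0.6)       (nmap 5.x and later)
# Script result line (assumed):  |_  Conficker: Likely INFECTED
conficker_summarize() {
    awk '
        /^Interesting ports on / { host = $4; sub(/:$/, "", host); next }
        /^Nmap scan report for /  { host = $NF; gsub(/[()]/, "", host); next }
        /Conficker:/ {
            status = $0
            sub(/.*Conficker: */, "", status)
            print host " " status
        }
    '
}

# Reduce the summary further to just the hosts flagged as infected.
conficker_infected() {
    conficker_summarize | grep 'INFECTED$' | cut -d' ' -f1
}

# Run the scan against the given targets, if nmap is installed.
conficker_scan() {
    if ! command -v nmap >/dev/null 2>&1; then
        echo "nmap not found in PATH" >&2
        return 1
    fi
    # The argument string is intentionally word-split here.
    nmap $(conficker_scan_args "$@") | conficker_summarize
}

# Constructed sample of nmap output, so the summary logic can be exercised
# offline without a live scan.
SAMPLE_OUTPUT='Interesting ports on 10.0.0.5:
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-check-vulns:
|   MS08-067: CHECK DISABLED (remove safe=1 argument to run)
|_  Conficker: Likely INFECTED
Nmap scan report for box (10.0.0.6)
|_  Conficker: Likely CLEAN'

printf '%s\n' "$SAMPLE_OUTPUT" | conficker_summarize
```

Source the file and call `conficker_scan 10.0.0.0/24` to run a real scan; pipe a saved nmap -oN file into `conficker_infected` to get a bare list of hosts to pull off the network.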
Dan, been playing here and it seems that (with the .C variant of Conficker) if a host has been compromised but hasn’t rebooted since, they’ll show clean (using the scanner.py script from Felix & Tillmann). I presume this is true for other tools which implement this method also. Not a huge issue maybe, but it could be worth noting that there may be some infected hosts which are overlooked for an organization relying on these tools to detect compromised hosts.
Thanks for this program! Much appreciated!
I kept getting the error ‘the system cannot execute the specified program’ on a pretty bare Windows XP SP3 copy with only .NET 1.1 installed. Found out by using Filemon that it needed the Microsoft Visual C++ 2008 SP1 Redistributable:
http://www.microsoft.com/downloads/details.aspx?familyid=A5C84275-3B97-4AB7-A40D-3802B2AF5FC2&displaylang=en
Once installed, no reboot required. Works like a champ now! Thanks again.
Kevin