
More Conficker Toolage

There be news!

First off, the Honeynet Project has released Know Your Enemy: Containing Conficker. Tillmann and Felix have done a tremendous job of analyzing Conficker, and their paper makes for a great read. Plus, you get to find out exactly what Conficker does differently on the anonymous (unauthenticated) network surface, which is what the scanners key on.

Secondly, Nmap 4.85BETA5 has been released (Windows, OS X, source), with the Conficker detection logic built into smb-check-vulns. Cool, no more hacking up Beta4.

Please, be careful to actually use --script-args=safe=1. Without it, smb-check-vulns also runs its MS08-067 and regsvc DoS checks, which can crash the service or the whole box you are scanning. Like so:

nmap -PN -d -p 445 --script=smb-check-vulns --script-args=safe=1 1.2.3.4
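Once that scan has been run across a range with -oN, somebody has to turn the output into a list of hosts to go deal with. Below is an added example, not from the original post and not part of Nmap, that parses normal-format Nmap output and triages hosts into likely infected, likely clean, and no verdict. The sample output is constructed, and the exact wording of the "Conficker:" result line is an assumption based on what the script printed in the 4.85 betas; adjust the regex if your build phrases it differently. The point of the third bucket is that a host with no Conficker line at all (port 445 filtered, SMB negotiation failed, script did not run) must not be quietly counted as clean.

```python
import re

# Constructed sample of Nmap normal (-oN) output for three hosts scanned with
# --script=smb-check-vulns --script-args=safe=1. This is illustrative data,
# not a real capture; the "Conficker:" wording is an assumption about the
# script's output format in Nmap 4.85-era builds.
SAMPLE_OUTPUT = """\
Starting Nmap 4.85BETA5 ( http://nmap.org ) at 2009-03-31 12:00 PDT
Interesting ports on 192.0.2.10:
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|  MS08-067: CHECK DISABLED (remove 'safe=1' argument to run)
|  Conficker: Likely INFECTED
|_ regsvc DoS: CHECK DISABLED (remove 'safe=1' argument to run)

Interesting ports on 192.0.2.11:
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|  MS08-067: CHECK DISABLED (remove 'safe=1' argument to run)
|  Conficker: Likely CLEAN
|_ regsvc DoS: CHECK DISABLED (remove 'safe=1' argument to run)

Interesting ports on 192.0.2.12:
PORT    STATE    SERVICE
445/tcp filtered microsoft-ds

Nmap done: 3 IP addresses (3 hosts up) scanned in 4.21 seconds
"""

# Host header as printed by 4.x ("Interesting ports on X:") and by later
# releases ("Nmap scan report for X"). The target is the first token after
# the phrase, up to a colon or whitespace.
HOST_RE = re.compile(r"^(?:Interesting ports on|Nmap scan report for) ([^\s:]+)")

# Script result line: "|  Conficker: <verdict>" or "|_ Conficker: <verdict>".
CONFICKER_RE = re.compile(r"^\|[ _]*Conficker:\s*(.+?)\s*$")


def parse_conficker_results(text):
    """Map each scanned host to its Conficker verdict string.

    A host that never produces a Conficker line is recorded as 'NO RESULT'
    so that absence of evidence is visible instead of being read as clean.
    """
    results = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            results[current] = "NO RESULT"
            continue
        m = CONFICKER_RE.match(line)
        if m and current is not None:
            results[current] = m.group(1)
    return results


def triage(results):
    """Split verdicts into the three lists a responder acts on differently."""
    infected = [h for h, v in results.items() if "INFECTED" in v]
    clean = [h for h, v in results.items() if "CLEAN" in v]
    unknown = [h for h in results if h not in infected and h not in clean]
    return infected, clean, unknown


if __name__ == "__main__":
    infected, clean, unknown = triage(parse_conficker_results(SAMPLE_OUTPUT))
    print("likely infected:", infected)
    print("likely clean   :", clean)
    print("no verdict     :", unknown)
```

Feed it a real file with `parse_conficker_results(open("scan.txt").read())`. Hosts in the "no verdict" list need a second look (firewall, SMB disabled, or the scan never reached them) before anyone signs off on the range.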

Third, I've rebuilt the py2exe versions of Tillmann and Felix's scs code, now with Core Security's Impacket library safely embedded. See here. Source code, of course, is at their site (see scs.zip).

Finally, commercial scanning products continue to make steady progress protecting their customers, with nCircle and Qualys coming online.

There’s something else cool, but I’m pretty exhausted.  More in the morn.

  1. March 31, 2009 at 12:54 pm

    Dan, been playing here and it seems that (with the .C variant of Conficker) if a host has been compromised but hasn't rebooted since, it will show clean (using the scanner.py script from Felix & Tillmann). I presume this is true for other tools which implement this method also. Not a huge issue maybe, but it could be worth noting that there may be some infected hosts which are overlooked for an organization relying on these tools to detect compromised hosts.

  2. K Russell
    April 1, 2009 at 12:11 am

    Thanks for this program! Much appreciated!

    I kept getting the error ‘the system cannot execute the specified program’ on a pretty bare Windows XP SP3 copy with only .NET 1.1 installed. Found out by using Filemon that it needed the Microsoft Visual C++ 2008 SP1 Redistributable:

    http://www.microsoft.com/downloads/details.aspx?familyid=A5C84275-3B97-4AB7-A40D-3802B2AF5FC2&displaylang=en

    Once installed, no reboot required. Works like a champ now! Thanks again.

    Kevin
