Scanners and utilities to detect Conficker worm

Conficker, also known as Downup, Downadup and Kido, is a computer worm that surfaced in October 2008 and targets the Microsoft Windows operating system. The worm exploits a previously patched vulnerability in the Windows Server service used by Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, Windows 7 Beta, and Windows Server 2008 R2 Beta. The worm has been unusually difficult for network operators and law enforcement to counter because of its combined use of advanced malware techniques.

The worm exploitsMS08-67 unpatched servers.

- The Conficker worm related vulnerability identification

Here are some tools and utilities used to identify and tocontain the Conficker worm. Meanwhile, US-CERT raises a National Cyber Alert (TA09-088A)

The domain names of different Conficker variants can be used to detect infected machines in a network. Inspired by the "downatool" from MHL and B. Enright, we have developed Downatool2. It can be used to generate domains for Downadup/Conficker.A, .B, and .C.

It is hard to identify files containing Conficker because the executable are packed and encrypted. When Conficker runs in memory it is fully unpacked. The memory disinfector scans the memory of every running process in the system and terminates Conficker threads without touching the process it runs in. This helps to keep the system services running

  • Network Scanners
  • Executable release
  • Python version
  • Nessus Plugin (plugin 36036) to detect Conficker (conficker_detect.nasl) (included)
  • Nmap 4.85beta5 using this command line nmap -PN -T4 -p139,445 -n
    -v —script=smb-check-vulns —script-args safe=1 [targetnetworks]

Attached Documents

Compliance Mandates

  • Network Discovery :

    PCI DSS 11.2, SOX A13.3, GLBA 16CFR Part 314.4(c), HIPAA 164.308(a)(8), FISMA RA-5

  • Vulnerability Scanner :

    PCI DSS 11.2, 6.6, SOX A13.3, GLBA 16CFR Part 314.4(c), HIPAA 164.308(a)(8), FISMA RA-5, SI-2, ISO 27001-27002 12.6, 15.2.2


Related Articles

Configurations checks
Local auditing
Network Discovery
Vulnerability Scanner