Using Nmap to find Conficker Worm Infections
The Conficker worm was first detected around November 2008. Although Microsoft has long since released a patch for the vulnerability it exploits, MS08-067 (a remote code execution flaw in the Windows Server service, patched in October 2008), an astounding number of computers are still being infected with Conficker because that patch was never applied.
For those of you who are not very familiar with Nmap, it is a port scanner which has become an industry standard in the security community. Fyodor (the creator of Nmap) added some extremely useful functionality to Nmap in the form of a scripting engine, the Nmap Scripting Engine (NSE). NSE scripts are written in the Lua programming language, which is relatively simple to pick up if you have any programming experience. The way it works is that users write scripts to tackle network problems they face on a daily basis and submit them to the Nmap developers; once a script has been reviewed and approved it is committed to Nmap's Subversion repository and shipped in the script database of the next release. If you are using Nmap 4.76 or newer you have the scripting engine in your release (the Conficker check used below was added in 4.85BETA5). If you are interested in learning more about the scripting features of Nmap, see the NSE chapter of the Nmap book online at https://nmap.org/book/nse.html.
There is a script included in the default release of Nmap, smb-check-vulns, which makes it very easy to rapidly scan large subnets for computers that are still unpatched for MS08-067 or are already infected with the Conficker worm. (In Nmap 7 and later the script has been split into separate smb-vuln-ms08-067 and smb-vuln-conficker scripts; the rest of the command is the same.) To use the script, fire up a terminal in whichever operating system you are using and enter this command:
Example of using the Nmap Scripting Engine:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\r00t>nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns 192.168.1.197
The target, in this case 192.168.1.197, can be changed to whatever IP address you are scanning, or to a whole network in CIDR notation like 220.127.116.11/24 or a range like 192.168.1.1-255. The other options are worth understanding: -PN skips host discovery (later Nmap versions spell it -Pn) so that hosts which block ping are still scanned, -n turns off reverse DNS lookups, -T4 selects an aggressive timing template, and -p139,445 restricts the scan to the two SMB ports the script needs. A sample output of this command would look like this:
C:\Documents and Settings\r00t>nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns 192.168.1.197

Starting Nmap 5.00 ( http://nmap.org ) at 2009-10-22 15:42 Eastern Daylight Time
NSE: Loaded 1 scripts for scanning.
Initiating ARP Ping Scan at 15:42
Scanning 192.168.1.197 [1 port]
Completed ARP Ping Scan at 15:42, 0.19s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 15:42
Scanning 192.168.1.197 [2 ports]
Discovered open port 445/tcp on 192.168.1.197
Discovered open port 139/tcp on 192.168.1.197
Completed SYN Stealth Scan at 15:42, 0.02s elapsed (2 total ports)
NSE: Script scanning 192.168.1.197.
NSE: Starting runlevel 2 scan
Initiating NSE at 15:42
Completed NSE at 15:42, 20.13s elapsed
NSE: Script Scanning completed.
Host 192.168.1.197 is up (0.0038s latency).
Interesting ports on 192.168.1.197:
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:1F:D0:81:61:95 (Giga-byte Technology Co.)

Host script results:
|  smb-check-vulns:
|  MS08-067: LIKELY VULNERABLE (host stopped responding)
|  Conficker: Likely CLEAN
|_ regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)

Read data files from: C:\Program Files\Nmap
Nmap done: 1 IP address (1 host up) scanned in 21.36 seconds
           Raw packets sent: 3 (130B) | Rcvd: 3 (130B)
As you can see, my target system is not infected with the Conficker worm; however, it is likely still vulnerable to the MS08-067 bug, so it would require urgent attention from the network administrator. The "LIKELY VULNERABLE (host stopped responding)" verdict means the Server service stopped answering while the script probed it, which the script treats as a sign of an unpatched host; the MS08-067 check is itself intrusive enough to crash a vulnerable service (later Nmap releases only run it when unsafe=1 is set), so plan the scan window accordingly. The Conficker check, by contrast, only looks for the worm's modified response to an SMB request and is safe to run. '--script-args=unsafe=1' can also be added to the command to enable an extra denial-of-service check against the regsvc service, but I do not recommend doing this in any sort of production environment.
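For sweeping a whole subnet, reading the per-host verdicts out of the normal-format output by eye does not scale. The script below is an added example and is not part of the original post or of Nmap itself: it runs the same command with -oX - so Nmap emits XML, parses the smb-check-vulns host script results, and ranks each host as INFECTED, VULNERABLE, clean, or no-smb-result. The SAMPLE_XML document is constructed for offline testing and is not real scan output; the live scan() path assumes nmap is on the PATH.

```python
#!/usr/bin/env python3
"""Sweep a subnet with Nmap's smb-check-vulns script and triage the results.

Added example, not from the original post. It drives the same command the
post uses but asks Nmap for XML output (-oX -) so that per-host script
results can be parsed reliably. SAMPLE_XML is constructed test data.
"""
import shutil
import subprocess
import xml.etree.ElementTree as ET

# Constructed sample in the shape of Nmap 5.x XML output: one host that looks
# unpatched, one that answers like an infected host, one with no SMB service.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="5.00">
<host><status state="up"/><address addr="192.168.1.197" addrtype="ipv4"/>
<hostscript><script id="smb-check-vulns" output="&#xa;MS08-067: LIKELY VULNERABLE (host stopped responding)&#xa;Conficker: Likely CLEAN&#xa;regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)"/></hostscript>
</host>
<host><status state="up"/><address addr="192.168.1.23" addrtype="ipv4"/>
<hostscript><script id="smb-check-vulns" output="&#xa;MS08-067: NOT VULNERABLE&#xa;Conficker: Likely INFECTED&#xa;regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)"/></hostscript>
</host>
<host><status state="up"/><address addr="192.168.1.50" addrtype="ipv4"/>
</host>
</nmaprun>
"""


def build_command(target, unsafe=False):
    """The post's command line, with XML on stdout instead of normal output."""
    cmd = ["nmap", "-PN", "-T4", "-p139,445", "-n",
           "--script=smb-check-vulns", "-oX", "-"]
    if unsafe:  # enables the regsvc DoS check; not for production networks
        cmd.append("--script-args=unsafe=1")
    cmd.append(target)
    return cmd


def parse_report(xml_text):
    """Map each IPv4 host to {check name: verdict} from smb-check-vulns."""
    results = {}
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        checks = {}
        for script in host.findall("hostscript/script[@id='smb-check-vulns']"):
            # The output attribute holds one "Name: verdict" line per check.
            for line in script.get("output", "").splitlines():
                if ":" in line:
                    name, _, verdict = line.partition(":")
                    checks[name.strip()] = verdict.strip()
        results[addr.get("addr")] = checks
    return results


def classify(checks):
    """Triage order: an infected host outranks an unpatched one."""
    if not checks:
        return "no-smb-result"
    conficker = checks.get("Conficker", "").upper()
    ms08 = checks.get("MS08-067", "").upper()
    if "INFECTED" in conficker:
        return "INFECTED"
    # "VULNERABLE" and "LIKELY VULNERABLE (...)" count; "NOT VULNERABLE" does not.
    if "VULNERABLE" in ms08 and not ms08.startswith("NOT"):
        return "VULNERABLE"
    return "clean"


def triage(xml_text):
    """Return {ip: verdict} for every host in an Nmap XML report."""
    return {ip: classify(checks) for ip, checks in parse_report(xml_text).items()}


def scan(target, unsafe=False):
    """Run the sweep for real (requires nmap on PATH) and triage the output."""
    if shutil.which("nmap") is None:
        raise RuntimeError("nmap not found on PATH")
    proc = subprocess.run(build_command(target, unsafe),
                          capture_output=True, text=True, check=True)
    return triage(proc.stdout)


if __name__ == "__main__":
    for ip, verdict in sorted(triage(SAMPLE_XML).items()):
        print(f"{ip:15} {verdict}")
```

Replace triage(SAMPLE_XML) with scan("192.168.1.0/24") to sweep a real network; hosts marked INFECTED should be isolated first, VULNERABLE hosts patched next, and no-smb-result hosts re-checked once you know why port 445 did not answer.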