Using Nmap to find Conficker Worm Infections

The Conficker worm was first detected around November of 2008. Although Microsoft has long since released a patch for the vulnerability it exploits, MS08-067, there is still an astounding number of computers getting infected with Conficker through the MS08-067 vulnerability.

For those of you who are not very familiar with Nmap, it is a port scanner that has become an industry standard in the security community. Recently Fyodor (the creator of Nmap) added some extremely useful functionality to Nmap in the form of a scripting engine. The scripting portion of Nmap is written in the Lua programming language, which is a relatively simple language to pick up if you have any programming experience. The way it works is that users write scripts to tackle the network problems they face on a daily basis and submit them to the Nmap svn repository; once a script has been approved it is added to Nmap's script database. If you are using a version of Nmap more recent than 4.76 then you have the Nmap Scripting Engine in your release. If you are interested in learning more about the scripting features of Nmap you can see the section from the Nmap book online here.

There is a script included in the default release of Nmap which makes it very easy to rapidly scan large subnets for unpatched computers that are still exploitable via MS08-067 or already infected by the Conficker worm. To use the script, just fire up a terminal in whichever operating system you are using and enter this command:

Example of using the Nmap Scripting Engine:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\r00t>nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns 192.168.1.197

You can change the target, which in this case is 192.168.1.197, to whatever IP address you are scanning, or to a whole network range such as 192.167.1.0/24 or 192.168.1.1-255. A sample output of this command would look like this:

C:\Documents and Settings\r00t>nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns 192.168.1.197

Starting Nmap 5.00 ( http://nmap.org ) at 2009-10-22 15:42 Eastern Daylight Time

NSE: Loaded 1 scripts for scanning.
Initiating ARP Ping Scan at 15:42
Scanning 192.168.1.197 [1 port]
Completed ARP Ping Scan at 15:42, 0.19s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 15:42
Scanning 192.168.1.197 [2 ports]
Discovered open port 445/tcp on 192.168.1.197
Discovered open port 139/tcp on 192.168.1.197
Completed SYN Stealth Scan at 15:42, 0.02s elapsed (2 total ports)
NSE: Script scanning 192.168.1.197.
NSE: Starting runlevel 2 scan
Initiating NSE at 15:42
Completed NSE at 15:42, 20.13s elapsed
NSE: Script Scanning completed.
Host 192.168.1.197 is up (0.0038s latency).
Interesting ports on 192.168.1.197:
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:1F:D0:81:61:95 (Giga-byte Technology Co.)

Host script results:
|  smb-check-vulns:
| MS08-067: LIKELY VULNERABLE (host stopped responding)
|  Conficker: Likely CLEAN
|_ regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)

Read data files from: C:\Program Files\Nmap
Nmap done: 1 IP address (1 host up) scanned in 21.36 seconds
Raw packets sent: 3 (130B) | Rcvd: 3 (130B)

As you can see, my target system is not infected with the Conficker worm; however, it's possible my system is still vulnerable to the MS08-067 bug, so this would require urgent attention from the network administrator. The '--script-args=unsafe=1' argument can also be added to the command to add an extra check for Denial of Service, but I do not recommend doing this in any sort of production environment.
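When the command above is run against a whole subnet, the output contains one block like the one shown per host, and reading dozens of them by eye is error-prone. The following Python script is an added example, not code from the original post or from the Nmap project: it parses Nmap's normal-format output (the "Interesting ports on" host header that Nmap 5.00 prints above, and also the "Nmap scan report for" header that later Nmap versions print) and lists which hosts need the MS08-067 patch and which are likely Conficker-infected. The three-host sample embedded in it is constructed for illustration; the addresses and results are made up. A "LIKELY VULNERABLE (host stopped responding)" result is counted as needing the patch, because the host stopped answering SMB during the check and should be treated as unpatched until its patch status is confirmed.

```python
import re
import sys

# Constructed sample of Nmap 5.00 normal output for three hosts, modelled on the
# single-host output shown in the post; the addresses and results are made up.
SAMPLE_OUTPUT = """\
Starting Nmap 5.00 ( http://nmap.org ) at 2009-10-22 15:42 Eastern Daylight Time
Interesting ports on 192.168.1.197:
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
| MS08-067: LIKELY VULNERABLE (host stopped responding)
|  Conficker: Likely CLEAN
|_ regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)

Interesting ports on 192.168.1.201:
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
| MS08-067: NOT VULNERABLE
|  Conficker: Likely INFECTED
|_ regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)

Interesting ports on 192.168.1.202:
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
| MS08-067: NOT VULNERABLE
|  Conficker: Likely CLEAN
|_ regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)

Nmap done: 256 IP addresses (3 hosts up) scanned in 61.02 seconds
"""

# Host header: "Interesting ports on 1.2.3.4:" (Nmap 5.00) or
# "Nmap scan report for 1.2.3.4" / "Nmap scan report for name (1.2.3.4)" (later versions).
HOST_RE = re.compile(
    r"^(?:Interesting ports on|Nmap scan report for) "
    r"(?:\S+ \()?(\d{1,3}(?:\.\d{1,3}){3})\)?:?\s*$"
)
# One result line inside the smb-check-vulns block, e.g. "| MS08-067: NOT VULNERABLE".
CHECK_RE = re.compile(r"^\|_?\s*(MS08-067|Conficker|regsvc DoS):\s*(.+?)\s*$")


def parse_smb_check_vulns(text):
    """Return {ip: {check_name: status}} for every host in Nmap normal output."""
    results = {}
    host = None
    in_block = False
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            results[host] = {}
            in_block = False
            continue
        if host is None:
            continue
        if re.match(r"^\|_?\s*smb-check-vulns:", line):
            in_block = True
            continue
        if in_block:
            m = CHECK_RE.match(line)
            if m:
                results[host][m.group(1)] = m.group(2)
            if line.startswith("|_"):  # "|_" marks the last line of a script block
                in_block = False
    return results


def triage(results):
    """Split hosts into those needing the MS08-067 patch and those likely infected."""
    needs_patch, infected = [], []
    by_address = sorted(results.items(), key=lambda kv: tuple(int(o) for o in kv[0].split(".")))
    for ip, checks in by_address:
        # "VULNERABLE" and "LIKELY VULNERABLE (host stopped responding)" both count;
        # "NOT VULNERABLE" does not match because the pattern is anchored at the start.
        if re.match(r"(LIKELY )?VULNERABLE", checks.get("MS08-067", "UNKNOWN")):
            needs_patch.append(ip)
        if "INFECTED" in checks.get("Conficker", ""):
            infected.append(ip)
    return needs_patch, infected


def report(text):
    """Human-readable summary for the administrator, one line per host needing attention."""
    results = parse_smb_check_vulns(text)
    needs_patch, infected = triage(results)
    lines = [f"{len(results)} host(s) with smb-check-vulns results"]
    lines += [f"PATCH NEEDED (MS08-067): {ip}  [{results[ip]['MS08-067']}]" for ip in needs_patch]
    lines += [f"LIKELY INFECTED (Conficker): {ip}  [{results[ip]['Conficker']}]" for ip in infected]
    return "\n".join(lines)


if __name__ == "__main__":
    # Pipe a saved scan in ("nmap ... -oN scan.txt", then "python triage.py < scan.txt");
    # with no piped input the constructed sample is used.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    print(report(data))
```

Save the scan with `-oN scan.txt` and pipe it into the script; hosts that appear in neither list either passed both checks or returned an inconclusive status, which is why the parser keeps every host's raw status strings so they can be inspected rather than silently dropped.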
