What is the best way to remotely find Conficker-infected PCs in company/ISP networks?
6 Answers
Run Microsoft's Malicious Software Removal Tool. It is a stand-alone binary that is useful for removing prevalent malicious software, and it can help remove the Win32/Conficker malware family.
You can download the MSRT from either of the following Microsoft Web sites:
Read this Microsoft support article: Virus alert about the Win32/Conficker.B worm
UPDATE:
There is this web page which you could open. It should give a warning if there is a sign of conficker on the machine: http://four.cs.uni-bonn.de/fileadmin/user_upload/werner/cfdetector/
I almost forgot to mention this very nice "visual" approach: Conficker Eye Chart (I'm not sure if it will work in the future with modified versions of the virus). Update 06/2009: I'm not sure if it still works properly.
If you can see all six images in both rows of the top table, you are either not infected by Conficker, or you may be using a proxy server, in which case you will not be able to use this test to make an accurate determination, since Conficker will be unable to block you from viewing the AV/security sites.
Network Scanner
eEye's Free Conficker Worm Network Scanner:
The Conficker worm utilizes a variety of attack vectors to transmit and receive payloads, including: software vulnerabilities (e.g. MS08-067), portable media devices (e.g. USB thumb drives and hard drives), as well as leveraging endpoint weaknesses (e.g. weak passwords on network-enabled systems). The Conficker worm will also spawn remote access backdoors on the system and attempt to download additional malware to further infect the host.
Download here: http://www.eeye.com/html/downloads/other/ConfickerScanner.html
Look also at this resource ("network scanner"): http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/. Search for "Network Scanner" and, if you're running Windows:
Florian Roth has compiled a Windows version which is available for download from his website [direct link to zip-download].
- I asked how to detect PCs in the network, not how to clean them. – Kazimieras Aliulis May 08 '09 at 13:34
- The Removal Tool DOES DETECT them. As a nice side-effect, it cleans them... ;-) – splattne May 08 '09 at 13:53
- Ah, you mean REMOTELY? Sorry. Now I understand. – splattne May 08 '09 at 13:54
- If a PC has a well-configured firewall it will block ports 139 and 445, so it is not 100% effective, but most machines can be detected. Sad that the intrusion detection signatures are only for the A and B versions. Domain checking is in part a viable solution, too. – Kazimieras Aliulis May 09 '09 at 08:56
The latest version of nmap has the ability to detect all (current) variants of Conficker by detecting the otherwise almost invisible changes that the worm makes to the port 139 and port 445 services on infected machines.
This is (AFAIK) the easiest way to do a network based scan of your whole network without visiting each machine.
- If a PC has a well-configured firewall it will block ports 139 and 445, so it is not 100% effective, but most machines can be detected. – Kazimieras Aliulis May 09 '09 at 08:45
- If the PC had a well-configured firewall it probably wouldn't have been infected in the first place... – Alnitak May 09 '09 at 09:13
- You should be aware that certain portions of the smb-check-vulns tests included in nmap are liable to crash infected machines, which may be best avoided in a production environment. – Dan Carley Jun 02 '09 at 11:26
- Crashing infected machines sounds like a win, to me :) Crashing uninfected machines would be real bad, though... – Alnitak Jun 02 '09 at 13:38
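Once a scan like the one Alnitak describes has run, the useful output is the per-host Conficker verdict, which nmap can write as XML with -oX. The block below is an added example, not nmap's own code and not anything posted in this thread: it reads nmap XML output and separates hosts the script called infected, hosts it called clean, and hosts it could not assess at all, which is the gap the comments above point at (a host firewall blocking 139/445 makes a machine unscannable, not clean). The sample XML is constructed, and the wording of the `Conficker:` result line it imitates is an assumption based on the smb-check-vulns script of that time. The scan itself would be started with something like `nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 -oX scan.xml <targets>`, where `safe=1` leaves out the checks Dan Carley warns can crash hosts. On current nmap releases smb-check-vulns has been retired and the Conficker test lives in `smb-vuln-conficker`, whose output text differs, so the regular expression below would need adjusting for it.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Constructed nmap -oX output for illustration; not from a real scan. The script
# text imitates the smb-check-vulns "Conficker:" result line; the exact wording
# of that line (and the ERROR variant) is an assumption, not nmap's real output.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -PN -T4 -p139,445 -n --script=smb-check-vulns --script-args safe=1 -oX - 10.180.124.50-80">
<host><status state="up"/><address addr="10.180.124.51" addrtype="ipv4"/>
<hostscript><script id="smb-check-vulns" output="&#10;  MS08-067: NOT RUN (known to crash systems)&#10;  Conficker: Likely CLEAN&#10;  regsvc DoS: NOT RUN (known to crash systems)"/></hostscript>
</host>
<host><status state="up"/><address addr="10.180.124.53" addrtype="ipv4"/>
<hostscript><script id="smb-check-vulns" output="&#10;  MS08-067: NOT RUN (known to crash systems)&#10;  Conficker: Likely INFECTED (by Conficker.C or lower)&#10;  regsvc DoS: NOT RUN (known to crash systems)"/></hostscript>
</host>
<host><status state="up"/><address addr="10.180.124.54" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/></port></ports>
</host>
<host><status state="up"/><address addr="10.180.124.60" addrtype="ipv4"/>
<hostscript><script id="smb-check-vulns" output="&#10;  MS08-067: NOT RUN (known to crash systems)&#10;  Conficker: ERROR: could not connect (constructed)&#10;  regsvc DoS: NOT RUN (known to crash systems)"/></hostscript>
</host>
</nmaprun>
"""

CONFICKER_LINE = re.compile(r"Conficker:\s*(.+)")


def classify_hosts(xml_text):
    """Return {ip: (verdict, detail)}; verdict is 'infected', 'clean' or
    'unassessed'. A host is 'clean' only when the script positively said so.
    No script output (139/445 filtered, host down) or a script error is
    'unassessed', never 'clean'."""
    results = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        verdict, detail = "unassessed", "no smb-check-vulns output"
        for script in host.iter("script"):
            if script.get("id") != "smb-check-vulns":
                continue
            m = CONFICKER_LINE.search(script.get("output", ""))
            if m:
                detail = m.group(1).strip()
                upper = detail.upper()
                if "INFECTED" in upper:
                    verdict = "infected"
                elif "CLEAN" in upper:
                    verdict = "clean"
            else:
                detail = "smb-check-vulns ran but reported no Conficker line"
            break
        results[addr_el.get("addr")] = (verdict, detail)
    return results


def infected_hosts(xml_text):
    """Sorted list of addresses the script flagged as infected."""
    return sorted(ip for ip, (v, _) in classify_hosts(xml_text).items() if v == "infected")


def main(argv):
    xml_text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_NMAP_XML
    results = classify_hosts(xml_text)
    by_ip = sorted(results.items(), key=lambda kv: tuple(int(o) for o in kv[0].split(".")))
    for ip, (verdict, detail) in by_ip:
        print(f"{ip:<16} {verdict:<10} {detail}")
    unassessed = sum(1 for v, _ in results.values() if v == "unassessed")
    print(f"\n{len(results)} hosts, {unassessed} unassessed (treat as unknown, not clean)")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python conficker_verdicts.py scan.xml`; with no argument it classifies the constructed sample. The point of the three-way verdict is that a sweep report listing only "infected" hosts silently counts every firewalled or powered-off machine as good, so the unassessed count should be reported alongside the hits.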
There is a Python tool called SCS that you can launch from your workstation; you can find it here: http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/
This is how it runs on my workstation:
Usage:
scs.py <start-ip> <end-ip> | <ip-list-file>
andor@alvaroportatil:~/Escritorio/scs$ python scs.py 10.180.124.50 10.180.124.80
----------------------------------
Simple Conficker Scanner
----------------------------------
scans selected network ranges for
conficker infections
----------------------------------
Felix Leder, Tillmann Werner 2009
{leder, werner}@cs.uni-bonn.de
----------------------------------
No resp.: 10.180.124.68:445/tcp.
10.180.124.72 seems to be clean.
10.180.124.51 seems to be clean.
10.180.124.70 seems to be clean.
10.180.124.53 seems to be clean.
10.180.124.71 seems to be clean.
10.180.124.69 seems to be clean.
10.180.124.52 seems to be clean.
No resp.: 10.180.124.54:445/tcp.
No resp.: 10.180.124.55:445/tcp.
No resp.: 10.180.124.61:445/tcp.
No resp.: 10.180.124.56:445/tcp.
No resp.: 10.180.124.57:445/tcp.
No resp.: 10.180.124.58:445/tcp.
No resp.: 10.180.124.60:445/tcp.
No resp.: 10.180.124.67:445/tcp.
No resp.: 10.180.124.62:445/tcp.
No resp.: 10.180.124.63:445/tcp.
No resp.: 10.180.124.64:445/tcp.
No resp.: 10.180.124.65:445/tcp.
No resp.: 10.180.124.66:445/tcp.
No resp.: 10.180.124.76:445/tcp.
No resp.: 10.180.124.74:445/tcp.
No resp.: 10.180.124.75:445/tcp.
No resp.: 10.180.124.79:445/tcp.
No resp.: 10.180.124.77:445/tcp.
No resp.: 10.180.124.78:445/tcp.
No resp.: 10.180.124.80:445/tcp.
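The range sweep that scs.py performs, as an added example that is not the Bonn tool's code and not part of the answer above: it takes the same `<start-ip> <end-ip>` arguments, probes TCP/445 on every address concurrently with a timeout, and keeps "no response" hosts apart from assessed ones, which is the coverage problem Kazimieras raises about firewalled machines in the comments. Only the reachability step is implemented; the SMB/RPC request SCS sends to fingerprint an infected host is not reproduced here, and the probe is a parameter so a real check can be plugged in. The addresses and port 445 are assumptions matching the transcript above.

```python
import ipaddress
import socket
import sys
from concurrent.futures import ThreadPoolExecutor


def expand_range(start_ip, end_ip):
    """Inclusive IPv4 range, mirroring scs.py's <start-ip> <end-ip> arguments."""
    a, b = ipaddress.IPv4Address(start_ip), ipaddress.IPv4Address(end_ip)
    if b < a:
        raise ValueError("end address precedes start address")
    return [str(ipaddress.IPv4Address(n)) for n in range(int(a), int(b) + 1)]


def tcp_probe(host, port=445, timeout=2.0):
    """Reachability only: 'open' if a TCP connect succeeds, 'no-resp' on
    timeout, refusal or any other socket error. The SMB/RPC fingerprint SCS
    sends once 445 is open is deliberately not reproduced here (assumption:
    a plug-in probe would return 'infected' / 'clean' instead of 'open')."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError:
        return "no-resp"


def sweep(targets, probe=tcp_probe, workers=32, **probe_kwargs):
    """Probe every target concurrently; returns {ip: verdict} in target order."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        verdicts = list(pool.map(lambda h: probe(h, **probe_kwargs), targets))
    return dict(zip(targets, verdicts))


def summarize(results):
    """Per-verdict counts plus the share of the range that actually answered.
    'no-resp' hosts (host firewall, switched off, not Windows) are unknowns
    and must not be reported as clean."""
    counts = {}
    for verdict in results.values():
        counts[verdict] = counts.get(verdict, 0) + 1
    assessed = len(results) - counts.get("no-resp", 0)
    counts["assessed_pct"] = round(100.0 * assessed / len(results), 1) if results else 0.0
    return counts


def main(argv):
    if len(argv) != 3:
        print(f"Usage: {argv[0]} <start-ip> <end-ip>")
        return 2
    results = sweep(expand_range(argv[1], argv[2]))
    for ip, verdict in results.items():
        # The 'No resp.' line matches scs.py's output so the two can be diffed;
        # an open port only means the real SMB check could be run against it.
        if verdict == "no-resp":
            print(f"No resp.: {ip}:445/tcp.")
        else:
            print(f"{ip} answered on 445/tcp (run the SMB check).")
    print(summarize(results))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The `assessed_pct` figure is the number to put next to any "no infections found" claim: in the transcript above only 7 of the 31 addresses answered on 445, so the sweep says nothing about the other 24.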
This page has lots of useful resources, including a quick visual summary of whether you're infected...
OpenDNS will warn of PCs it thinks are infected. Although as splattne said, MSRT is most likely the best option.
- Company policy does not allow the use of OpenDNS; it must be an in-house solution. – Kazimieras Aliulis May 08 '09 at 13:36
We're currently finding them by noticing which machines are listed in the event logs of other machines for LSA policy violations; specifically, in the Event Log, Source LsaSrv, error 6033. The machines making the anonymous session connections that are being denied are Conficker-infected.
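The correlation the answer above describes, as an added example that is not the poster's own script: given LsaSrv 6033 records gathered from several machines, it pulls the connecting host named in the message and counts how many distinct machines each one has tried to open an anonymous LSA policy handle on. Ranking by number of targets is an added heuristic: a single denied anonymous session can be a misconfigured scanner or printer, whereas the worm hits many hosts across the network. The sample records are constructed, modelled on the 6033 message text, and the machine names are assumptions. On Windows the raw events would be pulled from each machine with `Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='LsaSrv'; Id=6033}` and fed in as (reporting machine, provider, ID, message) tuples.

```python
import re
from collections import defaultdict


def _msg_6033(source):
    """Constructed message text modelled on the LsaSrv 6033 event."""
    return (rf"An anonymous session connected from \\{source} has attempted to open an "
            "LSA policy handle on this machine. The attempt was rejected with "
            "STATUS_ACCESS_DENIED to prevent leaking security sensitive information "
            "to the anonymous connection.")


# Constructed records, not real log data. Tuple layout:
# (machine that logged the event, provider, event ID, message).
SAMPLE_EVENTS = [
    ("FILESRV01", "LsaSrv", 6033, _msg_6033("WS-0412")),
    ("FILESRV02", "LsaSrv", 6033, _msg_6033("WS-0412")),
    ("DC01", "LsaSrv", 6033, _msg_6033("ws-0412")),        # hostnames are case-insensitive
    ("FILESRV01", "LsaSrv", 6033, _msg_6033("WS-0412")),   # repeat from the same pair
    ("FILESRV01", "LsaSrv", 6033, _msg_6033("PRINTSRV")),  # one-off, probably benign
    ("DC01", "Service Control Manager", 7036, "The Print Spooler service entered the running state."),
]

# Two literal backslashes, then the machine name up to the next space.
SOURCE_RE = re.compile(r"connected from \\\\([^\s\\]+)")


def anonymous_lsa_sources(events):
    """Map each machine named as the anonymous connector in a 6033 event to
    the set of machines that logged the rejection. Other providers and IDs
    are ignored; a 6033 without a parsable source is skipped."""
    hits = defaultdict(set)
    for reporter, provider, event_id, message in events:
        if provider != "LsaSrv" or event_id != 6033:
            continue
        m = SOURCE_RE.search(message)
        if not m:
            continue
        hits[m.group(1).upper()].add(reporter.upper())
    return dict(hits)


def rank_suspects(events, min_targets=2):
    """Sources that hit at least min_targets distinct machines, most first.
    The threshold is the added heuristic: the worm sprays the subnet, a
    misconfigured appliance usually talks to one server."""
    hits = anonymous_lsa_sources(events)
    ranked = [(src, len(targets)) for src, targets in hits.items() if len(targets) >= min_targets]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for source, n_targets in rank_suspects(SAMPLE_EVENTS):
        targets = ", ".join(sorted(anonymous_lsa_sources(SAMPLE_EVENTS)[source]))
        print(f"{source}: anonymous LSA attempts against {n_targets} machines ({targets})")
```

Feeding it the 6033 events from file servers and domain controllers first pays off, because those are the machines every infected host will try; the output is a short list of workstations to pull off the network.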