Wednesday, April 15, 2009

conficker worm infection detection

There is a simple check that can be done to see if any computer in the office is infected with the Conficker / Downadup worm. When a computer is infected it is blocked from accessing certain security-related sites, so trying to reach those sites from a suspect machine is a quick test. The following 3 sites I've heard are among those blocked.

http://update.microsoft.com/ - this one won't work unless you use Internet Explorer.

This is just another layer of checking. Your antivirus should keep the infection out in the first place, and you can also use nmap 4.85 beta 6 or newer to detect the presence of the worm on a LAN with this specific scan:

nmap -sC -p 445 -d -n -oA conficker_scan -PN --script smb-check-vulns --script-args unsafe=1 192.168.1.1-254 (use your ip range here)

or, passing domain credentials so the script can authenticate to hosts that refuse anonymous SMB sessions:

nmap -sC -p 445 -d -n -oA conficker_scan -PN --script smb-check-vulns --script-args smbdomain={your domain},smbuser={domain admin},smbpass={password},unsafe=1 192.168.1.1-254 (use your ip range here)
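To turn the conficker_scan.nmap file that -oA writes into a short list of hosts to act on, here is an added Python example (my own code, not from this post or the nmap project). It assumes the verdict strings smb-check-vulns printed at the time ("Likely INFECTED", "Likely CLEAN", "UNKNOWN; ...") and that -n was used as in the commands above, so each host header is a bare IP; the embedded sample output is constructed.

```python
import re

# Constructed sample in the layout of nmap's normal output (the .nmap file that
# -oA conficker_scan writes), trimmed to the smb-check-vulns lines. Values are made up.
SAMPLE = """\
Nmap scan report for 192.168.1.10
|  MS08-067: VULNERABLE
|  Conficker: Likely INFECTED
|_ regsvc DoS: NOT VULNERABLE
Nmap scan report for 192.168.1.12
|  MS08-067: VULNERABLE
|  Conficker: Likely CLEAN
|_ regsvc DoS: NOT VULNERABLE
Interesting ports on 192.168.1.13:
|  MS08-067: UNKNOWN; got error
|  Conficker: UNKNOWN; got error
|_ regsvc DoS: UNKNOWN; got error
"""

# Host header: newer releases print "Nmap scan report for X", the 4.85-era
# releases print "Interesting ports on X:". With -n, X is a bare IP.
HOST_RE = re.compile(r"^(?:Nmap scan report for|Interesting ports on) (\S+?):?$")
# One verdict line of the smb-check-vulns host script: "|  Check: verdict".
VULN_RE = re.compile(r"^\|[_ ]\s*(MS08-067|Conficker|regsvc DoS):\s*(.+?)\s*$")

def parse_smb_check_vulns(text):
    """Return {host: {check: verdict}} for every host with script output."""
    results, host = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line.strip())
        if m:
            host = m.group(1)
            continue
        m = VULN_RE.match(line)
        if m and host:
            results.setdefault(host, {})[m.group(1)] = m.group(2)
    return results

def triage(results):
    """Buckets: nmap says infected; clean but unpatched for MS08-067 (the hole
    Conficker spreads through, so patch it first); check could not complete."""
    infected, unpatched, unknown = [], [], []
    for host in sorted(results):
        r = results[host]
        if "INFECTED" in r.get("Conficker", ""):
            infected.append(host)
        elif r.get("MS08-067") == "VULNERABLE":
            unpatched.append(host)
        elif r.get("Conficker", "").startswith("UNKNOWN"):
            unknown.append(host)
    return infected, unpatched, unknown
```

Hosts in the third bucket are the ones to rescan with the credentialed form of the command. For a real scan, call triage(parse_smb_check_vulns(open("conficker_scan.nmap").read())).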

nmap is a great free tool, as it can very quickly scan a whole subnet for a variety of issues. The biggest hurdle is learning the many command-line options for scanning. You can also use Zenmap, the Windows GUI front end to the tool.