Re: Conflicker/NMAP

[John Sawyer <jsawyer () UFL EDU>]

If you want to make Nessus even faster than the default (which is
extremely slow compared to Nmap), then use the following. This was put
together by the Nessus developer. On a class C, it nearly cut my time
in half.

./nessuscmd -p445 -i36036 -omax_hosts=64 -o"Do not scan fragile
devices[checkbox]:Scan Network Printers"=yes <YOUR_NET>

-jhs

On Mar 31, 2009, at 4:08 PM, Jerry Sell wrote:

> I have a result to report. Nessus and the scs scanner both found 1
> instance of Confickr, the NMAP script did not. Those of you who used
> the NMAP scanner, may want to look at something else.
>
> Nessus seems to be much faster than the scs scanner.
>
> Thank you,
>
> Jerry Sell, CISSP
> Security Analyst
> Brigham Young University
> (801)422-2730
> Jerry_Sell () byu edu
>
>
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU
> ] On Behalf Of Dean De Beer
> Sent: Tuesday, March 31, 2009 12:23 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Conflicker/NMAP
>
> The python scanner is checking for the signature returned by the
> conficker patch of the vuln.
>
> From the paper:
>  "All of the three considered Conficker variants return the error
> code for "invalid parameters" (87) in case they either find a \..\
> in the path or if the
> path is longer than 200 wide characters..."
>
> The malware hooks the NetpwPathCanonicalize() function but I think
> if it's a legit patch then the error msg that is returned should not
> be the conficker error code, so if those systems were already
> legitimately patched you would not detect them as infected but they
> may still be infected by one of the other vectors the worm uses.
>
> /dean
> On Tue, Mar 31, 2009 at 10:53 AM, Pete Hickey
> <pete () shadows uottawa ca> wrote:
> I've used the Python thing and I seem to have had success.  At least
> the machines
> turned up make sense.
>
> I've been regularly monitoring machines scanning on port 445, and have
> ASSUMED that these were conficker infected.  They were infected with
> something, and were cleaned.... at least in threory.
>
> There were some repeat offenders.  Either the owner didn't know how
> to clean
> them, or they were not patched properly, or something.
>
> Everry machine that my python scanner picked up was one that had been
> prreviously identified as infected severtal times (one lab, and about
> 5 other machines).
>
> WHile I'm fairly confident that it is not returning any false
> positives, I
> am not sure it is detecting everything, as today, after that scan, I
> have found several infected-with-something machines scanning on
> 445.  Yes
> it could be something else.  Unfortunately I don't get feedback when
> machines are cleaned.
>
> On Tue, Mar 31, 2009 at 09:21:35AM -0500, Consolvo, Corbett D wrote:
> > I realize many folks may not want to answer this, but has anyone
> had many positives/infections with the released nmap scan for
> Conflicker?  So far we seem to be coming up clean and many other
> folks I've talked to or emailed with have come up clean as well.
> I'm just concerned about the possibility of false negatives.  Of
> course, the problem may not be particularly wide-spread except in
> the eyes of some media outlets.
> >
> > Thanks,
> > Corbett Consolvo
> > Texas State University
> --
> Pete Hickey                         There are only two kinds of
> people who
> The University of Ottawa            are really fascinating:
> Ottawa, Ontario                     People who know absolutely
> everything,
> Canada                              and people who know absolutely
> nothing.