funsec mailing list archives

Re: question on scanning for conflicker


From: <Toralv_Dirro () McAfee com>
Date: Tue, 31 Mar 2009 22:03:45 -0500


There is a minor difference in how a machine patched for real against MS08-067 and a machine infected with Conficker, which only partly patches the vulnerability, react.

All this just surfaced this weekend.

On the site you quote you will find all the details and some Python scripts implementing it.


cheers,
Toralv


-----Original Message-----
From: funsec-bounces () linuxbox org
[mailto:funsec-bounces () linuxbox org] On Behalf Of RandallM
Sent: Wednesday, 1 April 2009 03:14
To: funsec
Cc: Michael Quinn; Brent/work
Subject: [funsec] question on scanning for conflicker

What is a common thing to notice about scanning for
Conficker? One site said a simple scan can distinguish between
clean and unclean:

"Another option is to actively scan for Conficker machines.
There is a way to distinguish infected machines from clean
ones based on the error code for some specially crafted RPC
messages. Conficker tries to filter out further exploitation
attempts which results in uncommon responses"
http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker


Therefore, does this mean it gives what kind of response
back, closes the response or what? What "error code" will it produce?


Some results I did today using Nmap had some close it and
others doing a syn-ack back.


one result:

Host 10.0.1.40 appears to be up ... good.
Scanned at 2009-03-31 15:19:19 Central Daylight Time for 2s
Interesting ports on 10.0.1.40:
PORT    STATE  SERVICE      REASON
445/tcp closed microsoft-ds reset
Final times for host: srtt: 0 rttvar: 5000  to: 100000

and then another was:

Host colossus.magnet.local (10.0.1.42) appears to be up ... good.
Scanned at 2009-03-31 15:19:19 Central Daylight Time for 4s
Interesting ports on colossus.magnet.local (10.0.1.42):
PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack

Host script results:
|  smb-check-vulns:
|  MS08-067: NOT RUN
|  Conficker: Likely CLEAN
|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
Final times for host: srtt: 0 rttvar: 5000  to: 100000



If I understand the above results, it seems the "reset" is my concern.
Others just said "no-response", meaning not open perhaps.

Any input for me?

--
been great, thanks
Big R a.k.a System
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.



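The triage question in the original message (is a "reset" on 445/tcp a concern?) can be answered by reading the Nmap output mechanically. The following is an added example, not code from the thread or from the Bonn scripts: a Python parser for Nmap's normal-format output of the kind quoted above that sorts hosts into verified clean, alert, and unverified, where unverified covers a closed or filtered 445/tcp (a RST means no reachable SMB listener, so smb-check-vulns never ran and no infection verdict exists). The sample output is constructed from the two results in the post.

```python
import re

# Constructed sample, modelled on the two Nmap results posted in the thread.
SAMPLE_NMAP_OUTPUT = """\
Host 10.0.1.40 appears to be up ... good.
PORT    STATE  SERVICE      REASON
445/tcp closed microsoft-ds reset

Host colossus.magnet.local (10.0.1.42) appears to be up ... good.
PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack
Host script results:
|  smb-check-vulns:
|  Conficker: Likely CLEAN
"""

HOST_RE = re.compile(r"^Host (\S+) (?:\((\S+)\) )?appears to be up")
PORT_RE = re.compile(r"^445/tcp\s+(\S+)\s+microsoft-ds\s+(\S+)")
CONF_RE = re.compile(r"^\|\s+Conficker:\s+(.+)$")

def parse_nmap_normal(text):
    """Per host: 445/tcp state, Nmap's 'reason', and the Conficker script line."""
    hosts, cur = [], None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            # Group 2 is the IP when Nmap prints a hostname first, else group 1.
            cur = {"ip": m.group(2) or m.group(1), "state": None,
                   "reason": None, "conficker": None}
            hosts.append(cur)
        elif cur and (m := PORT_RE.match(line)):
            cur["state"], cur["reason"] = m.group(1), m.group(2)
        elif cur and (m := CONF_RE.match(line)):
            cur["conficker"] = m.group(1).strip()
    return hosts

def triage(host):
    """Turn the raw fields into the operator's follow-up category."""
    if host["state"] != "open":
        # A RST ('reset') or no reply means no reachable SMB listener, so the
        # check never ran: the host is unverified, not an infection indicator.
        return "UNVERIFIED: 445/tcp %s (%s)" % (host["state"], host["reason"])
    verdict = (host["conficker"] or "NOT RUN").upper()
    if "CLEAN" in verdict:
        return "OK: " + verdict
    if "INFECTED" in verdict:
        return "ALERT: " + verdict
    return "UNVERIFIED: 445/tcp open, Conficker check " + verdict

def triage_report(text):
    return {h["ip"]: triage(h) for h in parse_nmap_normal(text)}
```

Run the report over a real `nmap -sV -p445 --script smb-check-vulns -oN` file and work the UNVERIFIED hosts (firewall rules, host offline, SMB disabled) separately from the OK list.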

