funsec mailing list archives

Re: question on scanning for Conficker


From: Ron <ron () skullsecurity net>
Date: Tue, 31 Mar 2009 22:55:12 -0500

RandallM wrote:
What is a common thing to notice about scanning for Conficker? One
site said a simple scan can distinguish between clean and unclean:

"Another option is to actively scan for Conficker machines. There is a
way to distinguish infected machines from clean ones based on the
error code for some specially crafted RPC messages. Conficker tries to
filter out further exploitation attempts which results in uncommon
responses"
http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker


Therefore, does this mean it gives what kind of response back: does it
close the connection, or what? What "error code" will it produce?


Some results I got today using Nmap had some hosts close it and others
sending a syn-ack back.


one result:

Host 10.0.1.40 appears to be up ... good.
Scanned at 2009-03-31 15:19:19 Central Daylight Time for 2s
Interesting ports on 10.0.1.40:
PORT    STATE  SERVICE      REASON
445/tcp closed microsoft-ds reset
Final times for host: srtt: 0 rttvar: 5000  to: 100000

and then another was:

Host colossus.magnet.local (10.0.1.42) appears to be up ... good.
Scanned at 2009-03-31 15:19:19 Central Daylight Time for 4s
Interesting ports on colossus.magnet.local (10.0.1.42):
PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack

Host script results:
|  smb-check-vulns:
|  MS08-067: NOT RUN
|  Conficker: Likely CLEAN
|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
Final times for host: srtt: 0 rttvar: 5000  to: 100000



If I understand the above results, it seems the "reset" is my concern.
Others just said "no-response", meaning not open perhaps.

Any input for me?


Hi Randall,

The Conficker worm will actually try to patch MS08-067, similar to how
Microsoft does, in a jury-rigged way. That patch can be detected because
the return code is different from Microsoft's. So, you call the
vulnerable function over MSRPC (NetPathCanonicalize()) and check the
return -- if it was success, the system is vulnerable to MS08-067. If it
failed with 0x57, Conficker likely patched it. If it fails with the
proper value (INVALID_PARAMETER iirc, I forget the code), you have
Microsoft's patch.

Port 445 being closed isn't a sign of Conficker. Some people seem to
have run into that, but I can't explain it.

Here's a bit of my code from smb-check-vulns.nse:
    -- Fragment from smb-check-vulns.nse: 'status' is false when the
    -- srvsvc call failed, and 'netpathcompare_result' carries the error
    -- name that the SMB library decoded from the returned status code.
    if(status == false) then
        if(string.find(netpathcompare_result, "UNKNOWN_57") ~= nil) then
            -- 0x57 is not what Microsoft's patch returns: Conficker's hook
            return true, INFECTED
        elseif(string.find(netpathcompare_result, "INVALID_NAME") ~= nil) then
            -- Microsoft's patched code rejects the path with INVALID_NAME
            return true, PATCHED
        else
            -- Anything else is unexpected; dump it so it can be investigated
            io.write(string.format("\n\n%s\n\n", netpathcompare_result))
            return true, UNKNOWN
        end
    end
--

Hope that helps!
Ron

PS: My posts don't seem to end up on the mailing list. Am I doing
something wrong, or am I being moderated?

-- 
Ron Bowes
http://www.skullsecurity.org/
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
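The classification Ron describes above, and the decision his Lua fragment makes, written out as an added example (not code from smb-check-vulns.nse or from Nmap). Two facts from winerror.h fix the codes Ron half-remembers: 0x57 (87) is ERROR_INVALID_PARAMETER, and 0x7B (123) is ERROR_INVALID_NAME, which is what his snippet matches on for the Microsoft patch. The example does not perform the SMB/MSRPC exchange and does not reproduce the crafted path the script sends; it takes the response stub of the srvsvc call as a scanner would receive it, decodes the trailing NET_API_STATUS DWORD, and maps it to the states used in the thread. The helper that builds response stubs is a simplified NDR rendering written only so the decoder can run offline, and the sample responses are constructed, not captures.

```python
"""Classify a host's MS08-067 state from the status code that the
NetPathCanonicalize-style srvsvc call returns. Added example, not the
Nmap script's own code; it does no network I/O."""
import struct

# Win32 status codes from winerror.h (these values are certain).
ERROR_SUCCESS = 0x00
ERROR_INVALID_PARAMETER = 0x57   # decimal 87
ERROR_INVALID_NAME = 0x7B        # decimal 123

# Result labels, mirroring the states used in the thread.
VULNERABLE = "VULNERABLE"   # call succeeded: unpatched MS08-067
INFECTED = "INFECTED"       # 0x57 back: Conficker's in-memory hook rejected the path
PATCHED = "PATCHED"         # 0x7B back: Microsoft's patched code rejected the path
UNKNOWN = "UNKNOWN"         # anything else (access denied, RPC fault, ...)


def classify(status: int) -> str:
    """Map the call's return value to a host state. Note that a closed
    445/tcp never reaches this point; as the reply says, a RST is not
    evidence of Conficker."""
    if status == ERROR_SUCCESS:
        return VULNERABLE
    if status == ERROR_INVALID_PARAMETER:
        return INFECTED
    if status == ERROR_INVALID_NAME:
        return PATCHED
    return UNKNOWN


def decode_status(stub: bytes) -> int:
    """Pull the NET_API_STATUS return value out of a response stub.
    In NDR the function's return value is marshalled after all [out]
    parameters, so it is the final little-endian DWORD of the stub."""
    if len(stub) < 4:
        raise ValueError("response stub shorter than a DWORD")
    return struct.unpack_from("<I", stub, len(stub) - 4)[0]


def classify_stub(stub: bytes) -> str:
    """Convenience wrapper: response stub bytes -> host state."""
    return classify(decode_status(stub))


def build_response_stub(outbuf: bytes, status: int) -> bytes:
    """Constructed sample data (assumption, simplified NDR): the [out]
    conformant Outbuf array is max_count DWORD + bytes + padding to a
    4-byte boundary, followed by the status DWORD. A real scanner gets
    this buffer from its SMB/DCERPC layer instead."""
    body = struct.pack("<I", len(outbuf)) + outbuf
    body += b"\x00" * (-len(body) % 4)
    return body + struct.pack("<I", status)


# Constructed sample responses: the three cases the heuristic knows
# about plus one it cannot interpret (ERROR_ACCESS_DENIED, 0x05).
SAMPLE_RESPONSES = {
    "unpatched": build_response_stub(b"\\\x00", ERROR_SUCCESS),
    "conficker": build_response_stub(b"", ERROR_INVALID_PARAMETER),
    "ms_patch":  build_response_stub(b"", ERROR_INVALID_NAME),
    "denied":    build_response_stub(b"", 0x05),
}


if __name__ == "__main__":
    for name, stub in SAMPLE_RESPONSES.items():
        code = decode_status(stub)
        print(f"{name:10s} status=0x{code:02X} -> {classify(code)}")
```

The UNKNOWN branch matters in practice: an unauthenticated null session may be refused (access denied), or the RPC layer may fault before the canonicalization code runs, and neither outcome says anything about the patch state. Treat UNKNOWN as "retry with credentials or inspect the raw error", not as clean.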

