Educause Security Discussion mailing list archives
Re: Conflicker/NMAP
From: Daniel Bennett <dbennett () PCT EDU>
Date: Tue, 31 Mar 2009 18:36:47 -0400
The free version of Nessus does not contain the plugin for Conficker, correct?

________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ken Connelly [Ken.Connelly () UNI EDU]
Sent: Tuesday, March 31, 2009 4:21 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Conflicker/NMAP

Thanks, Jerry! Did you run the Nessus plugin from within Nessus or from the command line via nasl?

- ken

Jerry Sell wrote:
I have a result to report. Nessus and the scs scanner both found 1 instance of Conficker, the NMAP script did not. Those of you who used the NMAP scanner may want to look at something else. Nessus seems to be much faster than the scs scanner.

Thank you,
Jerry Sell, CISSP
Security Analyst
Brigham Young University
(801)422-2730
Jerry_Sell () byu edu <mailto:Jerry_Sell () byu edu>

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dean De Beer
Sent: Tuesday, March 31, 2009 12:23 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Conflicker/NMAP

The python scanner is checking for the signature returned by the conficker patch of the vuln. From the paper:

"All of the three considered Conficker variants return the error code for "invalid parameters" (87) in case they either find a \..\ in the path or if the path is longer than 200 wide characters..."

The malware hooks the NetpwPathCanonicalize() function, but I think if it's a legit patch then the error msg that is returned should not be the conficker error code, so if those systems were already legitimately patched you would not detect them as infected, but they may still be infected by one of the other vectors the worm uses.

/dean

On Tue, Mar 31, 2009 at 10:53 AM, Pete Hickey <pete () shadows uottawa ca <mailto:pete () shadows uottawa ca>> wrote:

I've used the Python thing and I seem to have had success. At least the machines turned up make sense. I've been regularly monitoring machines scanning on port 445, and have ASSUMED that these were conficker infected. They were infected with something, and were cleaned.... at least in theory. There were some repeat offenders. Either the owner didn't know how to clean them, or they were not patched properly, or something. Every machine that my python scanner picked up was one that had been previously identified as infected several times (one lab, and about 5 other machines).
While I'm fairly confident that it is not returning any false positives, I am not sure it is detecting everything, as today, after that scan, I have found several infected-with-something machines scanning on 445. Yes it could be something else. Unfortunately I don't get feedback when machines are cleaned.

On Tue, Mar 31, 2009 at 09:21:35AM -0500, Consolvo, Corbett D wrote:

I realize many folks may not want to answer this, but has anyone had many positives/infections with the released nmap scan for Conficker? So far we seem to be coming up clean and many other folks I've talked to or emailed with have come up clean as well. I'm just concerned about the possibility of false negatives. Of course, the problem may not be particularly wide-spread except in the eyes of some media outlets.

Thanks,
Corbett Consolvo
Texas State University

-- 
Pete Hickey                   There are only two kinds of people who
The University of Ottawa      are really fascinating:
Ottawa, Ontario               People who know absolutely everything,
Canada                        and people who know absolutely nothing.
--
- Ken
=================================================================
Ken Connelly
Associate Director, Security and Systems
ITS Network Services
University of Northern Iowa
email: Ken.Connelly () uni edu
p: (319) 273-5850
f: (319) 273-7373
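Two observations in the thread above are worth operationalizing: Jerry's (the NMAP script missed a host that Nessus and the scs scanner caught) and Pete's (hosts seen scanning port 445 are a useful independent signal, including repeat offenders that keep coming back). The script below is an added example, not code from the thread or from any of the scanners discussed. It cross-checks two scanners' positive lists against port-445 scanning activity pulled from firewall-style log lines, so that a host flagged by only one tool, or a host scanning 445 that no tool flagged, is surfaced for a closer look. All host addresses, scanner results and log lines are constructed for illustration, and the log format is an assumption; adapt the regex to the actual export format.

```python
"""Reconcile Conficker scanner positives with port-445 scanning activity.

Added example (not from the original thread). Scanner positives and log lines
below are constructed; the log format is assumed, adjust LINE_RE to match yours.
"""
import re
from collections import defaultdict

# Constructed: hosts each scanner reported as infected.
NMAP_POSITIVES = {"10.1.5.20", "10.1.5.21"}
NESSUS_POSITIVES = {"10.1.5.20", "10.1.5.21", "10.1.7.9"}

# Constructed: firewall-style records of outbound TCP flows, one per line.
LOG_LINES = """\
2009-03-29 08:10:02 src=10.1.5.20 dst=10.1.9.44 proto=tcp dport=445 action=deny
2009-03-29 08:10:03 src=10.1.5.20 dst=10.1.9.45 proto=tcp dport=445 action=deny
2009-03-30 09:02:11 src=10.1.6.1 dst=10.1.2.12 proto=tcp dport=445 action=deny
2009-03-31 09:15:40 src=10.1.5.20 dst=10.1.9.46 proto=tcp dport=445 action=deny
2009-03-31 09:15:41 src=10.1.5.20 dst=10.1.9.47 proto=tcp dport=445 action=deny
2009-03-31 10:00:01 src=10.1.7.9 dst=10.1.2.7 proto=tcp dport=445 action=deny
2009-03-31 10:00:02 src=10.1.7.9 dst=10.1.2.8 proto=tcp dport=445 action=deny
2009-03-31 10:30:55 src=10.1.8.3 dst=10.1.2.9 proto=tcp dport=445 action=deny
2009-03-31 10:31:00 src=10.1.8.3 dst=10.1.2.10 proto=tcp dport=445 action=deny
2009-03-31 11:00:00 src=10.1.4.2 dst=10.1.2.11 proto=tcp dport=80 action=allow
"""

# Assumed log layout: "<date> <time> src=<ip> dst=<ip> proto=tcp dport=<port> ..."
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) \S+ src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=tcp dport=(?P<dport>\d+)"
)


def parse_port445_activity(log_text, min_targets=2):
    """Return {src: [days]} for hosts that hit >= min_targets distinct
    destinations on TCP 445 within a single day (a crude "scanning" test
    that ignores a host touching one file server once)."""
    targets = defaultdict(set)  # (src, day) -> distinct dst on 445
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("dport") != "445":
            continue
        targets[(m.group("src"), m.group("day"))].add(m.group("dst"))
    activity = defaultdict(list)
    for (src, day), dsts in sorted(targets.items()):
        if len(dsts) >= min_targets:
            activity[src].append(day)  # days arrive in sorted order
    return dict(activity)


def reconcile(nmap_hits, nessus_hits, activity):
    """Compare the two scanners with each other and with observed scanning.
    'scanning_unflagged' are candidate false negatives (or something other
    than Conficker); 'flagged_quiet' are positives with no scanning seen."""
    flagged = nmap_hits | nessus_hits
    scanning = set(activity)
    return {
        "missed_by_nmap": sorted(nessus_hits - nmap_hits),
        "missed_by_nessus": sorted(nmap_hits - nessus_hits),
        "scanning_unflagged": sorted(scanning - flagged),
        "flagged_quiet": sorted(flagged - scanning),
        "repeat_offenders": sorted(s for s, d in activity.items() if len(d) >= 2),
    }


def main():
    activity = parse_port445_activity(LOG_LINES)
    report = reconcile(NMAP_POSITIVES, NESSUS_POSITIVES, activity)
    for key, hosts in report.items():
        print(f"{key:20s} {', '.join(hosts) or '-'}")


if __name__ == "__main__":
    main()
```

Run against the constructed data, the report shows 10.1.7.9 as missed by nmap, 10.1.8.3 as scanning 445 with no scanner hit, 10.1.5.21 as flagged but quiet, and 10.1.5.20 as a repeat offender across two days. The per-day distinct-target threshold is deliberately simple; tune `min_targets` to the noise level of your own logs.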
Current thread:
- Re: Conflicker/NMAP, (continued)
- Re: Conflicker/NMAP Roger Safian (Mar 31)
- Re: Conflicker/NMAP Dennis Meharchand (Mar 31)
- Re: Conflicker/NMAP Dean De Beer (Mar 31)
- Re: Conflicker/NMAP Jerry Sell (Mar 31)
- Re: Conflicker/NMAP Ken Connelly (Mar 31)
- Re: Conflicker/NMAP Jerry Sell (Mar 31)
- Re: Conflicker/NMAP Stanclift, Michael (Mar 31)
- Re: Conflicker/NMAP Joseph Clark (Mar 31)
- Re: Conflicker/NMAP James R. Pardonek (Mar 31)
- Re: Conflicker/NMAP John Sawyer (Mar 31)
- Re: Conflicker/NMAP Daniel Bennett (Mar 31)
- Re: Conflicker/NMAP David Boyer (Mar 31)