Re: Conflicker/NMAP

[Daniel Bennett <dbennett () PCT EDU>]

The free version of Nesus does not contain the plugin for Conflicker, correct?

________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ken Connelly 
[Ken.Connelly () UNI EDU]
Sent: Tuesday, March 31, 2009 4:21 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Conflicker/NMAP

Thanks, Jerry!  Did you run the Nessus plugin from within Nessus or from
the command line via nasl?

- ken

Jerry Sell wrote:
> I have a result to report. Nessus and the scs scanner both found 1
> instance of Confickr, the NMAP script did not. Those of you who used
> the NMAP scanner, may want to look at something else.
>
>
>
> Nessus seems to be much faster than the scs scanner.
>
>
>
> Thank you,
>
>
>
> Jerry Sell, CISSP
>
> Security Analyst
>
> Brigham Young University
>
> (801)422-2730
>
> Jerry_Sell () byu edu <mailto:Jerry_Sell () byu edu>
>
>
>
>
>
> *From:* The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Dean De Beer
> *Sent:* Tuesday, March 31, 2009 12:23 PM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] Conflicker/NMAP
>
>
>
> The python scanner is checking for the signature returned by the
> conficker patch of the vuln.
>
> From the paper:
>  "All of the three considered Conficker variants return the error code
> for "invalid parameters" (87) in case they either find a \..\ in the
> path or if the
> path is longer than 200 wide characters..."
>
> The malware hooks the NetpwPathCanonicalize() function but I think if
> it's a legit patch then the error msg that is returned should not be
> the conficker error code, so if those systems were already
> legitimately patched you would not detect them as infected but they
> may still be infected by one of the other vectors the worm uses.
>
> /dean
>
> On Tue, Mar 31, 2009 at 10:53 AM, Pete Hickey <pete () shadows uottawa ca
> <mailto:pete () shadows uottawa ca>> wrote:
>
> I've used the Python thing and I seem to have had success.  At least
> the machines
> turned up make sense.
>
> I've been regularly monitoring machines scanning on port 445, and have
> ASSUMED that these were conficker infected.  They were infected with
> something, and were cleaned.... at least in threory.
>
> There were some repeat offenders.  Either the owner didn't know how to
> clean
> them, or they were not patched properly, or something.
>
> Everry machine that my python scanner picked up was one that had been
> prreviously identified as infected severtal times (one lab, and about
> 5 other machines).
>
> WHile I'm fairly confident that it is not returning any false positives, I
> am not sure it is detecting everything, as today, after that scan, I
> have found several infected-with-something machines scanning on 445.  Yes
> it could be something else.  Unfortunately I don't get feedback when
> machines are cleaned.
>
>
> On Tue, Mar 31, 2009 at 09:21:35AM -0500, Consolvo, Corbett D wrote:
> > I realize many folks may not want to answer this, but has anyone had
> many positives/infections with the released nmap scan for Conflicker?
>  So far we seem to be coming up clean and many other folks I've talked
> to or emailed with have come up clean as well.  I'm just concerned
> about the possibility of false negatives.  Of course, the problem may
> not be particularly wide-spread except in the eyes of some media outlets.
> > Thanks,
> > Corbett Consolvo
> > Texas State University
>
> --
> Pete Hickey                         There are only two kinds of people who
> The University of Ottawa            are really fascinating:
> Ottawa, Ontario                     People who know absolutely everything,
> Canada                              and people who know absolutely
> nothing.

--
- Ken
=================================================================
Ken Connelly             Associate Director, Security and Systems
ITS Network Services                  University of Northern Iowa
email: Ken.Connelly () uni edu   p: (319) 273-5850 f: (319) 273-7373