Scanning for Confiker via nmap

[paul at pauldotcom.com (Paul Asadoorian)]

Its also in Nessus (home feed too):

Plugin: http://www.nessus.org/plugins/index.php?view=single&id=36036

Updated as of thia AM with latest info (so update plugins first).
Another good source for detection:

http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/

Example:

./nessuscmd -p445 -U -V -i 36036 192.168.1.0/24

Cheers,
Paul

John Sawyer wrote:
> The Conficker check is in the latest SVN version of Nmap. It's in the
> smb-check-vulns.nse which now checks for Conficker, MS08-067 and a
> regsvc DoS.
>
> nmap --script smb-check-vulns.nse -p445
>
> For safety's sake, you might want to also run it with
> --script-args=unsafe=1 to prevent possible crashes from the regsvc
> check. That should not turn off the conficker check.
>
> -jhs
>
> On Mar 30, 2009, at 11:10 AM, Chris Merkel wrote:
>
> > According to this:
> > http://www.theregister.co.uk/2009/03/30/conficker_signature_discovery/
> >
> > A script should be released today to scan for conficker-infected
> > machines over the wire.
> >
> > I looked at the NSE portal and haven't seen anything yet - would it
> > show up there, or is there a development site or repository where this
> > will first appear?
> >
> > I'd like to get a scan in before April 1st, when variant C drops.
> >
> > -- 
> > - Chris Merkel
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com <mailto:Pauldotcom at mail.pauldotcom.com>
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com

-- 
Paul Asadoorian
PaulDotCom Enterprises
Web: http://pauldotcom.com
Phone: 401.829.9552