Simple Conficker Scanner tool released – find the infected machines
Posted by: Troy Tate
A Simple Conficker Scanner (SCS) tool has been released by members of the Honeynet Project. This tool can be run under Linux or Windows. It runs a specially crafted RPC query against a host or range of IP addresses and reports whether each system is clean or potentially infected. I am running this tool against hosts on my network and I found a Windows 2000 server apparently infected by Conficker. I am in the process of clean-up on that host. It looks like a couple of things contributed to the infection on this computer:
1. Out of date anti-virus. The antivirus signatures had not been updated since January 2008.
2. Microsoft patches not applied.
Folks, the advice about maintaining up-to-date AV and applying patches is good advice. Heed the warnings and save yourself the trouble of clean-up. I will be having a discussion with my operations team about this situation and will make it clear that we should have been prepared for this and that this situation should not have arisen.
I am also following the advice from McAfee on Combating the Conficker worm.
For more details on how the Conficker worm actually works, follow the links in my blog: The Conficker Analysis – are you ready for April 1?
Thanks for reading. Let’s continue to be good network citizens.




