Conficker detection hints
We received some good responses regarding Conficker detection recently. Here are a couple of hints for people that are actively fighting infections on their networks.
First, you can look at your Windows domain controllers security event logs. Look for high numbers of Failure Events for logon attempts. This technique can be described in this Sophos KB article: http://www.sophos.com/support/knowledgebase/article/61259.html
Second, you can actively scan your network with nmap. (Of course, make sure you have explicit authorization from management including dates/times before running any scanning tools.) I recommend that you upgrade to the latest version (5.00) and give a command similar to the following:
nmap -PN -p139,445 -vv --script p2p-conficker,smb-os-discovery,smb-check-vulns --script-args=checkconficker=1,safe=1 -T4 [target_networks] >nmap-conficker-scan-results.txt
Finally, you may also be able to just monitor a few hosts on your network for unsolicited TCP 445 traffic. I like to do this with tcpdump from a *NIX box that is not employing Samba. This approach doesn't guarantee that you are seeing Conficker, but you will probably find some source hosts that should be investigated further.
Here is a link to our page of Conficker-related information: http://www.dshield.org/conficker. It lists additional discovery tools, removal tools, and research.
Update 1: Fellow handler Andre Ludwig points out some additional information about the above information. First, the nmap detection may only detect one or two variants of Conficker. The p2p-conficker.nse script states that it detects Conficker.c and higher. For a script that attempts to identify older versions of Conficker, check out the scs2.py script from here: http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker.
That page also have some Snort rules for detecting conficker.a and conficker.b. Finally, check out the Snort rules at emergingthreats.net for a couple more rules to identify Conficker.c.
-Kyle Haugsness
Comments
www
Nov 17th 2022
6 months ago
EEW
Nov 17th 2022
6 months ago
qwq
Nov 17th 2022
6 months ago
mashood
Nov 17th 2022
6 months ago
isc.sans.edu
Nov 23rd 2022
6 months ago
isc.sans.edu
Nov 23rd 2022
6 months ago
isc.sans.edu
Dec 3rd 2022
6 months ago
isc.sans.edu
Dec 3rd 2022
6 months ago
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.
<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
isc.sans.edu
Dec 26th 2022
5 months ago
isc.sans.edu
Dec 26th 2022
5 months ago