RandallM wrote:
> What is a common thing to notice about scanning for Conficker? One
> site said a simple scan can distinguish between clean and unclean:
> 
> "Another option is to actively scan for Conficker machines. There is a
> way to distinguish infected machines from clean ones based on the
> error code for some specially crafted RPC messages. Conficker tries to
> filter out further exploitation attempts which results in uncommon
> responses"
> http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker
> 
> 
> Therefore, does this mean it gives what kind of response back: closes
> the response or what? What "error code" will it produce?
> 
> 
> Some results I got today using Nmap had some close it and others doing
> a syn-ack back.
> 
> 
> one result:
> 
> Host 10.0.1.40 appears to be up ... good.
> Scanned at 2009-03-31 15:19:19 Central Daylight Time for 2s
> Interesting ports on 10.0.1.40:
> PORT    STATE  SERVICE      REASON
> 445/tcp closed microsoft-ds reset
> Final times for host: srtt: 0 rttvar: 5000  to: 100000
> 
> and then another was:
> 
> Host colossus.magnet.local (10.0.1.42) appears to be up ... good.
> Scanned at 2009-03-31 15:19:19 Central Daylight Time for 4s
> Interesting ports on colossus.magnet.local (10.0.1.42):
> PORT    STATE SERVICE      REASON
> 445/tcp open  microsoft-ds syn-ack
> 
> Host script results:
> |  smb-check-vulns:
> |  MS08-067: NOT RUN
> |  Conficker: Likely CLEAN
> |_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
> Final times for host: srtt: 0 rttvar: 5000  to: 100000
> 
> 
> 
> If I understand the above results, it seems the "reset" is my concern.
> Others just said "no-response", meaning not open perhaps.
> 
> Any input for me?
> 

Hi Randall,

The Conficker worm will actually try to patch MS08-067, similar to how
Microsoft does, in a jury-rigged way. That patch can be detected because
the return code is different from Microsoft's. So, you call the
vulnerable function over MSRPC (NetPathCanonicalize()) and check the
return -- if it was success, the system is vulnerable to MS08-067. If it
failed with 0x57, Conficker likely patched it. If it fails with the
proper value (INVALID_PARAMETER iirc, I forget the code), you have
Microsoft's patch.

Port 445 being closed isn't a sign of Conficker. Some people seem to
have run into that, but I can't explain it.

Here's a bit of my code from smb-check-vulns.nse:
    if(status == false) then
        -- The call failed; the error string tells us who "patched" it.
        if(string.find(netpathcompare_result, "UNKNOWN_57") ~= nil) then
            -- 0x57: the error Conficker's own patch produces
            return true, INFECTED
        elseif(string.find(netpathcompare_result, "INVALID_NAME") ~= nil) then
            -- the error Microsoft's MS08-067 patch returns
            return true, PATCHED
        else
            -- unrecognized error: dump it for debugging and report UNKNOWN
            io.write(string.format("\n\n%s\n\n", netpathcompare_result))
            return true, UNKNOWN
        end
    end
--

Hope that helps!
Ron

PS: My posts don't seem to end up on the mailing list. Am I doing
something wrong, or am I being moderated?

-- 
Ron Bowes
http://www.skullsecurity.org/
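Triage of smb-check-vulns output across many hosts, as an added example (not Ron's script and not from the original thread): it parses Nmap normal output of the shape Randall posted, pulls each host's 445/tcp state and Conficker verdict, and follows Ron's point that a closed/reset 445 is no evidence either way. The regexes, the verdict labels and the abridged sample output are my own constructions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample (abridged) in the shape of the Nmap normal output quoted above.
SAMPLE_NMAP_OUTPUT = """\
Host 10.0.1.40 appears to be up ... good.
PORT    STATE  SERVICE      REASON
445/tcp closed microsoft-ds reset
Host colossus.magnet.local (10.0.1.42) appears to be up ... good.
PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack
Host script results:
|  smb-check-vulns:
|  Conficker: Likely CLEAN
"""
HOST_RE = re.compile(r"^Host (?:(\S+) \()?(\d+\.\d+\.\d+\.\d+)\)? appears to be up")
PORT_RE = re.compile(r"^445/tcp\s+(\S+)\s+microsoft-ds\s+(\S+)")
CONF_RE = re.compile(r"^\|\s+Conficker:\s+(.+)$")

@dataclass
class HostResult:
    ip: str
    name: Optional[str]
    port445: Optional[str] = None    # STATE column for 445/tcp
    reason: Optional[str] = None     # REASON column (reset, syn-ack, ...)
    conficker: Optional[str] = None  # text after "Conficker:" from smb-check-vulns

    def verdict(self) -> str:
        # Ron's point: a closed/reset 445 is no evidence of Conficker (the check never ran).
        if self.port445 != "open":
            return "NO_EVIDENCE"
        if self.conficker is None:
            return "NOT_CHECKED"     # 445 open but smb-check-vulns reported nothing
        if "INFECTED" in self.conficker.upper():
            return "INFECTED"
        return "CLEAN" if "CLEAN" in self.conficker.upper() else "UNKNOWN"

def parse_nmap_output(text: str) -> List[HostResult]:
    hosts: List[HostResult] = []
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            hosts.append(HostResult(ip=m.group(2), name=m.group(1)))
        elif hosts and (m := PORT_RE.match(line)):
            hosts[-1].port445, hosts[-1].reason = m.group(1), m.group(2)
        elif hosts and (m := CONF_RE.match(line)):
            hosts[-1].conficker = m.group(1).strip()
    return hosts

def triage(text: str) -> Dict[str, str]:
    return {h.ip: h.verdict() for h in parse_nmap_output(text)}
```

Feed it the saved normal output of a `-p445 --script smb-check-vulns` sweep and review the NO_EVIDENCE hosts separately rather than counting them as either clean or infected.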
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
