What is the best way to find Conficker infected PCs in company networks remotely?


Solution 1

The latest version of nmap has the ability to detect all (current) variants of Conficker by detecting the otherwise almost invisible changes that the worm makes to the port 139 and port 445 services on infected machines.

This is (AFAIK) the easiest way to do a network based scan of your whole network without visiting each machine.

Solution 2

Run Microsoft's Malicious Software Removal tool. It is a stand-alone binary that is useful in the removal of prevalent malicious software, and it can help remove the Win32/Conficker malware family.

You can download the MSRT from either of the following Microsoft Web sites:

Read this Microsoft support article: Virus alert about the Win32/Conficker.B worm

UPDATE:

There is this web page which you could open. It should give a warning if there is a sign of conficker on the machine: http://four.cs.uni-bonn.de/fileadmin/user_upload/werner/cfdetector/

I almost forgot to mention this very nice "visual" approach: Conficker Eye Chart (I'm not sure if it will work in the future with modified versions of the virus) - I'm not sure if it still works properly (update 06/2009):

If you can see all six images in both rows of the top table, you are either not infected by Conficker, or you may be using a proxy server, in which case you will not be able to use this test to make an accurate determination, since Conficker will be unable to block you from viewing the AV/security sites.

Network Scanner

eEye's Free Conficker Worm Network Scanner:

The Conficker worm utilizes a variety of attack vectors to transmit and receive payloads, including: software vulnerabilities (e.g. MS08-067), portable media devices (e.g. USB thumb drives and hard drives), as well as leveraging endpoint weaknesses (e.g. weak passwords on network-enabled systems). The Conficker worm will also spawn remote access backdoors on the system and attempt to download additional malware to further infect the host.

Download here: http://www.eeye.com/html/downloads/other/ConfickerScanner.html

Look also at this resource ("network scanner"): http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/. Search for "Network Scanner" and, if you're running Windows:

Florian Roth has compiled a Windows version which is available for download from his website [direct link to zip-download].

Solution 3

There is a Python tool called SCS that you can launch from your workstation, and you can find it here: http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/

It goes this way on my workstation:

Usage:
scs.py <start-ip> <end-ip> | <ip-list-file>

andor@alvaroportatil:~/Escritorio/scs$ python scs.py 10.180.124.50 10.180.124.80

----------------------------------
   Simple Conficker Scanner
----------------------------------
scans selected network ranges for
conficker infections
----------------------------------
Felix Leder, Tillmann Werner 2009
{leder, werner}@cs.uni-bonn.de
----------------------------------

No resp.: 10.180.124.68:445/tcp.
10.180.124.72 seems to be clean.
10.180.124.51 seems to be clean.
10.180.124.70 seems to be clean.
 10.180.124.53 seems to be clean.
10.180.124.71 seems to be clean.
 10.180.124.69 seems to be clean.
10.180.124.52 seems to be clean.
No resp.: 10.180.124.54:445/tcp.
No resp.: 10.180.124.55:445/tcp.
No resp.: 10.180.124.61:445/tcp.
No resp.: 10.180.124.56:445/tcp.
No resp.: 10.180.124.57:445/tcp.
No resp.: 10.180.124.58:445/tcp.
No resp.: 10.180.124.60:445/tcp.
No resp.: 10.180.124.67:445/tcp.
No resp.: 10.180.124.62:445/tcp.
No resp.: 10.180.124.63:445/tcp.
No resp.: 10.180.124.64:445/tcp.
No resp.: 10.180.124.65:445/tcp.
No resp.: 10.180.124.66:445/tcp.
No resp.: 10.180.124.76:445/tcp.
No resp.: 10.180.124.74:445/tcp.
No resp.: 10.180.124.75:445/tcp.
No resp.: 10.180.124.79:445/tcp.
No resp.: 10.180.124.77:445/tcp.
No resp.: 10.180.124.78:445/tcp.
No resp.: 10.180.124.80:445/tcp.
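The SCS run above only tells you something about hosts that actually answered on 445/tcp; the "No resp." hosts (firewalled, powered off, or non-Windows) have not been assessed at all and need another check such as MSRT run locally. The following parser, added here as an example and not part of SCS or of the original answer, turns a scan log into a triage summary and reports that coverage gap. The "seems to be clean" and "No resp." line formats are taken from the output above; the wording of the infected line is an assumption, as is the sample log, which is constructed.

```python
import re
from dataclasses import dataclass, field

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
CLEAN_RE = re.compile(r"^\s*" + IP + r" seems to be clean\.\s*$")
NORESP_RE = re.compile(r"^\s*No resp\.: " + IP + r":445/tcp\.\s*$")
# Assumed wording for a hit; SCS's exact phrasing is not shown on the page.
INFECTED_RE = re.compile(r"^\s*" + IP + r" seems to be infected", re.IGNORECASE)


@dataclass
class ScsSummary:
    infected: list = field(default_factory=list)
    clean: list = field(default_factory=list)
    unverified: list = field(default_factory=list)  # no answer on 445/tcp

    def coverage(self) -> float:
        """Fraction of scanned hosts that SCS could actually assess."""
        total = len(self.infected) + len(self.clean) + len(self.unverified)
        return 0.0 if total == 0 else (len(self.infected) + len(self.clean)) / total


def _ip_key(ip: str):
    return tuple(int(part) for part in ip.split("."))


def parse_scs_output(text: str) -> ScsSummary:
    """Classify every host line of an SCS log; banner and blank lines are skipped."""
    summary = ScsSummary()
    for line in text.splitlines():
        if m := INFECTED_RE.match(line):
            summary.infected.append(m.group(1))
        elif m := CLEAN_RE.match(line):
            summary.clean.append(m.group(1))
        elif m := NORESP_RE.match(line):
            summary.unverified.append(m.group(1))
    for bucket in (summary.infected, summary.clean, summary.unverified):
        bucket.sort(key=_ip_key)
    return summary


# Constructed sample log: a few lines in the format shown above plus one assumed hit.
SAMPLE_LOG = """----------------------------------
   Simple Conficker Scanner
----------------------------------
No resp.: 10.180.124.68:445/tcp.
10.180.124.72 seems to be clean.
 10.180.124.53 seems to be clean.
10.180.124.61 seems to be infected by Conficker (constructed line)
No resp.: 10.180.124.54:445/tcp.
"""

if __name__ == "__main__":
    s = parse_scs_output(SAMPLE_LOG)
    print("infected:", s.infected, "\nclean:", s.clean,
          "\nneed another check:", s.unverified, f"\ncoverage: {s.coverage():.0%}")
```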

Solution 4

This page has lots of useful resources, including a quick visual summary of whether you're infected...

http://www.confickerworkinggroup.org/wiki/

Solution 5

OpenDNS will warn of PCs it thinks are infected. Although as splattne said, MSRT is most likely the best option.



Kazimieras Aliulis

Updated on September 17, 2022

Comments

  • Kazimieras Aliulis
    Kazimieras Aliulis over 1 year

    What is the best way remotely to find Conficker infected PCs in company/ISP networks?

  • Kazimieras Aliulis
    Kazimieras Aliulis about 15 years
    I asked how to detect PCs in the network, not how to clean them.
  • Kazimieras Aliulis
    Kazimieras Aliulis about 15 years
    Company policy does not allow us to use OpenDNS; it must be an in-house solution.
  • splattne
    splattne about 15 years
    The Removal Tool DOES DETECT them. As a nice side-effect, it clears them... ;-)
  • splattne
    splattne about 15 years
    Ah, you mean REMOTELY? sorry. Now I understand.
  • Kazimieras Aliulis
    Kazimieras Aliulis about 15 years
    If the PC has a well-configured firewall it will block ports 139 and 445, so it is not 100% effective, but most machines can be detected.
  • Kazimieras Aliulis
    Kazimieras Aliulis about 15 years
    If the PC has a well-configured firewall it will block ports 139 and 445, so it is not 100% effective, but most machines can be detected. Sad that intrusion detection signatures are only for the A and B versions. Domain checking is in part a viable solution, too.
  • Alnitak
    Alnitak about 15 years
    If the PC had a well configured firewall it probably wouldn't have been infected in the first place...
  • Kazimieras Aliulis
    Kazimieras Aliulis about 15 years
    It's a nice script!
  • Dan Carley
    Dan Carley almost 15 years
    You should be aware that certain portions of the smb-check-vulns tests included in nmap are liable to crash infected machines. Which may be best avoided in a production environment.
  • Alnitak
    Alnitak almost 15 years
    Crashing infected machines sounds like a win, to me :) Crashing uninfected machines would be really bad, though...