Free Conficker Scanner

Most IT admins are getting ready for the Conficker worm, which is supposed to wake up on 4/1/2009. According to new research by Tillmann Werner and Felix Leder, it's easy to detect systems infected by the worm. The detection has been incorporated into nmap 4.85 BETA5. Here is the announcement thread.

http://seclists.org/nmap-dev/2009/q1/0870.html

The free tool can be downloaded from the download page.

http://nmap.org/download.html

It’s available for multiple platforms. Once you have it installed, use this example to scan your network.

nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]

Substitute [targetnetworks] with your network. Check this manual page if you need more information about using it. Here is a sample output for a non-infected computer.

Host 192.168.1.247 appears to be up ... good.
Interesting ports on 192.168.1.247:
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|  MS08-067: NOT RUN
|  Conficker: Likely CLEAN
|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
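
When the scan covers a whole network, the per-host verdicts are easier to act on once they are collected in one place. The following is an added example, not part of the original post or of nmap: a small Python parser for output in the format shown above. The second and third hosts in the sample are constructed, and any Conficker verdict other than "Likely CLEAN" is treated as needing review.

```python
import re
# Constructed sample: the first host is the output shown above; the other
# two hosts and their verdict lines are made up for this example.
SAMPLE = """\
Host 192.168.1.247 appears to be up ... good.
Interesting ports on 192.168.1.247:
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|  MS08-067: NOT RUN
|  Conficker: Likely CLEAN
|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

Host 192.168.1.10 appears to be up ... good.
Interesting ports on 192.168.1.10:

Host script results:
|  smb-check-vulns:
|  MS08-067: NOT RUN
|_ Conficker: Likely INFECTED

Host 192.168.1.20 appears to be up ... good.
Interesting ports on 192.168.1.20:
PORT    STATE    SERVICE
445/tcp filtered microsoft-ds
"""

HOST_RE = re.compile(r"^Interesting ports on (.+):\s*$")
VERDICT_RE = re.compile(r"^\|[_ ]\s*Conficker:\s*(.+?)\s*$")

def triage(text):
    """Map each scanned host to CLEAN, REVIEW: <verdict>, or NO RESULT."""
    results, host = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            results[host] = "NO RESULT"  # until a Conficker line is seen
        elif host and (m := VERDICT_RE.match(line)):
            v = m.group(1)
            results[host] = "CLEAN" if v == "Likely CLEAN" else "REVIEW: " + v
    return results

def needs_attention(results):
    """Hosts that were not positively reported clean, in scan order."""
    return [h for h, status in results.items() if status != "CLEAN"]
```

Hosts marked NO RESULT had no Conficker line at all (for example, filtered SMB ports), so they are unchecked rather than clean. To use it on a real scan, save the scan with nmap's -oN option and pass the file's text to triage().
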

  • Thanks for sharing this useful post and thanks to Fyodor for NMAP 🙂

  • dan1005

    I agree.
    nmap is best.