For those who suspect their PC is infected with this worm, the easiest way to find out is to visit some security-related websites, for example:
- www.symantec.com
- www.microsoft.com
- www.mcafee.com
- www.f-secure.com
Conficker/Downadup was designed to block the infected machine from visiting these security websites, to prevent victims from finding a solution to remove the worm. For more technical details on how it prevents the machine from visiting these websites (by hooking the Windows API DnsQuery in dnsapi.dll):
http://mtc.sri.com/Conficker/addendumC/ <-- This is so far the most consolidated analysis that I have ever seen :)
The following page from dShield consolidates the detection and removal methods for Conficker/Downadup:
http://www.dshield.org/diary.html?storyid=5860
Using Nmap to Perform Conficker Test
I was attracted by the new Nmap scanning features, which include a script to scan your network and test whether machines are infected with Conficker, thanks to the Honeynet Project (Tillmann Werner and Felix Leder) :D
nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [host]
Typical scan result for an infected machine:
Host script results:
| smb-check-vulns:
| MS08-067: FIXED
| Conficker: Likely INFECTED
|_ regsvc DoS: VULNERABLE
The testing was done using Nmap 4.85BETA6.
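When the scan above is run against a whole subnet instead of a single host, the interesting part is pulling the per-host verdicts out of the output. The following Python script is an added example, not code from the original post or from the Nmap project: it parses the "Host script results" blocks, keeps hosts that produced no script output (SMB ports closed) so they are not lost from the inventory, and sorts hosts into follow-up buckets. The sample output and the 192.0.2.x addresses are constructed, and the "Likely CLEAN" and "CHECK DISABLED" result strings are assumed to follow the same "check: result" pattern as the lines shown on the page.

```python
import re
from typing import Dict, List

# Constructed sample of `nmap --script=smb-check-vulns` output for three hosts
# (not a real capture; addresses are from the 192.0.2.0/24 documentation range).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.0.2.10
Host is up (0.0012s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb-check-vulns:
|   MS08-067: FIXED
|   Conficker: Likely INFECTED
|_  regsvc DoS: VULNERABLE

Nmap scan report for fileserver.example.test (192.0.2.11)
Host is up (0.0020s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb-check-vulns:
|   MS08-067: VULNERABLE
|   Conficker: Likely CLEAN
|_  regsvc DoS: CHECK DISABLED

Nmap scan report for 192.0.2.12
Host is up (0.0031s latency).
PORT    STATE SERVICE
139/tcp closed netbios-ssn
445/tcp closed microsoft-ds
"""

# "Nmap scan report for <name> (<ip>)" or just "Nmap scan report for <ip>"
HOST_RE = re.compile(r"^Nmap scan report for (?P<name>\S+)(?: \((?P<ip>[\d.]+)\))?$")
# Script result lines: "|   Conficker: Likely INFECTED", "|_  regsvc DoS: VULNERABLE"
CHECK_RE = re.compile(r"^\|_?\s*(?P<check>MS08-067|Conficker|regsvc DoS):\s*(?P<result>.+?)\s*$")


def parse_smb_check_vulns(text: str) -> Dict[str, Dict[str, str]]:
    """Map each scanned host to its smb-check-vulns results.

    Hosts without any script output (for example, SMB ports closed) are kept
    with an empty dict so they are not silently dropped from the inventory.
    """
    results: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            # Prefer the IP when nmap printed "name (ip)"
            current = m.group("ip") or m.group("name")
            results[current] = {}
            continue
        m = CHECK_RE.match(line)
        if m and current is not None:
            results[current][m.group("check")] = m.group("result")
    return results


def triage(results: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Bucket hosts for follow-up: likely infected, still unpatched for
    MS08-067 (the worm's spreading vector), and not assessed at all."""
    buckets: Dict[str, List[str]] = {
        "likely_infected": [], "unpatched_ms08_067": [], "not_assessed": []
    }
    for host, checks in sorted(results.items()):
        if not checks:
            buckets["not_assessed"].append(host)
            continue
        if checks.get("Conficker", "").startswith("Likely INFECTED"):
            buckets["likely_infected"].append(host)
        if checks.get("MS08-067") == "VULNERABLE":
            buckets["unpatched_ms08_067"].append(host)
    return buckets


if __name__ == "__main__":
    # Usage: nmap ... -oN scan.txt; then feed scan.txt here instead of the sample
    parsed = parse_smb_check_vulns(SAMPLE_NMAP_OUTPUT)
    for bucket, hosts in triage(parsed).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The "not_assessed" bucket matters in practice: a host with 445/tcp closed is not proven clean, only unscannable by this script, so it should be checked another way rather than ticked off.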
Signing off
~x9090
2 comments:
My colleague's PC was infected by Conficker sometime in February.
He said that running netstat will reveal that the PC is trying to establish connections to all known hosts in the network, thus exhausting available ports.
Btw, nice blog you have here.
Thanks for the comment!
Yeah, once the PC is infected with Conficker, it will constantly send specially crafted RPC packets over TCP 445 to find any vulnerable machine. This is one of its spreading methods.
The only way to remove this is to depend on those custom removal tools, as those AVs cannot remove it successfully even though they can detect it.
I found this useful to prevent the spreading of the worm, though some will suggest installing a portable AV on your flash drives, which I think is troublesome:
http://milw0rm.com/papers/314
Basically the idea of this article is to make the autorun.inf "inaccessible". I found that it can be easily removed when you attach the drive to a *nix machine. Nevertheless, it is still useful to prevent the spreading of worms on Windows.
Enjoy!!
Signing off
~x9090
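The netstat symptom described in the comments above (many half-open connections to TCP 445 across the network) can be turned into a simple host-side heuristic. The following Python script is an added example, not part of the original post or its comments: it parses `netstat -n` style lines, counts, per local address, how many distinct remote hosts are being contacted on port 445 in the SYN_SENT state, and flags sources above a threshold. The sample netstat excerpt and the addresses in it are constructed; the threshold of 5 is an assumed value to tune for your environment, and only IPv4 lines are handled.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed excerpt of Windows `netstat -n` output (not a real capture).
# 192.0.2.5 fans out SYN_SENT connections to port 445 on many different hosts,
# which is the pattern described in the comments; 192.0.2.6 is ordinary traffic.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.5:49152        192.0.2.20:445         SYN_SENT
  TCP    192.0.2.5:49153        192.0.2.21:445         SYN_SENT
  TCP    192.0.2.5:49154        192.0.2.22:445         SYN_SENT
  TCP    192.0.2.5:49155        192.0.2.23:445         SYN_SENT
  TCP    192.0.2.5:49156        192.0.2.24:445         SYN_SENT
  TCP    192.0.2.5:49157        192.0.2.25:445         SYN_SENT
  TCP    192.0.2.5:49158        198.51.100.7:443       ESTABLISHED
  TCP    192.0.2.6:49200        192.0.2.30:445         ESTABLISHED
  TCP    192.0.2.6:49201        198.51.100.9:80        ESTABLISHED
"""

# One IPv4 TCP line: proto, local addr:port, remote addr:port, state
LINE_RE = re.compile(
    r"^\s*TCP\s+(?P<laddr>[\d.]+):(?P<lport>\d+)\s+"
    r"(?P<raddr>[\d.]+):(?P<rport>\d+)\s+(?P<state>\S+)\s*$"
)


def count_smb_fanout(text: str, states: Tuple[str, ...] = ("SYN_SENT",)) -> Dict[str, int]:
    """Per local address, number of distinct remote hosts being contacted on
    TCP 445 in one of the given states (SYN_SENT = half-open, i.e. probing)."""
    targets: Dict[str, set] = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("rport") != "445" or m.group("state") not in states:
            continue
        targets[m.group("laddr")].add(m.group("raddr"))
    return {laddr: len(hosts) for laddr, hosts in targets.items()}


def suspicious_sources(text: str, threshold: int = 5) -> List[str]:
    """Local addresses whose 445/tcp fan-out meets the (assumed) threshold."""
    return sorted(src for src, n in count_smb_fanout(text).items() if n >= threshold)


if __name__ == "__main__":
    # Usage: pipe the output of `netstat -n` into this script instead of the sample
    for src in suspicious_sources(SAMPLE_NETSTAT):
        print(f"{src}: {count_smb_fanout(SAMPLE_NETSTAT)[src]} distinct hosts on 445/tcp")
```

Counting distinct remote hosts rather than raw connection lines is what separates a worm sweeping the subnet from a file server legitimately holding many sessions with the same few peers; a single established SMB session, as for 192.0.2.6 in the sample, is not flagged.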