Nmap 4.85BETA5 and Conficker detection

Monday, 30 March 2009

UPDATE 2009-04-01: Nmap 4.85BETA6 has been released. A few tweaks have been made to the smb-check-vulns.nse script, which can be used to detect hosts compromised by the Conficker malware. The output from the script is improved and makes the status of the scanned host clearer. If you've already tried the script and seen this result:

Conficker: ERROR: SMB: Failed to receive bytes: TIMEOUT

then try the updated script, which increases the timeout period from 5 seconds to 20.

The newest beta of the network exploration and auditing tool Nmap, 4.85BETA5, is now available for download at nmap.org/download. Among the changes, which you can read about in the CHANGELOG, is an especially handy tool that can detect machines compromised by the Conficker (aka Downadup, aka Kido) worm. The smb-check-vulns.nse script has been updated by its author Ron Bowes to send specially crafted RPC messages and detect the giveaway response returned by a machine compromised by Conficker.

The script may be run like so:

nmap -PN -p139,445 -n -v --script smb-check-vulns --script-args safe=1 <target>

which might result in:

Interesting ports on cleanhost1.com (192.168.0.1):
PORT    STATE SERVICE      REASON
139/tcp open  netbios-ssn  syn-ack
445/tcp open  microsoft-ds syn-ack

Host script results:
|  smb-check-vulns:
|  MS08-067: NOT RUN
|  Conficker: Likely CLEAN
|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

Interesting ports on compromised2.com (192.168.0.2):
PORT    STATE SERVICE      REASON
139/tcp open  netbios-ssn  syn-ack
445/tcp open  microsoft-ds syn-ack

Host script results:
|  smb-check-vulns:
|  MS08-067: NOT RUN
|  Conficker: Likely INFECTED
|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

The MS08-067 and regsvc DoS checks are not performed when --script-args safe=1 is specified on the command line, which is why you will see "NOT RUN" next to those host script result entries. The MS08-067 check can determine whether or not the Microsoft patch KB958644 for the vulnerability exploited by Conficker has been applied. There is a very good chance that this check will crash the Server service of a vulnerable machine, which is why it is suggested that the "safe" argument is specified to prevent the crash. If you want to perform the check, omit --script-args safe=1 from the command.

If you have a large number of hosts in your organisation, you may be interested in some great advice posted to the nmap-developers mailing list on tuning the Nmap parameters to speed the process up, as well as a handy Perl script for parsing Nmap XML output files to extract the Conficker results.
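As an added example (not the mailing-list Perl script and not part of Nmap), here is a small Python parser that pulls the Conficker verdict out of Nmap XML output (nmap ... -oX scan.xml) for each host and lists the ones needing follow-up, treating the TIMEOUT error from the update above as "rescan" rather than "clean". The embedded XML is a constructed sample mirroring the text output shown earlier, and it assumes the script result appears as a hostscript/script element with an output attribute, as 4.85-era Nmap writes it.

```python
import re
import xml.etree.ElementTree as ET

# Constructed Nmap XML (-oX) for three hosts, mirroring the text output in the
# post plus one host that hit the SMB timeout. Not real scan data.
SAMPLE_XML = """<nmaprun scanner="nmap" version="4.85BETA5">
<host><status state="up" reason="syn-ack"/>
<address addr="192.168.0.1" addrtype="ipv4"/>
<hostscript><script id="smb-check-vulns" output="&#xa;MS08-067: NOT RUN&#xa;Conficker: Likely CLEAN&#xa;regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)"/></hostscript>
</host>
<host><status state="up" reason="syn-ack"/>
<address addr="192.168.0.2" addrtype="ipv4"/>
<hostscript><script id="smb-check-vulns" output="&#xa;MS08-067: NOT RUN&#xa;Conficker: Likely INFECTED&#xa;regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)"/></hostscript>
</host>
<host><status state="up" reason="syn-ack"/>
<address addr="192.168.0.3" addrtype="ipv4"/>
<hostscript><script id="smb-check-vulns" output="&#xa;MS08-067: NOT RUN&#xa;Conficker: ERROR: SMB: Failed to receive bytes: TIMEOUT&#xa;regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)"/></hostscript>
</host>
</nmaprun>
"""

# The Conficker verdict is one line of the script's free-text output.
CONFICKER_RE = re.compile(r"^\s*Conficker:\s*(.+?)\s*$", re.MULTILINE)


def conficker_results(xml_text):
    """Map each scanned IPv4 address to its Conficker verdict string.

    Hosts with no smb-check-vulns result (ports filtered, script not run)
    are reported as 'NO RESULT' rather than silently dropped.
    """
    results = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        script = host.find("hostscript/script[@id='smb-check-vulns']")
        match = CONFICKER_RE.search(script.get("output", "")) if script is not None else None
        results[addr.get("addr")] = match.group(1) if match else "NO RESULT"
    return results


def hosts_to_follow_up(xml_text):
    """Addresses needing action: likely infected, or an ERROR that needs a rescan."""
    return sorted(addr for addr, verdict in conficker_results(xml_text).items()
                  if "INFECTED" in verdict or verdict.startswith("ERROR"))


if __name__ == "__main__":
    for addr, verdict in conficker_results(SAMPLE_XML).items():
        print(addr, verdict)
    print("follow up:", hosts_to_follow_up(SAMPLE_XML))
```

Replace SAMPLE_XML with the contents of a real -oX file to run it against your own scan; hosts that show ERROR should be rescanned with the BETA6 script rather than counted as clean.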

The background to this update to smb-check-vulns.nse may be interesting to anyone curious about or involved in defending against Conficker.

Researchers at the Rheinische Friedrich-Wilhelms-Universität Institute of Computer Science, Felix Leder and Tillmann Werner (members of the Honeynet Project), discovered that Conficker, which patches the MS08-067 vulnerability on its host, responds with uncommon error codes when sent specific RPC messages. These responses are entirely different from those that may be elicited from a normal patched or unpatched host, making remote detection of compromised hosts a possibility.

Remote detection of Conficker is a real boon for system administrators, who can now scan their entire organisation and determine whether there are compromised hosts on its networks without having to visit each machine or trawl through and decipher stacks of logs generated by network security monitoring tools.

Leder and Tillmann have posted details of their research into Conficker and methods/tools to detect and contain compromised hosts, and there is a more detailed analysis available from them in a paper entitled "Containing Conficker - To Tame a Malware".

Several scanning tools are being or have already been updated to take advantage of this ability to remotely detect Conficker, as noted in a blog post by Dan Kaminsky, though it's worth noting that Nmap is free and will almost certainly get the job done quicker!