Detect Conficker Worm With nmap 4.85BETA6 on Arch Linux

By | 04/01/2009

As I’m sure you’ve all heard, today is April Fools’ Day and the day that the Conficker worm is set to… well, do something.  I haven’t read any reports on just exactly what it has done, if anything today, but I was able to come up with a solution that will allow you to scan for it using Arch Linux and the latest-greatest build of nmap.  I just ran a scan on my home network and didn’t find anything (granted I only have Arch Linux, FreeBSD and Mac OS X machines here), but the same steps can be used to scan your office networks if you’re still wondering about being vulnerable.  I will outline below how to install the Arch Build System (ABS), update the PKGBUILD for nmap to install the latest nmap and finally how to scan a range of networks for the Conficker worm.

Installation via ABS
To build the latest-greatest copy of nmap we’ll use the ABS and simply update the PKGBUILD information.  If you do not have ABS set up on your machine, you’ll need to complete the following steps:

pacman -S abs
abs

These two commands will install the ABS on your system and then sync with the repository mirror.

Configuring nmap
Next you’ll want to copy the PKGBUILD from the ABS directory structure to your home directory for building.

mkdir ~/abs/
cp -r /var/abs/extra/nmap/ ~/abs/

Now head back to ~/abs/nmap/ and edit the PKGBUILD file with the following changes:

pkgver=4.85BETA6
md5sums=('33af2a98032b2e6617cea8de23808e64')

With those two changes saved you can now compile the latest nmap.  Use: makepkg -i

Detecting Conficker
Now that you have the latest nmap compiled and installed you can scan your network(s) for the Conficker worm.  Use the following command and look for any “INFECTED” or “VULNERABLE” lines in the output.

nmap -PN -d -p445 --script=smb-check-vulns --script-args=safe=1 [network_range]

(Of course, replace network_range with your home/office network, e.g. 192.168.0.0/24.)
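
A plain grep for VULNERABLE would also match any NOT VULNERABLE lines, so the following added example (not part of the original post) filters saved scan output and reports findings per host. The sample output and its line format are constructed for illustration and assumed to resemble what smb-check-vulns prints; flag_hosts and sample_scan are hypothetical names.

```shell
#!/bin/sh
# Added example: list hosts whose smb-check-vulns results need attention.
# Reads saved nmap output on stdin, prints "<host><TAB><finding>" per hit.
flag_hosts() {
    awk '
        # Host header: 4.x builds print "Interesting ports on <host>:",
        # later releases print "Nmap scan report for <host>".
        /^Interesting ports on / { host = $4; sub(/:$/, "", host); next }
        /^Nmap scan report for / { host = $5; next }
        # Script results are the lines that start with "|".
        /^[|]/ {
            line = $0
            sub(/^[|]_?[ \t]*/, "", line)
            # Remove negated results first so "NOT VULNERABLE" never counts.
            check = line
            gsub(/NOT VULNERABLE/, "", check)
            if (check ~ /INFECTED|VULNERABLE/) print host "\t" line
        }
    '
}

# Constructed sample output (assumed format, not a real scan).
sample_scan() {
    cat <<'EOF'
Interesting ports on 192.168.0.10:
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|  MS08-067: NOT VULNERABLE
|_ Conficker: Likely CLEAN

Interesting ports on 192.168.0.23:
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|  MS08-067: VULNERABLE
|_ Conficker: Likely INFECTED
EOF
}

# Demo run on the constructed sample.
sample_scan | flag_hosts
```

To use it on a real scan, add -oN scan.txt to the nmap command above and run flag_hosts < scan.txt.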

Conclusion
While I still don’t know what, if anything, the Conficker worm is going to do today (or ever), it’s best to make sure your machines are not vulnerable and that someone else does not have control of them.  If you administer a number of Windows machines, take a minute to scan them and verify that nothing is left vulnerable.  I hope these steps were helpful for anyone needing to verify security on their networks.
