Join us for the Honeynet Workshop 2024: May 27th–29th, Copenhagen, Denmark

Simple Conficker Scanner v2

15 Apr 2009 Tillmann Werner conficker detection network scan

Today we released version 2 of our Simple Conficker Scanner (SCSv2). It contains a new scanning method which allows for detection of machines infected with the recent Conficker version (D or E, depending on the naming scheme - the tool calls it D). Although the patch to the vulnerable function NetpwPathCanonicalize() was updated in the new variant, the RPC response codes for specially crafted requests are still different for infected machines. This enabled us to write a network scanner to distinguish Conficker zombies from clean hosts. The scanning results look like this:

$ ./ Simple Conficker Scanner v2 -- (C) Felix Leder, Tillmann Werner 2009 [UNKNOWN] No response from port 445/tcp. [UNKNOWN] Unable to run NetpwPathCanonicalize. [CLEAN] Windows Server 2003 R2 3790 Service Pack 2 [Windows Server 2003 R2 5.2]: Seems to be clean. [INFECTED] Windows 5.1 [Windows 2000 LAN Manager]: Seems to be infected by Conficker D. [INFECTED] Windows 5.1 [Windows 2000 LAN Manager]: Seems to be infected by Conficker B or C. done

The code was released under the GNU General Public License. Get it from here, feel free to adopt and please use it in your scanner tool.

Update: Florian Roth has compiled a Windows version which is available for download from his website.