The Tenable research team has been steadily working on creating accurate checking for Conficker infected hosts. Over the weekend researchers Felix Leder and Tillmann Werner of the University at Bonn released details on how to detect Conficker using network-based checks. This checking methodology was used as a basis for Nessus plugin 36036 as well as the Nmap NSE script created for the same purpose.
However, last night the Tenable research team discovered that the methodology employed to detect Conficker was missing infected hosts. The Nmap team independently noticed a similar problem, Leder and Werner were notified and updated their own checking tool, a Python based program called "scs". Tenable has released version 2.0 of the Conficker plugin(plugin id 36036), which includes the following updates:
- The plugin now uses credentials, if available, and will scan the local system for the presence of the Conficker virus. It is strongly recommended that this check be performed using credentials as it allows for scanning of hardened Windows XP, Vista, and Server 2008 systems. Scanning a compromised system will not compromise your domain credentials.
- The plugin resolves the flaw that led to false positives by using NetPathCompare() instead of NetPathCanonicalize() to perform the check, which has less likelihood of crashing the remote service.
To collect more detailed information about the scan, perform the following:
- Create a new scan policy with the Conficker plugin enabled. For a quick check you can configure Nessus to only scan for TCP port 445. We also recommend, as a follow up scan, scanning all ports to detect malware. Plugin 35322, “HTTP Backdoor Detection” detects the custom web server used by Conficker. It requires that “Probe services on every port” be enabled.
- In the Nessus scan policy go to the "Advanced" tab and select "Global variables settings"
- Set the "Log verbosity" option to "debug"
- Set the "Debug level" field to "1"
When the scan is running you can monitor the file /opt/nessus/var/nessus/logs/nessusd.dump on the Nessus server (C:\Program Files\Tenable\Nessus\nessus\logs\nessud.dump on Windows and /Library/Nessus/run/var/nessus/logs/nessusd.dump on OS X) during and after the scan. You will then see output similar to the following:
conficker_detect.nasl[29687.24]>DEBUG: conficker_detect.nasl(172.16.127.161): host is clean
conficker_detect.nasl[29685.24]>DEBUG: conficker_detect.nasl(172.16.127.159): host is clean
conficker_detect.nasl[29689.24]>DEBUG: conficker_detect.nasl(172.16.127.163): host is INFECTED
conficker_detect.nasl[29690.24]>DEBUG: conficker_detect.nasl(172.16.127.164): host is clean
conficker_detect.nasl[29692.24]>DEBUG: conficker_detect.nasl(172.16.127.166): host is clean
conficker_detect.nasl[29691.24]>DEBUG: conficker_detect.nasl(172.16.127.165): host is clean
conficker_detect.nasl[29654.22]>DEBUG: conficker_detect.nasl(172.16.127.128): Could not connect to port 445
To determine which version of the plugin you're using, look at /opt/nessus/lib/nessus/plugins/conficker_detect.nasl, and you should see the following in the header:
script_version("$Revision: 2.0 $");
This plugin is available to Nessus ProfessionalFeed and HomeFeed customers.