[Openvas-discuss] [Openvas-plugins] Conficker worm detection -OpenVAS plugins

Tim Brown timb at nth-dimension.org.uk
Thu Apr 2 02:05:41 CEST 2009


Chandra,

Summarising my response to what you asked/stated yesterday on IRC (you'd 
already logged off for the day).

The payload I submitted to you guys for MS08-067 is not the same as the one 
used by nmap for ms08-067; nmap actually uses a different payload developed 
later by one of my colleagues, which is available from 
http://labs.portcullis.co.uk/.

Moreover, neither are the same as the payload nmap uses for the Conficker 
check, since this validates whether Conficker's own custom patch for MS08-067 
has been applied.  Conficker's patch behaves differently from Microsoft's.

The Conficker NASL I sent round generates the nmap payload to test for 
Conficker, but I was troubled by a) SMB authentication problems and b) the 
fact that, as I note below, I haven't had a chance to run it against a 
compromised system.

We may be able to use my first payload to detect Conficker, but for that... 
I/we need to run it against a Conficker-infected box so that we see how it 
responds... I will ask around, as I have some good contacts in the AV / 
malware community.  Indeed, we probably need to do that anyway so we can see 
how the SMB functions in OpenVAS decode the response - smb_rev() in particular.

Cheers,
Tim
-- 
Tim Brown
<mailto:timb at nth-dimension.org.uk>
<http://www.nth-dimension.org.uk/>