[Openvas-discuss] [Openvas-plugins] Conficker worm detection - OpenVAS plugins

Tim Brown timb at nth-dimension.org.uk
Thu Apr 2 02:05:41 CEST 2009


Summarising my response to what you asked/stated yesterday on IRC (you'd 
already logged off for the day).

The payload I submitted to you guys for MS08-067 is not the same as the one 
used by nmap for MS08-067; nmap actually uses a different payload, developed 
later by one of my colleagues, which is available from 

Moreover, neither are the same as the payload nmap uses for the Conficker 
check, since this validates whether Conficker's own custom patch for MS08-067 
has been applied.  Conficker's patch behaves differently from Microsoft's.

The Conficker NASL I sent round generates the nmap payload to test for 
Conficker, but I was troubled by a) SMB authentication problems and b) as I 
note below, I haven't had a chance to run it against a compromised system.

We may be able to use my first payload to detect Conficker, but for that 
I/we need to run it against a Conficker-infected box so that we see how it 
responds. I will ask around, as I have some good contacts in the AV / 
malware community. Indeed, we probably need to do that anyway so we can see 
how the SMB functions in OpenVAS decode the response - smb_recv() in particular.

Tim Brown
<mailto:timb at nth-dimension.org.uk>
