[Openvas-discuss] [Openvas-plugins] Conficker worm detection - OpenVAS plugins
timb at nth-dimension.org.uk
Thu Apr 2 02:05:41 CEST 2009
Summarising my response to what you asked/stated yesterday on IRC (you'd
already logged off for the day).
The payload I submitted to you guys for MS08-067 is not the same as the one
used by nmap for ms08-067; nmap actually uses a different payload developed
later by one of my colleagues which is available from
Moreover, neither are the same as the payload nmap uses for the Conficker
check, since this validates whether Conficker's own custom patch for MS08-067
has been applied. Conficker's patch behaves differently from Microsoft's.
The Conficker NASL I sent round generates the nmap payload to test for
Conficker, but I was troubled by a) SMB authentication problems and b) as I
note below, I haven't had a chance to run it against a compromised system.
We may be able to use my first payload to detect Conficker, but for that...
I/we need to run it against a Conficker-infected box so that we see how it
responds... I will ask around, as I have some good contacts in the AV /
malware community. Indeed, we probably need to do that anyway so we can see
how the SMB functions in OpenVAS decode the response - smb_rev() in particular.