Tomorrow is April 1st, and apart from funny pranks and silly hats — the Conficker worm will rear its ugly head. As recently as yesterday, some early (not that early I realize) detection programs are available. And they’re free.

The first is simple to use, but slow as crap. In the author’s defense, it’s just a proof of concept. But it works. 🙂 It’s written in Python, and has both the python script (which requires some additional libraries in Linux) and a windows version that is all built into a package.

This site has links to both versions, along with some instructions. It seems to be able to keep up with the traffic it’s getting, whereas some other sites are getting crumbled as admins scramble to sniff their networks.

The second method uses a brand spanking new version of NMAP to do the detecting. The advantage is it’s much quicker at scanning larger networks. The disadvantage is it requires a bit of commandline fu. Fear not, it’s as easy as copy/paste.

First, get the version for your operating system. NOTE: You MUST get nmap-4.85BETA5 because earlier versions won’t scan for Conficker.

Once you install nmap, you’ll want to run the command:

nmap -PN -d -p445 –script=smb-check-vulns –script-args=safe=1 [network_range]

Where [network_range] is something like 10.10.5.1-255 or even 10.10.0.0/16.

You’ll need to look through the results for information like:

Host script results:

| smb-check-vulns:

| MS08-067: FIXED

| Conficker: Likely INFECTED

|_ regsvc DoS: VULNERABLE

And then fix/patch those hosts. I’d suggest sending the results to a text file, and grepping for the word VULNERABLE or INFECTED — but those types of instructions are beyond the scope of this quick hack of a post. 🙂