What is the best way to find Conficker infected PCs in company networks remotely?

Solution 1:

The latest version of nmap has the ability to detect all (current) variants of Conficker by detecting the otherwise almost invisible changes that the worm makes to the port 139 and port 445 services on infected machines.

This is (AFAIK) the easiest way to do a network based scan of your whole network without visiting each machine.
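An added example (not part of the answer above, and not nmap's own code): a shell helper that reduces a subnet scan to one Conficker status per host, so that machines the check never reached are not mistaken for clean ones. It assumes the output layout of nmap's `smb-check-vulns` script and the `Nmap scan report for` host header; the function names, status labels, addresses and sample scan text are constructed.

```shell
#!/bin/sh
# Added example: per-host summary of the Conficker check in nmap output.
# Assumed scan (run separately, writes normal output to scan.txt):
#   nmap -PN -T4 -n -p139,445 --script smb-check-vulns \
#        --script-args safe=1 -oN scan.txt 192.0.2.0/24
# 192.0.2.0/24 is a placeholder documentation range.

# Reads nmap normal output on stdin, prints "<host> <STATUS>" per host.
# NO_RESULT means the script never reported (SMB unreachable): such a
# host is unverified, not clean.
conficker_report() {
    awk '
        function emit() { if (seen) print host, status }
        /^Nmap scan report for / {
            emit()
            host = $NF; gsub(/[()]/, "", host)
            status = "NO_RESULT"; seen = 1
            next
        }
        /Conficker:/ {
            if ($0 ~ /Likely INFECTED/)   status = "INFECTED"
            else if ($0 ~ /Likely CLEAN/) status = "CLEAN"
            else                          status = "UNKNOWN"
        }
        END { emit() }
    '
}

# Constructed sample modelled on smb-check-vulns output (not a real scan).
sample_scan() {
    cat <<'EOF'
Nmap scan report for 192.0.2.10
Host script results:
| smb-check-vulns:
|   MS08-067: VULNERABLE
|_  Conficker: Likely INFECTED
Nmap scan report for pc11.example.test (192.0.2.11)
Host script results:
| smb-check-vulns:
|   MS08-067: NOT VULNERABLE
|_  Conficker: Likely CLEAN
Nmap scan report for 192.0.2.12
All 2 scanned ports on 192.0.2.12 are filtered
Nmap scan report for 192.0.2.13
Host script results:
| smb-check-vulns:
|_  Conficker: UNKNOWN; got error (constructed)
EOF
}

sample_scan | conficker_report
```

Against a real scan, `conficker_report < scan.txt` gives the same summary; any host not marked `CLEAN` still needs a local check.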

Solution 2:

Run Microsoft's Malicious Software Removal tool. It is a stand-alone binary that is useful in the removal of prevalent malicious software, and it can help remove the Win32/Conficker malware family.

You can download the MSRT from either of the following Microsoft Web sites:

  • http://www.update.microsoft.com
  • http://support.microsoft.com/kb/890830

Read this Microsoft support article: Virus alert about the Win32/Conficker.B worm

UPDATE:

There is this web page which you could open. It should give a warning if there is a sign of Conficker on the machine: http://four.cs.uni-bonn.de/fileadmin/user_upload/werner/cfdetector/

I almost forgot to mention this very nice "visual" approach: Conficker Eye Chart (I'm not sure if it will work in the future with modified versions of the virus) - I'm not sure if it still works properly (update 06/2009):

If you can see all six images in both rows of the top table, you are either not infected by Conficker, or you may be using a proxy server, in which case you will not be able to use this test to make an accurate determination, since Conficker will be unable to block you from viewing the AV/security sites.

Network Scanner

eEye's Free Conficker Worm Network Scanner:

The Conficker worm utilizes a variety of attack vectors to transmit and receive payloads, including: software vulnerabilities (e.g. MS08-067), portable media devices (e.g. USB thumb drives and hard drives), as well as leveraging endpoint weaknesses (e.g. weak passwords on network-enabled systems). The Conficker worm will also spawn remote access backdoors on the system and attempt to download additional malware to further infect the host.

Download here: http://www.eeye.com/html/downloads/other/ConfickerScanner.html

Look also at this resource ("network scanner"): http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/. Search for "Network Scanner" and, if you're running Windows:

Florian Roth has compiled a Windows version which is available for download from his website [direct link to zip-download].