Detecting Conficker | The Honeynet Project

The Honeynet Project has a simple scanner on their site for detecting Conficker infections.  It’s mainly recommended for network administrators, but you can use it on home systems (more aptly, home networks).  They also have some technical information about what you will see in the output and how to use the Conficker signatures in a *nix environment.

The scanner is a Python program (which they’ve also built into an .exe for Windows users).

Look for the line that says a Python to Windows exe build of the same tool is available here, and click that link to download the zip file.

What you want to do is extract the scs folder to a location (C:\ or your Desktop is fine, in my opinion).  Then you’ll want to open a command prompt (Start -> Run -> cmd and click OK). **Note that if you’re on Vista, you’ll be prompted with a UAC alert, because with all of this going on, you definitely still have UAC enabled, right?**

Once you’ve got the command prompt open, navigate to the scs folder.  If you extracted it to C:\, type cd \scs <enter>.  If you extracted it to your Desktop, type cd Desktop\scs (on Vista, since it should start you in C:\Users\Yourusername\>), or cd .. and then cd Desktop\scs if it starts you in C:\Documents And Settings\Yourusername\My Documents\>.  Either way, your prompt should read “C:\Users\Yourusername\Desktop\scs>” on Vista or “C:\Documents And Settings\Yourusername\Desktop\scs>” on older versions of Windows.

Once you’re in the scs folder, simply type scs <startIP> <endIP> <enter>, for example scs 192.168.1.2 192.168.1.4 <enter>, and it will start scanning.  If your firewall prompts you about the program, let it access whatever it wants.

The output should be similar to what they showed on the website. On mine, most of the IP addresses had no response.  I’ve only got three computers that ***should*** be on the network, and they all came up either no response or clean.  This is also a cheap way of figuring out if someone may be hacking into your network (for example if you only have 3 computers but get responses from 4 IP addresses, it’s a good sign that something isn’t right).

How do you know what IP addresses to put in?  If you type ipconfig <enter>, it will show you three pieces of information: your IP Address, Subnet Mask, and Default Gateway.  On most home networks, the IP address and Default Gateway will start with 192.168. and the subnet mask will be 255.255.255.0 (the last two numbers after the 192.168. are coded into the router or modem).  My suggestion: if your Default Gateway ends in .1, start with .2 and go to .254.  If your Default Gateway ends in .254, go with .1 to .253.

A side note.  The IP address is your computer’s address on the network.  The Default Gateway is your computer’s link to the Internet (or, more technically, to anything outside its network), and the Subnet Mask is just a way for computers to know who’s on their network and who isn’t.  For the purposes of this post, that’s the easiest explanation without going into the basics of networking and switching/routing.
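To save working out the start and end addresses by hand, here is a small Python helper I’ve added for this post (it is not part of the Honeynet scanner) that reads the three values from a pasted ipconfig output and applies the rule above.  The ipconfig text below is a made-up sample, and the scan range it produces is only what you would type after scs, not the scanner’s own output.

```python
import ipaddress
import re

# Constructed sample of Windows ipconfig output (not a real capture).
SAMPLE_IPCONFIG = """
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home
   IPv4 Address. . . . . . . . . . . : 192.168.1.37
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
"""


def parse_ipconfig(text):
    """Return (ip, mask, gateway) from ipconfig output.

    Handles both the Vista "IPv4 Address" label and the XP "IP Address" label.
    """
    def grab(label):
        m = re.search(label + r"[ .]*: *(\d+\.\d+\.\d+\.\d+)", text)
        return m.group(1) if m else None
    return grab(r"IPv?4? Address"), grab(r"Subnet Mask"), grab(r"Default Gateway")


def scan_range(ip, mask, gateway):
    """Return (startIP, endIP) for scs: every usable host on the subnet,
    skipping the gateway when it sits at either end of the range."""
    net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    # hosts() already drops the network and broadcast addresses.
    hosts = [h for h in net.hosts() if str(h) != gateway]
    return str(hosts[0]), str(hosts[-1])


def scs_command(text):
    """Build the scs command line from raw ipconfig output."""
    ip, mask, gateway = parse_ipconfig(text)
    start, end = scan_range(ip, mask, gateway)
    return f"scs {start} {end}"


if __name__ == "__main__":
    print(scs_command(SAMPLE_IPCONFIG))  # scs 192.168.1.2 192.168.1.254
```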

I encourage you to try this program out.  If you have problems accessing the link that I gave you, post a comment and I’ll try to find an alternate link that will work.

Have a great day and be safe 🙂

Patrick.
