Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: Conficker.D ???
From: Ron <ron () skullsecurity net>
Date: Thu, 02 Apr 2009 13:55:28 -0500

Rathbun, Dan wrote:
We had a machine in Asia PAC trigger our IDS systems as Conficker
infected this morning.  I immediately scanned it with an
up-to-the-minute copy of Nmap svn and it came back clean.  Local support
is attending to it, but with the time differences I am  unable to find
out what they discovered, at least for a few more hours.  But all this
has me thinking.

If a Conficker.C machine successfully updated itself, will it still be
discoverable with this method?  It seems to me, that the author of
Conficker has significant skills and surely must has seen all the news
about being able to detect the infection remotely.  Have we seen any
proof yet that Conficker.D or whatever they will call it, is still
vulnerable to t his type of detection?

-Dan Rathbun

It really depends -- if it did indeed update itself, then they easily could have fooled our detection strategy.

Can you provide a .pcap (directly to me is fine) of scanning the infected machine?


Sent through the nmap-dev mailing list
Archived at http://SecLists.Org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]