New Nmap version detects the Conficker worm

The Conficker worm is receiving a lot of attention because of its vast scale (millions of machines infected) and advanced update mechanisms. Thanks to research by Tillmann Werner and Felix Leder of The Honeynet Project and implementation work by Ron Bowes, David Fifield, Brandon Enright, and Fyodor, a new Nmap release is here which can remotely scan for and detect infected machines.

To scan for Conficker, use a command such as:
nmap -PN -T4 -p139,445 -n -v –script=smb-check-vulns –script-args safe=1 [targetnetworks]

A clean machine should report at the bottom: “Conficker: Likely CLEAN“, while likely infected machines say: “Conficker: Likely INFECTED“. For more advice, see this nmap-dev post by Brandon Enright. Dan Kaminsky broke the story on

While Conficker gets all the attention, 4.85BETA5 also has many other great improvements:

  • Ndiff now includes service (version detection) and OS detection differences.
  • [Ncat] The –exec and –sh-exec options now work in UDP mode like they do in TCP mode: the server handles multiple concurrent clients and doesn’t have to be restarted after each one.
  • [Ncat] The -v option (used alone) no longer floods the screen with debugging messages. With just -v, we now only print the most important status messages such as “Connected to …”, a startup banner, and error messages. At -vv, minor debugging messages are enabled, such as what command is being executed by –sh-exec. With -vvv you get detailed debugging messages.
  • [Ncat] Chat mode now lets other participants know when someone connects or disconnects, and it also broadcasts a current list of participants at such times.
  • [Ncat] Fixed a socket handling bug which could occur when you redirect Ncat stdin, such as “ncat -l –chat < /dev/null". The next user to connect would end up with file descriptor 0 (which is normally stdin) and thus confuse Ncat.
  • [Zenmap] The “Scan Output” expanders in the diff window now behave more naturally. Some strange behavior on Windows was noted by Jah.
  • The following OS detection tests are no longer included in OS fingerprints: U1.RUL, U1.TOS, IE.DLI, IE.SI, and IE.TOSI. URL, DLI, and SI were found not be helpful in distinguishing operating systems because they didn’t vary. TOS and TOSI were disabled in 4.85BETA1 but now they are not included in prints at all.
  • The compile-time Nmap ASCII dragon is now more ferocious thanks to better teeth alignment.
  • Version 4.85BETA4 had a bug in the implementation of the new SEQ.CI test that could cause a closed-port IP ID to be written into the array for the SEQ.TI test and cause erroneous results.
  • Nbase has grown routines for calculating Adler32 and CRC32C checksums. This is needed for future SCTP support.
  • [Zenmap] Zenmap no longer shows an error message when running Nmap with options that cause a zero-length XML file to be produced (like –iflist).
  • Fixed an off-by-one error in printableSize() which could cause Nmap to crash while reporting NSE results. Also, NmapOutputTable’s memory allocation strategy was improved to conserve memory.
  • [Zenmap] We now give the –force option to for installation to ensure that it replaces all files.
  • Nmap’s –packet-trace, –version-trace, and –script-trace now use an Nsock trace level of 2 rather than 5. This removes some superfluous lines which can flood the screen.
  • [Zenmap] Fixed a crash which could occur when loading the help URL if the path contains multibyte characters.
  • [Ncat] The version number is now matched to the Nmap release it came with rather than always being 0.2.
  • Fixed a strtok issue between load_exclude and TargetGroup::parse_expr that caused only the first exclude on a line to be loaded as well as an invalid read into free()’d memory in load_exclude().
  • NSE’s garbage collection system (for cleaning up sockets from completed threads, etc.) has been improved.


Subscribe to the Help Net Security breaking news e-mail alerts:


Don't miss