MS08-067 (Conficker worm) detection – OpenVAS plugin

Conficker worm variants A, B and C depend on a vulnerability in the Microsoft Server service. Microsoft released advisory MS08-067 back in October 2008 to address this vulnerability. As was expected at that time, a number of attacks are spreading, the major one being the Conficker worm.

We have plugins for OpenVAS,
900055 – secpod_ms08-067_900055.nasl
900056 – secpod_ms08-067_900056.nasl

to detect the patch status of MS08-067. Plugin 900055 requires SMB credentials and verifies that the required hotfix is installed by checking the Windows Registry and the updated file versions. Plugin 900056 is a proof-of-concept exploit that tries to crash the Server service (safe_checks has to be disabled). It can work with anonymous login if the target system allows it (Windows 2000 allows anonymous login by default). The plugin checks the RPC response status of an unpatched system.
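The decision a credentialed check such as plugin 900055 has to make from registry and file-version evidence, as an added Python example (not the plugin's NASL code). The fixed version used below is a constructed placeholder, and the way the two pieces of evidence are combined is an assumption.

```python
from enum import Enum
from typing import Optional, Tuple


class Verdict(Enum):
    PATCHED = "patched"
    VULNERABLE = "vulnerable"
    INCONCLUSIVE = "inconclusive"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a four-part Windows file version such as '1.2.3.100' into ints."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part file version: {text!r}")
    return tuple(int(p) for p in parts)


def patch_verdict(hotfix_in_registry: Optional[bool],
                  file_version: Optional[str],
                  fixed_version: str) -> Verdict:
    """Combine registry and file-version evidence into one verdict.

    None means the value could not be read, for example because the SMB
    login failed. Unreadable evidence must never be reported as "patched".
    """
    if file_version is not None:
        # The file on disk is the decisive evidence. Compare numerically:
        # as strings, '1.2.3.99' would sort above '1.2.3.100'.
        if parse_version(file_version) >= parse_version(fixed_version):
            return Verdict.PATCHED
        return Verdict.VULNERABLE
    if hotfix_in_registry:
        # No file version available, fall back to the hotfix entry.
        return Verdict.PATCHED
    # A missing hotfix entry alone is not proof (the fix may have arrived
    # another way), and no evidence at all proves nothing.
    return Verdict.INCONCLUSIVE


if __name__ == "__main__":
    FIXED = "1.2.3.100"  # constructed placeholder, not the real fixed version
    for reg, ver in [(False, "1.2.3.99"), (True, None), (None, None)]:
        print(reg, ver, "->", patch_verdict(reg, ver, FIXED).value)
```

An inconclusive result is the cue to fix the scan credentials and rescan rather than to treat the host as clean.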

If your system is found to be vulnerable, make sure to run AV scanners to see whether you are infected by the Conficker worm. All major AV vendors have signatures. A manual procedure to verify whether you are infected, and to clean the infection, is available at:

http://download.nai.com/products/mcafee-avert/documents/combating_w32_conficker_worm.pdf

Apr 1st, 2009 | Posted in Uncategorized