he Honeynet Project has discovered an anomaly in Conficker that makes it possible to detect infected hosts with an elaborate fingerprint scan over the network.
sudo nmap -sC --script=smb-check-vulns --script-args=safe=1 -p445 \
-d -PN -n -T4 --min-hostgroup 256 --min-parallelism 64 \
-oA conficker_scan \<your network(s) here>
Hot on the coattails of the Simple Conficker Scanner, I’ve added detection for Conficker to Nmap.
This enabled us to intercept or mangle the packets exchanged between the infected machine and the outside world. We monitored the activity of the infected host over several days. We classify the test into two phases: Pre- April 1st and the April 1st phase.