Using Nmap to locate the source of a Downadup/Conficker worm infection
1、Downadup/Conficker
Conficker spreads mainly by exploiting the MS08-067 vulnerability in Windows, and it can also propagate through any hardware device with a USB interface. It was discovered in 2008, and the vulnerability it exploits was fixed by Microsoft's MS08-067 patch. Even so, Downadup infections are still found on many LANs today. Some antivirus products are not up to the job and cannot locate the source of the infection, so certain machines keep reporting Downadup detections over and over without being able to remove it.
2、The Nmap script engine and smb-check-vulns.nse
Nmap provides a powerful scripting engine (NSE) that lets Nmap's functionality be extended with programs written in Lua. Beyond the usual host discovery and port scanning, the scripting engine adds a wide range of other capabilities, such as checking for common vulnerabilities and, as described in this article, checking for worm infections.
The description of the smb-check-vulns script and its source code are available on the nmap.org site:
http://nmap.org/nsedoc/scripts/smb-check-vulns.html
The smb-check-vulns script can check for the following vulnerabilities:
MS08-067, a Windows RPC vulnerability
Conficker, an infection by the Conficker worm
Unnamed regsvc DoS, a denial-of-service vulnerability I accidentally found in Windows 2000
SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
MS06-025, a Windows Ras RPC service vulnerability
MS07-029, a Windows Dns Server RPC service vulnerability
其中關(guān)于Conficker的檢查,mnap是基于以下的這個(gè)Conficker掃描器
http://net.cs.uni-bonn.de/wg/cs/applications/containing-conficker
3、Nmap scan example
The command for using this tool to detect suspicious remote hosts is as follows:
nmap -PN -T4 -p139,445 -n -v --script smb-check-vulns,smb-os-discovery --script-args safe=1 [targetnetworks]
For example:
nmap -PN -T4 -p139,445 -n -v --script smb-check-vulns,smb-os-discovery --script-args safe=1 100.10.1.*
For convenience, the output can be redirected to a file:
nmap -PN -T4 -p139,445 -n -v --script smb-check-vulns,smb-os-discovery --script-args safe=1 [targetnetworks] > nmap_result.log
Searching the log for the relevant keywords pinpoints the host that is the source of the infection.
…
Host 172.30.160.22 is up (0.00s latency).
Interesting ports on 172.30.160.22:
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:E0:4C:1E:22:B8 (Realtek Semiconductor)
Host script results:
|  smb-os-discovery: Windows XP
|  LAN Manager: Windows 2000 LAN Manager
|  Name: WORKGROUP\WH013
|_ System time: 2009-12-21 17:10:57 UTC+8
|  smb-check-vulns:
|  MS08-067: CHECK DISABLED (remove 'safe=1' argument to run)
|  Conficker: UNKNOWN; not Windows, or Windows with disabled browser service (CLEAN); or Windows with crashed browser service (possibly INFECTED).
|  |  If you know the remote system is Windows, try rebooting it and scanning
|  |_ again. (Error NT_STATUS_OBJECT_NAME_NOT_FOUND)
|_ regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
…
Host 172.30.160.40 is up (0.00s latency).
Interesting ports on 172.30.160.40:
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:16:76:A8:D4:1F (Intel)
Host script results:
|  smb-os-discovery: Windows XP
|  LAN Manager: Windows 2000 LAN Manager
|  Name: SZWH\WH-ASP-04
|_ System time: 2009-12-21 17:09:06 UTC+8
|  smb-check-vulns:
|  MS08-067: CHECK DISABLED (remove 'safe=1' argument to run)
|  Conficker: Likely INFECTED (by Conficker.C or lower)
|_ regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
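The log search described in section 3 is easy to get wrong with a plain keyword grep: the UNKNOWN result line above contains both the words CLEAN and INFECTED, so searching the file for "INFECTED" flags hosts whose browser service merely crashed alongside the host that is actually infected. The following Python script is an added example, not part of the original article or of Nmap; it parses the normal-format scan output (the sample log embedded below is constructed to mirror the two host blocks above, plus a third clean host, and is not a real capture), classifies each host by the leading words of its Conficker result, and separates the likely source of the infection from hosts that only need a reboot and a rescan.

```python
"""Parse nmap normal-format output from a smb-check-vulns scan and list the
hosts whose Conficker check came back INFECTED or UNKNOWN."""
import re
import sys

# Constructed sample in the same layout as the scan output on this page; not a real capture.
SAMPLE_LOG = """\
Host 172.30.160.22 is up (0.00s latency).
Interesting ports on 172.30.160.22:
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:E0:4C:1E:22:B8 (Realtek Semiconductor)
Host script results:
|  smb-os-discovery: Windows XP
|  LAN Manager: Windows 2000 LAN Manager
|  Name: WORKGROUP\\WH013
|_ System time: 2009-12-21 17:10:57 UTC+8
|  smb-check-vulns:
|  MS08-067: CHECK DISABLED (remove 'safe=1' argument to run)
|  Conficker: UNKNOWN; not Windows, or Windows with disabled browser service (CLEAN); or Windows with crashed browser service (possibly INFECTED).
|  |  If you know the remote system is Windows, try rebooting it and scanning
|  |_ again. (Error NT_STATUS_OBJECT_NAME_NOT_FOUND)
|_ regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
Host 172.30.160.40 is up (0.00s latency).
Interesting ports on 172.30.160.40:
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:16:76:A8:D4:1F (Intel)
Host script results:
|  smb-os-discovery: Windows XP
|  Name: SZWH\\WH-ASP-04
|  smb-check-vulns:
|  MS08-067: CHECK DISABLED (remove 'safe=1' argument to run)
|  Conficker: Likely INFECTED (by Conficker.C or lower)
|_ regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
Host 172.30.160.41 is up (0.00s latency).
MAC Address: 00:16:76:A8:D4:20 (Intel)
Host script results:
|  smb-check-vulns:
|  Conficker: Likely CLEAN
"""

HOST_RE = re.compile(r"^Host (\d{1,3}(?:\.\d{1,3}){3}) is up")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17}) \((.*)\)$")
NAME_RE = re.compile(r"^\|_?\s*Name: (\S+)")
CONFICKER_RE = re.compile(r"^\|_?\s*Conficker: (.*)$")


def classify(result):
    """Map the script's free-text Conficker result to a one-word verdict.
    Only the leading words are examined: the UNKNOWN line also contains the
    words CLEAN and INFECTED, so a keyword grep would misfile it."""
    if result.startswith("Likely INFECTED"):
        return "INFECTED"
    if result.startswith("Likely CLEAN"):
        return "CLEAN"
    if result.startswith("UNKNOWN"):
        return "UNKNOWN"
    return "ERROR"


def parse_nmap_log(text):
    """Return {ip: {mac, vendor, name, conficker, verdict}} for every host block."""
    hosts = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:  # a new host block starts; everything until the next one belongs to it
            current = m.group(1)
            hosts[current] = {"mac": None, "vendor": None, "name": None,
                              "conficker": None, "verdict": "NO RESULT"}
            continue
        if current is None:
            continue
        rec = hosts[current]
        m = MAC_RE.match(line)
        if m:
            rec["mac"], rec["vendor"] = m.group(1), m.group(2)
            continue
        m = NAME_RE.match(line)
        if m:
            rec["name"] = m.group(1)
            continue
        m = CONFICKER_RE.match(line)
        if m:
            rec["conficker"] = m.group(1)
            rec["verdict"] = classify(m.group(1))
    return hosts


def hosts_with_verdict(hosts, verdict):
    """IPs with the given verdict, sorted numerically by octet."""
    return sorted((ip for ip, rec in hosts.items() if rec["verdict"] == verdict),
                  key=lambda ip: tuple(int(p) for p in ip.split(".")))


if __name__ == "__main__":
    # Usage: python find_conficker.py nmap_result.log   (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    hosts = parse_nmap_log(text)
    for ip in hosts_with_verdict(hosts, "INFECTED"):
        r = hosts[ip]
        print(f"INFECTED {ip} {r['name']} {r['mac']} ({r['vendor']}): {r['conficker']}")
    for ip in hosts_with_verdict(hosts, "UNKNOWN"):
        print(f"RECHECK  {ip} {hosts[ip]['name']}: reboot the host and rescan")
```

Run it against the nmap_result.log produced by the redirected command in section 3; the MAC address and vendor are carried along because they are what you need to find the physical machine on the switch once the IP is known.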