Wednesday, April 21, 2010

Got Conficker? Network Scan Detection of Infected Machines

So you got the Conficker. You could go to each machine and run the eye chart test (http://www.confickerworkinggroup.org/infection_test/cfeyechart.html), but in a bigger environment, or if you prefer to work smarter and not harder, you need some sort of test to pinpoint which machines are infected.

Answer = nmap (http://nmap.org)

I am using the Windows version. With the latest version, the Conficker check is included with the rest of the scripts. Fire up nmap from the command line (adjust the screen buffer to see all results) or the Zenmap GUI, and in the command box or at the command line, type:

nmap -p 445 -d --script smb-check-vulns.nse --script-args safe=1

For example, to check the 192.168.1.0 network range, type:

nmap -p 445 -d --script smb-check-vulns.nse --script-args safe=1 192.168.1.1-254

It takes a few minutes; don't worry if the GUI says "Not Responding", it's still working. When complete, you will see some results. Here is what to look for:

Nmap scan report for machine.domain.com (192.168.1.122)
Host is up, received arp-response (0.00013s latency).
Scanned at 2010-04-21 09:29:26 Eastern Daylight Time for 1s
PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack
MAC Address: 00:06:5B:2A:81:72 (Dell Computer)

Host script results:
| smb-check-vulns:
|   MS08-067: CHECK DISABLED (remove 'safe=1' argument to run)
|   Conficker: Likely CLEAN
|   regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
|_  SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)

Don't worry about the "CHECK DISABLED" lines; those are extra checks that could crash a system, which is why we used "--script-args safe=1". Look for "Conficker: Likely CLEAN". If the machine is good, you will see the clean message; if not, you will see the "Conficker: Likely Infected" message.

You will also get some other messages about not being able to check; those are usually network devices or other OSes that couldn't get Conficker anyway. Be sure to check them though!
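Here is an added example (my own code, not from the original post) that reads nmap's normal output and sorts every host by its smb-check-vulns Conficker verdict, so the "could not check" hosts are flagged for a manual look instead of being missed. The scan text, hostnames and IPs inside it are constructed for the example.

```python
# Added example, not from the original post: pull each host's smb-check-vulns
# Conficker verdict out of nmap's normal output instead of eyeballing the scan.
import re
# Constructed nmap output (trimmed): one clean host, one infected host, and one
# host with port 445 closed, which gets no script result (e.g. a network device).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for pc1.example.local (192.168.1.122)
Host script results:
| smb-check-vulns:
|   Conficker: Likely CLEAN
|_  regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)

Nmap scan report for pc2.example.local (192.168.1.130)
Host script results:
| smb-check-vulns:
|   Conficker: Likely Infected
|_  regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)

Nmap scan report for 192.168.1.200
445/tcp closed microsoft-ds reset
"""

# "Nmap scan report for host (ip)" and "Nmap scan report for ip" both match.
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+(?:\.\d+){3})\)?\s*$")
CONFICKER_RE = re.compile(r"^\|\s+Conficker:\s*(.+?)\s*$")

def classify_hosts(nmap_output):
    """Map each scanned IP to its Conficker verdict text, or 'NO RESULT' when the
    section has no Conficker line (port closed, non-Windows box, check failed)."""
    verdicts, current_ip = {}, None
    for line in nmap_output.splitlines():
        host = HOST_RE.match(line)
        if host:                      # a new host section begins here
            current_ip = host.group(1)
            verdicts[current_ip] = "NO RESULT"
            continue
        verdict = CONFICKER_RE.match(line)
        if verdict and current_ip:    # script line inside the current section
            verdicts[current_ip] = verdict.group(1)
    return verdicts

def infected_hosts(nmap_output):
    """IPs whose verdict says infected (any capitalisation): the machines to clean."""
    return sorted(ip for ip, v in classify_hosts(nmap_output).items()
                  if "infected" in v.lower())

if __name__ == "__main__":
    for ip, verdict in sorted(classify_hosts(SAMPLE_NMAP_OUTPUT).items()):
        print(f"{ip:16}{verdict}")
    print("Infected:", infected_hosts(SAMPLE_NMAP_OUTPUT))
```

Save the real scan with nmap's -oN option and feed that file's contents to classify_hosts; anything reported as NO RESULT still needs checking by hand.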

So now you know WHICH machines are infected; WHAT do you do about it?

Get the removal tool from here (http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99)

Run the tool, reboot, patch - each OS has a different patch. The tool will tell you which one to get; do a Google search on it, download it, install it.

Install Antivirus!

Jeremy

Wednesday, April 14, 2010

Evil HP Color Laserjet 3500 - PCL XL Error

So we have this HP Color Laserjet 3500. Everything seems OK. Then, when trying to print from a particular program (based on Crystal Reports), we get a print out with the following:

PCL XL error

    Subsystem:  Kernal
    Error:      ColorSpaceMismatch
    Operator:   VendorUnique
    Position:   9

OK, Google time. Whoa, a lot of people have this issue. "Use the PCL driver", "Use the PS driver", they say.

Yeah.

It turns out that HP had the brilliant idea (or you did, depending on which way you look at it) to save some money on hardware by using your PC's processing power to do the printing legwork instead of the printer. Well, it SOUNDS good, but it turns out there may be some compatibility issues.

They call it (maybe others do too, we just standardize on HP printers) Host Based printing. There is no PCL, PCL5, PCL5e, PS, etc.; it does magic. Some programs don't like this magic.

As I searched the Internet and found the same problem over and over, with some clever solutions (HP has a "beta" fix to download, use a generic driver, other "thoughtful" solutions) that did not work for me, I decided to go with a workaround.

Install PrimoPDF, print to it, let it open after creation, then print. Extra work? Yes, but they did not want to buy a "standard" PDL (I believe it's called) printer with PCL support.

So I finish uninstalling all the crap I just put on, reboot, Windows finds the printer, I point it to the location of the SAME file I used for the initial install, let it finish, print a test page, and done.

Just for S!@# and giggles, I had the user try to print again. WTF, it worked! For the love of God do not mess with that printer!

Bottom line - I hate that model now, and if you are having the same issue: load everything (even all the crap you don't need), load the beta fix driver, use the HP uninstaller in the Start menu, restart, let Windows find it, point it to the "host based" driver from the HP website (not the big one, that is the "load everything" one), print a test page, and give it a shot!

BTW, some details of setup:

Windows XP Pro 32 bit
USB connection
User had local admin rights

- Jeremy

Wednesday, March 3, 2010

Windows XP Embedded - Does it need Antivirus?

We recently had an outbreak of the Conficker virus. While most of our PCs were protected, we did find some rogue Windows devices: a converted picture frame, a recycled PC pointing to an old AV server with outdated definitions, etc.

I also found a PC that is running Windows XP Embedded. The vendor (who installed it as part of a plotter system) states that they have never had a virus on their systems, as those systems do not talk to the Internet.

Well, Conficker spreads over the local LAN via a Windows vulnerability. Normally, our domain PCs are auto-patched, but this one is not on our domain. It also does not have antivirus.

So, can it be infected? I googled "windows XP embedded virus" and it seems multiple vendors make antivirus products for it, leading me to believe - yes, it can be infected. I also read something about XPe (XP Embedded) having a special EWF - Enhanced Write Filter. The feeling I am getting is that EWF prevents writes to the hard drive. So should that keep it from being infected? Also, did the vendor configure EWF correctly?

The vendor won't let me into the system to run a scan - I don't know what they are afraid of. When I try to boot from a CD with a rescue disk to scan, the system will not accept my "boot from IDE CDROM" selection. Of course the BIOS is password protected.

Any thoughts?

Jeremy