1、 Downadup/Conficker Conficker主要利用Windows操作系统MS08-067漏洞来传播，同时也能借助任何有USB接口的硬件设备来感染，在2008年被发现，并在微软的MS08-067补丁中被修复。但直到如今，仍有不少局域网中发现有Downadup蠕虫病毒感染，有些杀毒软件仍然不给力，无法找到病毒源头，导致在某些机器上不断地重复发现Downadup报告，但无法删除。 2 、Nmap脚本引擎smb-check-vulns.nse Nmap提供了强大的脚本引擎(NSE)，以支持通过Lua编程来扩展Nmap的功能。除了常见的主机发现、端口扫描等功能外，脚本引擎扩展了其他更加多样化的功能，如检查常见的漏洞信息以及本片文章提到的检查蠕虫感染功能。 smb-check-vulns脚本的介绍和源码下载可以在nmap.org官网上获得： http://nmap.org/nsedoc/scripts/smb-check-vulns.html smb-check-vulns脚本可以查看以下漏洞： MS08-067, a Windows RPC vulnerability Conficker, an infection by the Conficker worm Unnamed regsvc DoS, a denial-of-service vulnerability I accidentally found in Windows 2000 SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497) MS06-025, a Windows Ras RPC service vulnerability MS07-029, a Windows Dns Server RPC service vulnerability 其中关于Conficker的检查，mnap是基于以下的这个Conficker扫描器 http://net.cs.uni-bonn.de/wg/cs/applications/containing-conficker 3、 Nmap扫描实例 此工具用来检测远程可疑源的具体使用命令如下： nmap -PN -T4 -p139,445 -n -v --script smb-check-vulns,smb-os-discovery--script-args safe=1 [targetnetworks] 如： nmap -PN -T4 -p139,445 -n -v --script smb-check-vulns, smb-os-discovery--script-args safe=1 100.10.1.* 方便起见，可以将其导出到一个文件中： nmap -PN -T4 -p139,445 -n -v --scriptsmb-check-vulns,smb-os-discovery --script-args safe=1 [targetnetworks] >nmap_result.log 从日志里面找关键字，可以确定病毒源的位置。 … Host 172.30.160.22 is up (0.00s latency). Interesting ports on 172.30.160.22: PORT STATE SERVICE 139/tcp open netbios-ssn 445/tcp open microsoft-ds MAC Address: 00:E0:4C:1E:22:B8 (RealtekSemiconductor) Host script results: | smb-os-discovery: Windows XP | LAN Manager: Windows 2000 LAN Manager | Name: WORKGROUP\WH013 |_ System time: 2009-12-21 17:10:57 UTC+8 | smb-check-vulns: | MS08-067: CHECK DISABLED (remove 'safe=1'argument to run) | Conficker: UNKNOWN; not Windows, orWindows with disabled browser service (CLEAN); or Windows with crashed browserservice (possibly INFECTED). | | If you know the remote system isWindows, try rebooting it and scanning | |_ again. (ErrorNT_STATUS_OBJECT_NAME_NOT_FOUND) |_ regsvc DoS: CHECK DISABLED (add'--script-args=unsafe=1' to run) … Host 172.30.160.40 is up (0.00s latency). Interesting ports on 172.30.160.40: PORT STATE SERVICE 139/tcp open netbios-ssn 445/tcp open microsoft-ds MAC Address: 00:16:76:A8:D4:1F (Intel) Host script results: | smb-os-discovery: Windows XP | LAN Manager: Windows 2000 LAN Manager | Name: SZWH\WH-ASP-04 |_ System time: 2009-12-21 17:09:06 UTC+8 | smb-check-vulns: | MS08-067: CHECK DISABLED (remove 'safe=1'argument to run) | Conficker: Likely INFECTED (by Conficker.C or lower) |_ regsvc DoS: CHECK DISABLED (add'--script-args=unsafe=1' to run)I