Dear Customer,
On Monday March 30, 2009 the QualysGuard platforms added remote detection of machines infected with the Conficker and W32.Downadup worms.
You can search for QID:1227 using the knowledgebase in the QualysGuard UI. You can scan for QID:1227 using the default scan policy, but for the fastest results it is recommended that you use a saved search and a scan profile to run a scan that checks for only this one QID. Use the following steps to do this:
- Create Saved Search
Use Search List in the tools area to create a new static search list. In the pop-up window, type in a title for your saved search such as "QID 1227 Remote Conficker Check". Then click on the select button to bring up a list of QIDs to search from. Scroll through the list or use search to find QID 1227; once you have found it, tick the box and click OK to add it to the search list. Once the QID has been added to the search list, click on save to save the search list.
- Create Option Profile
Use Option Profiles in the tools area to create a new option profile. In the pop-up window, type in a title for your option profile and click on the advanced button. In the Vulnerability Detection area, select custom and then add lists to add the saved search list you just created to the list of QIDs to be scanned. It is also recommended that you leave the "Include Basic host information checks" box ticked. This will add valuable remediation data, such as the NetBIOS name, to the results file. Once you have done this, click on save to save the option profile. NOTE: For increased performance, you can limit TCP ports to 135, 139, 445, and UDP to 137. To do this, use the ports dialog area and select none for TCP and UDP. Then tick the additional box for TCP and type in 135, 139, 445, and the additional box for UDP and type in 137.
- Create & Run Scan
Use Scan in the navigation area to create a new vulnerability scan. In the pop-up window, type in a title for your scan job, select the option profile you just created, fill in the rest of the information and then click on the launch button to start your scan. This same process can be used to schedule a recurring scan for this remote detection of the Conficker worm as well.
- Run Report
Use Scan in the navigation area to monitor the progress of your scan. Once the scan is complete, click on the view icon to get the list of infected machines. Alternatively, you can build a report template that uses the same saved search created earlier to generate a report that lists all the systems infected by Conficker.
With the addition of this check QualysGuard now has three different methods of detection:
- QID: 1227 - Conficker Worm Detected Remotely
This QID was added on March 30, 2009. It does not require authentication to determine if scan targets are infected with the Conficker worm.
- QID: 1225 - W32.Downadup.B/Conficker.C Worm Detected via Authentication
This QID was added on January 9, 2009. It requires authentication to determine if the scan targets are infected with the Conficker worm.
- QID: 90464 - Microsoft Windows Server Service Could Allow Remote Code Execution (MS08-067)
This QID determines if the machine is vulnerable to the underlying flaw that the Conficker worm exploits. It will be posted irrespective of whether the machine is currently infected or not. This QID has authenticated as well as non-authenticated signatures. If authentication credentials are not provided, it can determine with special RPC calls whether the machine is vulnerable. If credentials are provided, it will look at the file versions and registry keys.
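The three checks answer different questions (is the host infected, and is it still exposed to the flaw the worm uses), so results from one scan are most useful when combined per host. The following is an added example, not Qualys code: it models findings as simple (IP, NetBIOS name, QID) tuples constructed here rather than the real QualysGuard export format, and sorts hosts into those that need cleaning, those that were cleaned of nothing but patched after infection, and those that are merely exposed.

```python
"""Triage hosts by the three Conficker-related QualysGuard QIDs.

Added example (not Qualys code). Findings are modelled as a list of
(ip, netbios_name, qid) tuples constructed below; the real QualysGuard
scan export format is not assumed.
"""
from collections import defaultdict

QID_CONFICKER_REMOTE = 1227   # infected, detected without credentials
QID_CONFICKER_AUTH = 1225     # infected, detected via authenticated scan
QID_MS08_067 = 90464          # vulnerable to the flaw Conficker exploits

# Constructed sample findings: (ip, NetBIOS name, QID). A host may have
# several findings; 99999 is a placeholder for an unrelated QID.
SAMPLE_FINDINGS = [
    ("10.0.0.11", "WS-ACCT-01", 1227),
    ("10.0.0.11", "WS-ACCT-01", 90464),
    ("10.0.0.12", "WS-ACCT-02", 1225),    # infected, MS08-067 not reported
    ("10.0.0.13", "WS-ENG-07", 90464),    # exposed, not reported infected
    ("10.0.0.14", "WS-ENG-08", 99999),    # placeholder: unrelated finding
]


def triage(findings):
    """Return {ip: {"name", "status", "qids"}} where status is one of
    'infected', 'infected_patched', 'vulnerable' or 'other'."""
    qids_by_host = defaultdict(set)
    names = {}
    for ip, name, qid in findings:
        qids_by_host[ip].add(qid)
        if name:
            names[ip] = name

    result = {}
    for ip, qids in qids_by_host.items():
        infected = QID_CONFICKER_REMOTE in qids or QID_CONFICKER_AUTH in qids
        vulnerable = QID_MS08_067 in qids
        if infected and vulnerable:
            status = "infected"          # clean the host and patch it
        elif infected:
            status = "infected_patched"  # patching alone did not remove the worm
        elif vulnerable:
            status = "vulnerable"        # patch before the worm reaches it
        else:
            status = "other"
        result[ip] = {"name": names.get(ip), "status": status,
                      "qids": sorted(qids)}
    return result


def counts(triaged):
    """Count hosts per status for a one-line summary."""
    out = defaultdict(int)
    for info in triaged.values():
        out[info["status"]] += 1
    return dict(out)


if __name__ == "__main__":
    t = triage(SAMPLE_FINDINGS)
    for ip, info in sorted(t.items()):
        print(f"{ip:<12} {info['name']:<12} {info['status']:<17} "
              f"QIDs={info['qids']}")
    print(counts(t))
```

The "infected_patched" bucket is the one worth watching: because QID 90464 is posted only while the flaw is present, an infected host without it has been patched but not cleaned, so remediation cannot stop at patching.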
If you have further questions regarding this, please consult your Qualys Technical Account Manager or Qualys' Technical Support Department by phone at +1.866.801.6161 or by email at support@qualys.com.
We thank you for your continued support.
Qualys Customer Advocacy Group