http://blogs.zdnet.com/security/?p=3043&tag=nl.e589
I followed these steps successfully on two machines, a Windows XP SP3 workstation and Windows 2003 SP2 server, and scanned three subnets in a few minutes.
Overview of steps:
- download and install ActiveState Win32 Python
- download the Python Crypto module
- download and install the Python Impacket module
- download, extract and run scs.py
Create a working directory for downloads and builds. I used
c:\Download\ConfickerTools
ActiveState Python
- download the .msi into the working directory
Python Crypto module
http://www.voidspace.org.uk/downloads/pycrypto-2.0.1.win32-py2.6.exe
- run the executable. It should find the Python26 installation and install there.
Python Impacket module
- download into the working directory
http://oss.coresecurity.com/repo/Impacket-0.9.6.0.zip
- extract the .zip file, preserving the directory structure
- open a command prompt
- change into the extracted directory, e.g.
cd C:\Download\ConfickerTools\Impacket-0.9.6.0
- at the prompt, enter
python setup.py install
Python will build the module and install it into its library directory.
Simple Conficker Scanner (scs)
- download from the University of Bonn, Germany, into the working directory
http://iv.cs.uni-bonn.de/uploads/media/scs.zip
- extract the .zip file
- run the tool with the start and end addresses of your LAN, and redirect the output to a text file, e.g.
scs.py 192.168.1.1 192.168.1.254 > scs-out_192-168-1-0.txt
- examine the output file for any infected machines
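The scan command above covers one subnet; to cover several, the start address, end address and output file name for each can be derived from the subnet itself. The following is an added example, not part of the original post or of scs: the CIDR input form, the function names and the sample subnets other than 192.168.1.0 are assumptions. It uses only the standard library, so it runs under the Python 2.6 installed above as well as current Python.

```python
import socket
import struct


def _to_int(dotted):
    # inet_aton also accepts short forms such as "10.1", so require four octets
    if dotted.count(".") != 3:
        raise ValueError("not a dotted quad: %r" % dotted)
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def _to_ip(number):
    return socket.inet_ntoa(struct.pack("!I", number))


def scan_plan(cidr):
    """Return (start, end, outfile) for one subnet given as a.b.c.d/prefix."""
    address, _, prefix = cidr.partition("/")
    prefix = int(prefix)
    if not 8 <= prefix <= 30:
        raise ValueError("prefix /%d has no usable host range here" % prefix)
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    network = _to_int(address) & mask          # tolerate a host address as input
    broadcast = network | (mask ^ 0xFFFFFFFF)
    # Output name follows the post's convention: network address with dashes
    outfile = "scs-out_%s.txt" % _to_ip(network).replace(".", "-")
    # Skip the network and broadcast addresses, as the post's example does
    return _to_ip(network + 1), _to_ip(broadcast - 1), outfile


def command_lines(cidrs):
    """Build one scs.py command line per distinct subnet, in input order."""
    seen, lines = set(), []
    for cidr in cidrs:
        plan = scan_plan(cidr)
        if plan in seen:                       # same subnet listed twice
            continue
        seen.add(plan)
        lines.append("scs.py %s %s > %s" % plan)
    return lines


if __name__ == "__main__":
    # Constructed subnet list; replace with the subnets you are responsible for
    for line in command_lines(["192.168.1.0/24", "192.168.2.0/24", "10.0.4.0/22"]):
        print(line)
```

The printed lines can be pasted into the command prompt or saved as a batch file in the directory that holds scs.py.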