tag:blogger.com,1999:blog-31427971224835995802012-02-16T13:07:14.519-08:00Computer Depot Technicianhttp://www.blogger.com/profile/01547626998868436749noreply@blogger.comBlogger11100tag:blogger.com,1999:blog-3142797122483599580.post-23320359743426248082009-04-09T12:09:00.001-07:002009-04-09T12:55:50.205-07:00<p class="callout">On account of the original eye chart at Joe Stewart's site being down, I've taken the liberty of creating this eye chart in replacement.</p><br /><table align="center"> <tbody></tbody><tbody> <tr> <td align="center"><a href="http://www.f-secure.com/"><img src="http://www.f-secure.com/export/system/fsgalleries/thumbnails/thumbnails_112xN/FSC_logo_pos_112x128.jpg" alt="" height="128" width="112" /></a></td> <td align="center"><a href="http://www.secureworks.com/"><img src="http://www.secureworks.com/images/headerlogo.gif" alt="" height="37" width="233" /></a></td> <td align="center"><a href="http://www.trendmicro.com/"><img src="http://us.trendmicro.com/images/common/LogoTrendMicro_3d.gif" alt="" height="45" width="120" /></a></td> </tr> <tr> <td align="center"><a href="http://www.openbsd.org/"><img src="http://eyechart.sie.isc.org/openbsd.jpg" alt="" height="129" width="150" /></a></td> <td align="center"><a href="http://www.linux.org/"><img src="http://149.20.54.68/linux.png" alt="" height="129" width="109" /></a></td> <td align="center"><a href="http://www.freebsd.org/"><img src="http://eyechart.sie.isc.org/freebsd.png" alt="" height="129" width="118" /></a></td> </tr> </tbody> <tbody></tbody></table><br /><h2>How to interpret</h2><br /><table> <tbody></tbody><tbody> <tr align="center"> <td>If you see this above:</td> <td>It probably means this:</td> </tr> <tr> <td align="center">All six images displayed</td> <th align="left">= Normal/Not Infected by Conficker (or using proxy)</th> </tr> <tr> <td align="center">Security/AV logos not displayed</td> <th align="left">= Possibly Infected by Conficker (C variant or greater)</th> </tr> <tr> <td align="center">Some security/AV logos not displayed</td> <th align="left">= Possibly Infected by Conficker B variant</th> </tr> <tr> <td align="center">Lower images don't appear<br />(Tux, blowfish, devil)<br /></td> <th align="left">=<br /><ol><li> Image loading turned off in browser?</li><br /><li>Verification images most likely being DDoSed (attacked by thousands of machines around the globe)</li></ol><br />It's okay, the important part is the top images -- <em>do you see them</em>?</th> </tr> <tr> <td align="center">Any other combination</td> <th align="left">= Poor Internet connection?</th> </tr> </tbody> <tbody></tbody></table><br /><h2>Explanation</h2><br /><p>Conficker (aka Downadup, Kido) is known to block access to over 100 anti-virus and security websites.</p><br /><p>If you are blocked from loading the remote images in the first row of<br />the top table above (AV/security sites) but not blocked from loading<br />the remote images in the second row (websites of alternative operating<br />systems) then your Windows PC may be infected by Conficker (or some<br />other malicious software).</p><br /><p><br />If you can see all six images in both rows of the top table -- or at<br />least the top ones, as the bottom ones seem to be DDoSed at the time -- you are either not infected by Conficker, or you<br />may be using a proxy server, in which case you will not be able to use<br />this test to make an accurate determination, since Conficker will be<br />unable to block you from viewing the AV/security sites.</p><br /><h2>Detecting Conficker on your network through a port scanner</h2><br /><p><a class="external-link" href="http://www.net-security.org/secworld.php?id=7252">Net-Security suggests that</a>, to scan for Conficker, you can a command such as:</p><br /><pre> nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]</pre><br /><h2>Credits<br /></h2><br /><p class="discreet">F-Secure and the F-Secure Logo are trademarks of F-Secure Corporation.<br />SecureWorks and the SecureWorks Logo are registered trademarks of SecureWorks Inc.<br />Trend Micro and the T-Ball logo are trademarks or registered trademarks of Trend Micro Inc.<br /><br />The Conficker Eye Chart is a concept by <a href="http://www.joestewart.org/">Joe Stewart</a>.<br /><br />This derivative work was set up to help Joe Stewart's efforts.<br /><a href="http://www.gnu.org/copyleft/">Copyleft</a> 2009.</p><br /><p class="callout"><br /></p><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3142797122483599580-2332035974342624808?l=confikerchart.blogspot.com' alt='' /></div>Computer Depot Technicianhttp://www.blogger.com/profile/01547626998868436749noreply@blogger.com0