A lot has already been written about Conficker. There had been excellent analysis reports published by SRI, The Honeynet Project and others. Vinay Mahadik and IÂ would like to present some findings on the network aspects of the Conficker.C behavior.Â
We setup a small testbed that had a machine infected with Conficker.C in a controlled environment; and another Linux box that was customized for packet mangling. This enabled us to intercept or mangle the packets exchanged between the infected machine and the outside world. We monitored the activity of the infected host over several days. We classify the test into two phases: Pre- April 1st and the April 1st phase.
During the Pre- April 1st phase we observed the following.
Conficker.C gets the current time from some of the popular websites. This involves sending a DNS query to the name server to resolve the IP address of the website which is followed by a HTTP GET request to that IP address.Â The belowÂ figure illustrates an attempt made to craigslist.org:
Conficker.C also sends UDP and TCP probes to locate its peers. We observed fairly aggressive and simultaneous UDP & TCP scans. The volume of the UDP scans was particularly high – roughly 2-3 UDP queries per second and seems to taper down as we got closer to April 1st. As most of the randomly generated IP addresses were not live or did not have the targeted ports opened, there were a large number of ICMP messages received – port unreachable , host unreachable, time-to-live exceeded.
“April Fooling Conficker.C”
In the April 1st phase, we intercepted and manipulated the HTTP date check query responses, so that for every website that Conficker.C queries, it gets a response with a date stamp of April 1st, 2009. The local system time was also set to April 1st. By controlling the only 2 date check sources, we managed to fool the malware into thinking it was indeed April 1st! Soon after, we observed numerous DNS queries for the generated domain names.
There were a few instances where Conficker.C did discover peers out there, and exchanged short UDP packets with them over several minutes. We were extremely curious about them.
Vinay Mahadik reverse engineered the 95+ conversations, across some 50K+ UDP peer discovery packets, and found some patterns in both the requests and responses. These patterns are valid for both the pre- April 1st and April 1st UDP scans. Based on this, we have incorporated a new heuristics into our latest Network Security Platform Signature set 220.127.116.11, or 18.104.22.168.
McAfee Network Security Platform (Intrushield) customers can observe the following alerts.
- WORM: W32/Conficker.C Activity Detected
- HTTP: Suspicious Time Check Detected
The figure below illustrates the alert viewer drilled down by a Source IP that has generated the “WORM: W32/Conficker.C Activity Detected ” alert.
Â (Both Vinay Mahadik and Ravi Balupari have contributed to this research blog)