Conficker.C Over The Wire
Wednesday April 1, 2009 at 12:14 am CST
Posted by Ravi Balupari
A lot has already been written about Conficker. There have been excellent analysis reports published by SRI, The Honeynet Project and others. Vinay Mahadik and I would like to present some findings on the network behavior of Conficker.C.
We set up a small testbed with a machine infected with Conficker.C in a controlled environment, and a second Linux box customized for packet mangling. This let us intercept or mangle the packets exchanged between the infected machine and the outside world. We monitored the activity of the infected host over several days. We split the test into two phases: the pre-April 1st phase and the April 1st phase.
During the Pre- April 1st phase we observed the following.
Conficker.C gets the current time from some popular websites. This involves sending a DNS query to the name server to resolve the IP address of the website, followed by an HTTP GET request to that IP address. The figure below illustrates an attempt made to craigslist.org:

Conficker.C also sends UDP and TCP probes to locate its peers. We observed fairly aggressive, simultaneous UDP and TCP scans. The volume of the UDP scans was particularly high, roughly 2-3 UDP queries per second, and it seemed to taper off as April 1st approached. As most of the randomly generated IP addresses were not live or did not have the targeted ports open, a large number of ICMP messages came back: port unreachable, host unreachable and time-to-live exceeded.
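The two traits just described (a steady stream of UDP probes to many distinct random peers, most of which draw an ICMP error back) are what a network sensor can key on. The following is an added example, not code from the original post or from the McAfee signature set: a small detector that scores each source host on probe rate, distinct peer count and the fraction of probes answered by ICMP unreachable/TTL-exceeded messages. The packet records, the host addresses and the thresholds are constructed for illustration and should be tuned against real traffic.

```python
"""Flag hosts whose UDP traffic looks like Conficker.C peer discovery.

Added example; the packet trace below is synthetic, not a capture from the
testbed. A host is flagged when it sends UDP at or above `min_pps` to at least
`min_peers` distinct addresses and at least `min_unreach_ratio` of those probes
are answered by an ICMP error (sent back by the peer or by a router on the way).
"""
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float          # seconds since start of trace
    src: str
    dst: str
    proto: str         # "udp", "tcp" or "icmp"
    dport: int = 0     # for udp/tcp
    icmp: str = ""     # for icmp: "port-unreach", "host-unreach", "ttl-exceeded"


ICMP_ERRORS = {"port-unreach", "host-unreach", "ttl-exceeded"}


def constructed_trace():
    """Synthetic packets: one host behaving like the infected machine
    (about 3 UDP probes per second to random peers, most unanswered except
    for an ICMP error) and one host doing ordinary DNS lookups."""
    rnd = random.Random(2009)     # fixed seed so the trace is reproducible
    pkts = []
    for i in range(30):
        t = i / 3.0
        peer = "%d.%d.%d.%d" % (rnd.randint(1, 223), rnd.randint(0, 255),
                                rnd.randint(0, 255), rnd.randint(1, 254))
        pkts.append(Pkt(t, "10.0.0.5", peer, "udp", dport=rnd.randint(1024, 65535)))
        if i % 5 != 0:
            # 24 of the 30 probes draw an ICMP error back; sometimes from the
            # peer itself, sometimes from an intermediate router.
            sender = peer if i % 2 else "192.0.2.1"
            kind = "port-unreach" if i % 2 else "host-unreach"
            pkts.append(Pkt(t + 0.05, sender, "10.0.0.5", "icmp", icmp=kind))
    for i in range(5):
        # Benign host: five DNS queries to the local resolver, all answered.
        t = i * 2.0
        pkts.append(Pkt(t, "10.0.0.7", "10.0.0.1", "udp", dport=53))
        pkts.append(Pkt(t + 0.01, "10.0.0.1", "10.0.0.7", "udp", dport=40000 + i))
    return sorted(pkts, key=lambda p: p.ts)


def find_scanners(packets, min_pps=1.0, min_peers=10, min_unreach_ratio=0.5):
    """Return {source: stats} for every host that meets all three thresholds."""
    sent = defaultdict(int)        # UDP packets sent per source
    peers = defaultdict(set)       # distinct destinations per source
    first, last = {}, {}           # time span of each source's UDP activity
    unreach = defaultdict(int)     # ICMP errors received, keyed by the probing host
    for p in packets:
        if p.proto == "udp":
            sent[p.src] += 1
            peers[p.src].add(p.dst)
            first.setdefault(p.src, p.ts)
            last[p.src] = p.ts
        elif p.proto == "icmp" and p.icmp in ICMP_ERRORS:
            unreach[p.dst] += 1    # the error goes back to whoever probed
    flagged = {}
    for src, n in sent.items():
        span = max(last[src] - first[src], 1.0)   # avoid dividing by ~0 for one-off senders
        rate = n / span
        ratio = unreach[src] / n
        if rate >= min_pps and len(peers[src]) >= min_peers and ratio >= min_unreach_ratio:
            flagged[src] = {"udp_sent": n, "peers": len(peers[src]),
                            "pps": round(rate, 2), "unreach_ratio": round(ratio, 2)}
    return flagged


if __name__ == "__main__":
    for host, stats in find_scanners(constructed_trace()).items():
        print(host, stats)
```

The ratio of ICMP errors to probes is what separates the worm's random-address scan from a busy but legitimate UDP talker such as a resolver or a VoIP gateway, which sends many packets but to live peers that answer in kind.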

“April Fooling Conficker.C”
In the April 1st phase, we intercepted and manipulated the responses to the HTTP date-check queries, so that for every website Conficker.C queried it got a response carrying a date stamp of April 1st, 2009. The local system time was also set to April 1st. By controlling the only two time sources the malware consults (the HTTP responses and the local clock), we fooled it into thinking it was indeed April 1st. Soon after, we observed numerous DNS queries for the generated domain names.
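The mangling step above, and the time check it targets, in code. This is an added example and not the authors' packet-mangling setup: it shows what a client doing the HTTP time check extracts from a response and what an interceptor sitting between the infected host and the web server has to change so that the client sees April 1st. It assumes (the post does not spell this out) that the time is read from the Date header of the HTTP response; the sample response is constructed, not captured traffic.

```python
"""Rewrite the Date header of an HTTP response in transit.

Added example, not code from the original post. `extract_http_date` is the
client side of the time check (assumed here to parse the Date header);
`rewrite_http_date` is the interceptor side, replacing that header while
leaving the rest of the response, body included, untouched.
"""
import re
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime
from typing import Optional

# Constructed sample of what a web server might answer to the worm's GET.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Tue, 24 Mar 2009 17:05:12 GMT\r\n"
    b"Server: Apache\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Matches a Date header line inside the header block (case-insensitive name).
DATE_RE = re.compile(rb"^(Date:[ \t]*)([^\r\n]*)", re.IGNORECASE | re.MULTILINE)

# The date we want the client to believe.
APRIL_FOOLS = datetime(2009, 4, 1, 0, 0, 0, tzinfo=timezone.utc)


def extract_http_date(response: bytes) -> Optional[datetime]:
    """Client side: pull the Date header from the response and parse the
    RFC 1123 timestamp into an aware datetime. None if there is no header."""
    head = response.split(b"\r\n\r\n", 1)[0]
    m = DATE_RE.search(head)
    if not m:
        return None
    return parsedate_to_datetime(m.group(2).decode("ascii", "replace"))


def rewrite_http_date(response: bytes, new_time: datetime) -> bytes:
    """Interceptor side: replace the Date header value with `new_time`.
    If the server sent no Date header, one is added, since a client with no
    time source would simply fall back to the next website."""
    head, sep, body = response.partition(b"\r\n\r\n")
    new_value = format_datetime(new_time.astimezone(timezone.utc), usegmt=True).encode()
    new_head, n = DATE_RE.subn(lambda m: m.group(1) + new_value, head, count=1)
    if n == 0:
        new_head = head + b"\r\nDate: " + new_value
    return new_head + sep + body


if __name__ == "__main__":
    print("server said:", extract_http_date(SAMPLE_RESPONSE))
    mangled = rewrite_http_date(SAMPLE_RESPONSE, APRIL_FOOLS)
    print("client sees:", extract_http_date(mangled))
```

In a real interception box the rewrite has to be applied to the TCP stream rather than to a single packet, and the length of the header value should be kept stable (or the TCP sequence numbers fixed up) so that the rest of the connection is not disturbed; the helper above only deals with the bytes of the response itself.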

There were a few instances where Conficker.C did discover peers out there, and exchanged short UDP packets with them over several minutes. We were extremely curious about them.
Vinay Mahadik reverse engineered the 95+ conversations, across some 50K+ UDP peer discovery packets, and found patterns in both the requests and the responses. These patterns hold for both the pre-April 1st and the April 1st UDP scans. Based on this, we have incorporated a new heuristic into our latest Network Security Platform signature sets, 5.1.16.15 and 4.1.46.16.
McAfee Network Security Platform (Intrushield) customers will see the following alerts:
- WORM: W32/Conficker.C Activity Detected
- HTTP: Suspicious Time Check Detected
The figure below illustrates the alert viewer drilled down by a source IP that has generated the “WORM: W32/Conficker.C Activity Detected” alert.

(Both Vinay Mahadik and Ravi Balupari have contributed to this research blog)

April 1st, 2009 at 06:49
I noticed that the security certificate at ebay is no longer valid when I was asked to pay for an item. I don’t have any idea if this is related.
April 1st, 2009 at 12:38
[...] Computer Security Research – McAfee Avert Labs Blog [...]
April 1st, 2009 at 13:28
[...] guys at McAfee tricked their version of the virus into thinking it was April 1 yesterday and their conclusion was [...]
April 1st, 2009 at 17:00
[...] Computer Security Research – McAfee Avert Labs Blog This enabled us to intercept or mangle the packets exchanged between the infected machine and the outside world. We monitored the activity of the infected host over several days. We classify the test into two phases: Pre- April 1st and the April 1st phase. (tags: mcafee intrushield ids conficker) [...]
April 1st, 2009 at 17:43
[...] links: Microsoft – Bulletin MS08-076 McAfee Avert Labs – Conficker.C observations with wireshark Wikipedia – April Fools CNET – Conficker silence Vancouver Sun – [...]
April 2nd, 2009 at 08:01
[...] April 1, 6:35 a.m. PDT: McAfee says its Avert Labs is seeing Conficker-infected hosts attempting to call their “master” to get instructions, but those calls are not getting through. “This could be deliberate and the infected hosts may try again later, perhaps over the weekend when people aren’t watching as closely,” McAfee spokesman Joris Evers says. Hear more on this podcast. And for more technical details on what the worm is doing, McAfee Avert Labs has an updated blog posting. [...]