Detecting Conficker Worm With NMap
Jim McMillan
November 2009
Conficker took the Internet by storm, and surprise, in late 2008. SRI International reported they had not seen such a dominating outbreak since
Sasser (2004), and such poor AV detection since the Storm worm (2007). Today, Conficker, also known as Downadup, has five known variants
(Conficker.A through Conficker.E).
The original Conficker worm, known as Conficker.A, started making its way around the Internet, by infecting Microsoft Windows hosts, in
November 2008. It propagates by infecting other computers across the network. Infection is possible due to a vulnerability in the Windows
Server Service as outlined and patched in Microsoft Security Bulletin MS08-067. On infected computers the payload opens a web server to
assist in the worm's distribution. It also resets the restore point and downloads files from random URLs.
In December 2008 another variant, Conficker.B, was detected. In addition to the propagation and payload of Conficker.A, it came with improved
features. Conficker.B gains the ability to propagate via default network shares (such as ADMIN$) with weak passwords, mapped network drives
and removable drives. It uses these paths to spread by creating additional methods of being executed. The additional payload modifies system
settings, terminates services and blocks security related websites to avoid detection.
The next variant, Conficker.C, was discovered in February 2009. This variant utilizes the same propagation methods as the A and B variants. In
addition to the payloads of the A and B variants, the C variant also downloads files with peer-to-peer communications and it adds a check to
validate the content of what it downloads.
The last two variants, Conficker.D (Mar. 2009) and Conficker.E (Apr. 2009), are primarily used to update previous versions of itself. As far as
payload, they just add to previous defenses and source URLs for downloading files. Interestingly, Conficker.E added a self-termination routine
that removed the worm on May 3, 2009. However, it leaves its DLL payload in place so it can still participate in peer-to-peer communication.
NMap is a very powerful, and portable, tool that can be used for network enumeration, mapping and auditing. It is very beneficial for many
security tasks. NMap is capable of network mapping, OS identification, firewall auditing, vulnerability assessments, and much more. One of the
features we are going to take advantage of is the NMap Scripting Engine (NSE).
NSE allows us to write and share scripts that will automate NMap tasks and functionality. Scripts for NSE are currently written in the Lua
programming language and are identified by an .nse extension. We are not going to address script writing here, but we are going to take
advantage of two NSE scripts written specifically for detecting hosts infected with Conficker. For Conficker detection we are interested in two
scripts, smb-check-vulns.nse and p2p-conficker.nse.
In NMap 4.85 BETA5, Conficker detection was added to the smb-check-vulns.nse script, based on the work of Felix Leder and Tillman Werner
at the University of Bonn.
With this new script functionality, we gained the ability to scan our networks for Conficker with a simple NMap command, such as:
nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [target networks]
As Conficker matured, so did NMap's ability to detect it. In NMap 4.85 BETA6, a few bugs were fixed in the detection script. In BETA7, the
false negative rate was reduced and a few more common errors were fixed. NMap became so popular and effective at detecting Conficker that
Conficker itself was programmed to block access to NMap's website and to prevent detection by the NSE scripts.
In response, NMap 4.85 BETA8 was released. In this version, a script called p2p-conficker.nse was introduced to detect the Conficker
peer-to-peer functionality. The checks performed by the smb-check-vulns.nse script were changed to foil Conficker's prevention techniques,
and some functionality was enhanced to improve performance. Two new commands, as follows, came out of this update:
For a quicker scan, run:
nmap -p139,445 --script p2p-conficker,smb-os-discovery,smb-check-vulns --script-args checkconficker=1,safe=1 -T4 [target networks]
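One way to put the quick-scan command above to work from a script and triage the report it produces, written as an added example rather than code from this article or the NMap project: it builds the command line shown above with -oX for XML output, parses the report, and lists the hosts whose smb-check-vulns or p2p-conficker output came back positive. The nmap XML element names are real; the sample report and its host addresses are constructed, and the positive-result wording ("Likely INFECTED") is an assumption that varies by NMap version.

```python
import re
import subprocess
import xml.etree.ElementTree as ET

# Positive markers: "Conficker: Likely INFECTED" (smb-check-vulns) and the
# "Host is likely INFECTED" summary (p2p-conficker). Wording differs by nmap
# version (assumption), so match generously and exclude an explicit "NOT ...".
INFECTED_RE = re.compile(r"(?<!NOT )\bLikely INFECTED\b", re.IGNORECASE)

def build_command(targets, xml_out="conficker-scan.xml"):
    """The article's quick-scan command line, plus -oX so the report is parseable."""
    return ["nmap", "-p139,445",
            "--script", "p2p-conficker,smb-os-discovery,smb-check-vulns",
            "--script-args", "checkconficker=1,safe=1",
            "-T4", "-oX", xml_out] + list(targets)

def parse_nmap_xml(xml_text):
    """Return {ipv4: [(script_id, output), ...]} for hosts a Conficker script flagged."""
    hits = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") == "ipv4"), None)
        if addr is None:
            continue
        for script in host.iter("script"):
            if script.get("id") not in ("smb-check-vulns", "p2p-conficker"):
                continue
            out = script.get("output", "")
            if INFECTED_RE.search(out):
                hits.setdefault(addr, []).append((script.get("id"), out.strip()))
    return hits

def run_scan(targets, xml_out="conficker-scan.xml"):
    """Run nmap (must be installed) against the targets and triage its XML report."""
    subprocess.run(build_command(targets, xml_out), check=True)
    with open(xml_out, encoding="utf-8") as fh:
        return parse_nmap_xml(fh.read())

# Constructed sample report, not real scan output: one flagged host, one clean host.
SAMPLE_XML = """<nmaprun scanner="nmap">
 <host><address addr="192.0.2.10" addrtype="ipv4"/><hostscript>
  <script id="smb-check-vulns" output="Conficker: Likely INFECTED"/></hostscript></host>
 <host><address addr="192.0.2.11" addrtype="ipv4"/><hostscript>
  <script id="smb-check-vulns" output="Conficker: Likely CLEAN"/>
  <script id="p2p-conficker" output="0/4 checks are positive: Host is CLEAN"/></hostscript></host>
</nmaprun>"""

if __name__ == "__main__":
    for ip, findings in parse_nmap_xml(SAMPLE_XML).items():
        print(ip, findings)
```

Replace SAMPLE_XML with the file written by run_scan to triage a real report; hosts it lists are the ones to isolate, clean, and patch for MS08-067.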
Since NMap 4.85 BETA8 and the decline in new Conficker variants, there has not been much need for updates to NMap's detection. However, with variants
of Conficker still in existence, scanning should still be performed to eradicate the worm. As with any defense-in-depth security architecture,
keeping our hosts patched and malware free is an important part of our security strategy.
Porras, P., Hassen, S., & Yegneswaran, V. (2009, February 04). An analysis of Conficker's logic and rendezvous points. Retrieved from http://mtc.sri.com/Conficker
Microsoft (2009, January 08). Win32/Conficker. Retrieved from http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2FConficker
Insecure.Org (2009, October). Nmap change log. Retrieved from http://nmap.org/changelog.html
Insecure.Org (2009, July 16). Nmap 5.00 released. Retrieved from http://nmap.org/5/
Insecure.Org (n.d.). Chapter 9. Nmap Scripting Engine. Retrieved from http://nmap.org/book/nse.html
Insecure.Org (n.d.). Script smb-check-vulns.nse. Retrieved from http://nmap.org/nsedoc/scripts/smb-check-vulns.html
Insecure.Org (n.d.). Script p2p-conficker.nse. Retrieved from http://nmap.org/nsedoc/scripts/p2p-conficker.html
Leder, F., & Werner, T. (2009, June 16). Containing Conficker. Retrieved from http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker