Researchers turn Conficker's own P2P protocol against itself
- — 23 April, 2009 14:51
Security researchers have updated a free tool that sniffs out the notorious Conficker worm on infected PCs by using the same peer-to-peer (P2P) protocol the malware relies on to communicate with its hacker masters.
Symantec Corp.'s security intelligence analysis team has worked with Ron Bowes, a contributor to the Nmap scanner, to come up with a way to detect machines infected with Conficker.c and later variants.
Conficker, which exploded onto the Internet in January -- eventually hijacking millions of PCs -- has had several updates since its November 2008 debut. Conficker.c gained the most attention because of an April 1 trigger, the date when it was to switch to a new communications scheme. Several days later, Conficker.c-infected computers were upgraded to the newest version, Conficker.e, which in turn installed the Waledac spam bot and "scareware" software, a fake security program that nags users until they pony up $50 for the useless application.
Nmap 4.85 Beta 8, which was released yesterday, includes a script by Bowes that looks for Conficker based on its P2P ports. Conficker's P2P, which most analysts believe was added as a backup to the HTTP-based command-and-control communications, first appeared in the "c" variant.
"His script goes out and looks for Conficker's [P2P's] listening ports," said Alfred Huger, vice president of Symantec's security response group, "then tries to chat with them. If they respond, the script looks at the replies. We helped him figure out the type of responses he'd get back [from the Conficker bots]."
Symantec relied on data it had collected from Conficker.c-infected machines in its own "honeypot" network, as well as analysis it did on the worm, to provide Bowes with information. "The author of Conficker obfuscated the peer-to-peer code pretty rigorously," said Huger. "The way the author implemented it was clever, but not earth-shattering."
Although Nmap can detect Conficker.c on computers connected to a company's network, it's not foolproof, both Huger and Bowes warned.
"Network scanning is an imperfect science at best," said Huger. "And once a likely find [of Conficker] is made, you have to verify that by putting hands on the machine." The next step would be to deploy one of the many Conficker cleaning tools that security companies, Symantec included, offer free of charge.
In a blog post, Bowes also cautioned that the script isn't 100% reliable, saying that firewalls and port filters could stymie detection, and PCs set to block Windows' ports would stop the scanner. He provided work-arounds for some of those situations.
Nmap 4.85 Beta 8 contains a slew of other improvements, according to an entry on the Nmap development mailing list, and the scanner has been placed on a mirrored site so infected machines can download the tool. Conficker.c added several new domains to its internal block list, including nmap.org.
"The new script is very cool -- and very needed, especially in places where an administrator doesn't have easy access to all the machines," Huger noted.
Nmap 4.85 Beta 8 can be downloaded from the Nmap site.
This isn't the first time that researchers have used Conficker's own code against it. Late last month, three researchers, including Dan Kaminsky of DNS bug fame, discovered a flaw in the worm that made it much easier to detect infected PCs.