Researchers turn Conficker's own P2P protocol against itself

Symantec, Ron Bowes join forces to detect infected PCs by chatting with worm over P2P

Security researchers have updated a free tool that sniffs out the notorious Conficker worm on infected PCs by using the same peer-to-peer (P2P) protocol the malware relies on to communicate with its hacker masters.

Symantec Corp.'s security intelligence analysis team has worked with Ron Bowes, a contributor to the Nmap scanner, to come up with a way to detect machines infected with Conficker.c and later variants.

Conficker, which exploded onto the Internet in January -- eventually hijacking millions of PCs -- has had several updates since its November 2008 debut. Conficker.c gained the most attention because of an April 1 trigger, the date when it was to switch to a new communications scheme. Several days later, Conficker.c-infected computers were upgraded to the newest version, Conficker.e, which in turn installed the Waledac spam bot and "scareware" software, a fake security program that nags users until they pony up $50 for the useless application.

Nmap 4.85 Beta 8, which was released yesterday, includes a script by Bowes that looks for Conficker based on its P2P ports. Conficker's P2P, which most analysts believe was added as a backup to the HTTP-based command-and-control communications, first appeared in the "c" variant.

"His script goes out and looks for Conficker's [P2P's] listening ports," said Alfred Huger, vice president of Symantec's security response group, "then tries to chat with them. If they respond, the script looks at the replies. We helped him figure out the type of responses he'd get back [from the Conficker bots]."

Symantec relied on data it had collected from Conficker.c-infected machines in its own "honeypot" network, as well as analysis it did on the worm, to provide Bowes with information. "The author of Conficker obfuscated the peer-to-peer code pretty rigorously," said Huger. "The way the author implemented it was clever, but not earth-shattering."

Although Nmap can detect Conficker.c on computers connected to a company's network, it's not foolproof, both Huger and Bowes warned.

"Network scanning is an imperfect science at best," said Huger. "And once a likely find [of Conficker] is made, you have to verify that by putting hands on the machine." The next step would be to deploy one of the many Conficker cleaning tools that security companies, Symantec included, offer free of charge.

In a blog post, Bowes also cautioned that the script isn't 100% reliable, saying that firewalls and port filters could stymie detection, and PCs set to block Windows' ports would stop the scanner. He provided work-arounds for some of those situations.

Nmap 4.85 Beta 8 contains a slew of other improvements, according to an entry on the Nmap development mailing list, and the scanner has been placed on a mirrored site so infected machines can download the tool. Conficker.c added several new domains to its internal block list, including nmap.org.

"The new script is very cool -- and very needed, especially in places where an administrator doesn't have easy access to all the machines," Huger noted.

Nmap 4.85 Beta 8 can be downloaded from the Nmap site.

This isn't the first time that researchers have used Conficker's own code against it. Late last month, three researchers, including Dan Kaminsky of DNS bug fame, discovered a flaw in the worm that made it much easier to detect infected PCs.

Tags symantecconfickerP2Pmalware

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld

Comments

Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?