Researchers turn Conficker's own P2P protocol against itself

Symantec, Ron Bowes join forces to detect infected PCs by chatting with worm over P2P

Security researchers have updated a free tool that sniffs out the notorious Conficker worm on infected PCs by using the same peer-to-peer (P2P) protocol the malware relies on to communicate with its hacker masters.

Symantec Corp.'s security intelligence analysis team has worked with Ron Bowes, a contributor to the Nmap scanner, to come up with a way to detect machines infected with Conficker.c and later variants.

Conficker, which exploded onto the Internet in January -- eventually hijacking millions of PCs -- has had several updates since its November 2008 debut. Conficker.c gained the most attention because of an April 1 trigger, the date when it was to switch to a new communications scheme. Several days later, Conficker.c-infected computers were upgraded to the newest version, Conficker.e, which in turn installed the Waledac spam bot and "scareware" software, a fake security program that nags users until they pony up $50 for the useless application.

Nmap 4.85 Beta 8, which was released yesterday, includes a script by Bowes that looks for Conficker based on its P2P ports. Conficker's P2P, which most analysts believe was added as a backup to the HTTP-based command-and-control communications, first appeared in the "c" variant.

"His script goes out and looks for Conficker's [P2P's] listening ports," said Alfred Huger, vice president of Symantec's security response group, "then tries to chat with them. If they respond, the script looks at the replies. We helped him figure out the type of responses he'd get back [from the Conficker bots]."

Symantec relied on data it had collected from Conficker.c-infected machines in its own "honeypot" network, as well as analysis it did on the worm, to provide Bowes with information. "The author of Conficker obfuscated the peer-to-peer code pretty rigorously," said Huger. "The way the author implemented it was clever, but not earth-shattering."

Although Nmap can detect Conficker.c on computers connected to a company's network, it's not foolproof, both Huger and Bowes warned.

"Network scanning is an imperfect science at best," said Huger. "And once a likely find [of Conficker] is made, you have to verify that by putting hands on the machine." The next step would be to deploy one of the many Conficker cleaning tools that security companies, Symantec included, offer free of charge.

In a blog post, Bowes also cautioned that the script isn't 100% reliable, saying that firewalls and port filters could stymie detection, and PCs set to block Windows' ports would stop the scanner. He provided work-arounds for some of those situations.

Nmap 4.85 Beta 8 contains a slew of other improvements, according to an entry on the Nmap development mailing list, and the scanner has been placed on a mirrored site so infected machines can download the tool. Conficker.c added several new domains to its internal block list, including nmap.org.

"The new script is very cool -- and very needed, especially in places where an administrator doesn't have easy access to all the machines," Huger noted.

Nmap 4.85 Beta 8 can be downloaded from the Nmap site.

This isn't the first time that researchers have used Conficker's own code against it. Late last month, three researchers, including Dan Kaminsky of DNS bug fame, discovered a flaw in the worm that made it much easier to detect infected PCs.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags malwareP2Psymantecconficker

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Father’s Day Gift Guide

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?