Researchers turn Conficker's own P2P protocol against itself

Symantec, Ron Bowes join forces to detect infected PCs by chatting with worm over P2P

Security researchers have updated a free tool that sniffs out the notorious Conficker worm on infected PCs by using the same peer-to-peer (P2P) protocol the malware relies on to communicate with its hacker masters.

Symantec Corp.'s security intelligence analysis team has worked with Ron Bowes, a contributor to the Nmap scanner, to come up with a way to detect machines infected with Conficker.c and later variants.

Conficker, which exploded onto the Internet in January -- eventually hijacking millions of PCs -- has had several updates since its November 2008 debut. Conficker.c gained the most attention because of an April 1 trigger, the date when it was to switch to a new communications scheme. Several days later, Conficker.c-infected computers were upgraded to the newest version, Conficker.e, which in turn installed the Waledac spam bot and "scareware" software, a fake security program that nags users until they pony up $50 for the useless application.

Nmap 4.85 Beta 8, which was released yesterday, includes a script by Bowes that looks for Conficker based on its P2P ports. Conficker's P2P, which most analysts believe was added as a backup to the HTTP-based command-and-control communications, first appeared in the "c" variant.

"His script goes out and looks for Conficker's [P2P's] listening ports," said Alfred Huger, vice president of Symantec's security response group, "then tries to chat with them. If they respond, the script looks at the replies. We helped him figure out the type of responses he'd get back [from the Conficker bots]."

Symantec relied on data it had collected from Conficker.c-infected machines in its own "honeypot" network, as well as analysis it did on the worm, to provide Bowes with information. "The author of Conficker obfuscated the peer-to-peer code pretty rigorously," said Huger. "The way the author implemented it was clever, but not earth-shattering."

Although Nmap can detect Conficker.c on computers connected to a company's network, it's not foolproof, both Huger and Bowes warned.

"Network scanning is an imperfect science at best," said Huger. "And once a likely find [of Conficker] is made, you have to verify that by putting hands on the machine." The next step would be to deploy one of the many Conficker cleaning tools that security companies, Symantec included, offer free of charge.

In a blog post, Bowes also cautioned that the script isn't 100% reliable, saying that firewalls and port filters could stymie detection, and PCs set to block Windows' ports would stop the scanner. He provided work-arounds for some of those situations.

Nmap 4.85 Beta 8 contains a slew of other improvements, according to an entry on the Nmap development mailing list, and the scanner has been placed on a mirrored site so infected machines can download the tool. Conficker.c added several new domains to its internal block list, including nmap.org.

"The new script is very cool -- and very needed, especially in places where an administrator doesn't have easy access to all the machines," Huger noted.

Nmap 4.85 Beta 8 can be downloaded from the Nmap site.

This isn't the first time that researchers have used Conficker's own code against it. Late last month, three researchers, including Dan Kaminsky of DNS bug fame, discovered a flaw in the worm that made it much easier to detect infected PCs.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags malwareP2Psymantecconficker

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Gregg Keizer

Gregg Keizer

Computerworld
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?