The canonical version of the Conficker plugin is now distributed with the SiLK source code and can be enabled using the "--plugin" option of the rwfilter and rwsort commands. For help on the plugin, type
1/25/2010: There was an incompatibility between the original conficker.c plugin available on this wiki page and SiLK 2.x that would cause the plugin to be silently ignored when used in rwfilter expressions. The attached source code has been updated.
The Conficker.C variant of the worm contains a peer-to-peer scanning thread that generates a large volume of UDP high-port to high-port packets. SRI has published a detailed analysis report on how the worm behaves and describes the features of its peer-to-peer network traffic. The report hints at "...a unique mapping from IP address to the two TCP and UDP listen ports in each host." The actual mapping function is given in their Conficker C Snort Plugin writeup.
This kind of behavior is also well suited to flow analysis, so we've put together a SiLK plugin that emulates the same port mapping. When compiled and added to your rwfilter or rwcut command with the --dynamic-library argument, the plugin adds fields for detecting and filtering Conficker.C traffic with a limited number of false positives (a legitimate service that happens to listen on one of the derived ports will also match).
Building the Plugin
In order to build the plugin, first download the source code to a local file titled conficker.c. Assuming your include files are installed in the /usr/local/include/silk directory, compile the plugin under Linux with the following command:
To compile it under Mac OS X, use the following command:
Verify the plugin by generating some sample data with rwtuc, filtering it with the plugin, and printing it with rwcut. Here's an example:
Using the Plugin
The plugin operates on each flow's source and/or destination address-port pair: the sIP is checked against the sPort and the dIP against the dPort. Keep in mind that an infected host sends traffic to a Conficker-flagged IP/port pair, so when looking for infected sIPs, use the --d-conficker argument and read off the source addresses of the matching flows. The function computes a list of four possible Conficker ports from the IP address and the time of the flow, and then checks whether the flow's port matches one of the computed ports. The function uses the number of weeks since 1/5/1970 as a seed; when the flow falls within a few minutes of the seed rollover time, it tries both the old seed and the new seed so that clock skew across the rollover does not hide a match. You can also set the seed manually with a command line switch.
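The following C program is an added illustration of the matching logic just described; it is not code from the original page or from the SiLK plugin. It shows the week-seed computation, the two-seed handling around the rollover, and the sIP/sPort versus dIP/dPort check. The port-derivation function in it is a placeholder mixing hash, not Conficker.C's real mapping (that lives in SRI's Snort plugin writeup and can be dropped in through the `port_gen_fn` callback). Assumptions: the "few minutes" rollover window is taken as 5 minutes, the function names `d_conficker`/`s_conficker` mirror the `--d-conficker` switch and an assumed source-side counterpart, the `flow_rec` struct stands in for SiLK's rwRec, and the addresses and times are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Seed origin as the page describes it: weeks since 1970-01-05 00:00:00 UTC,
 * which is Unix time 345600 (four days after the epoch). */
#define WEEK0_EPOCH      345600u
#define SECONDS_PER_WEEK 604800u
/* "Within a few minutes of the rollover": ASSUMED here to mean 5 minutes. */
#define ROLLOVER_SLACK   300u

/* Minimal stand-in for a SiLK flow record with only the fields we need. */
typedef struct {
    uint32_t sip, dip;     /* IPv4 addresses as host-order integers */
    uint16_t sport, dport;
    uint8_t  proto;        /* 6 = TCP, 17 = UDP */
    uint32_t stime;        /* flow start time, Unix seconds */
} flow_rec;

/* Callback: derive the four candidate ports for (ip, seed). */
typedef void (*port_gen_fn)(uint32_t ip, uint32_t seed, uint16_t ports[4]);

/* Week seed for a Unix time; 0 for times before the week-0 origin. */
uint32_t conficker_week_seed(uint32_t t)
{
    return t < WEEK0_EPOCH ? 0 : (t - WEEK0_EPOCH) / SECONDS_PER_WEEK;
}

/* Write the seed(s) to try for a flow at time t into seeds[] and return the
 * count. On either side of a week boundary both the old and the new seed are
 * returned, so a flow stamped just before or just after the rollover still
 * matches even if sensor and infected host disagree slightly on the time. */
int candidate_seeds(uint32_t t, uint32_t seeds[2])
{
    if (t < WEEK0_EPOCH) return 0;
    uint32_t cur  = conficker_week_seed(t);
    uint32_t into = (t - WEEK0_EPOCH) % SECONDS_PER_WEEK; /* seconds into the week */
    seeds[0] = cur;
    if (into < ROLLOVER_SLACK && cur > 0) {          /* just after rollover */
        seeds[1] = cur - 1;
        return 2;
    }
    if (into >= SECONDS_PER_WEEK - ROLLOVER_SLACK) { /* just before rollover */
        seeds[1] = cur + 1;
        return 2;
    }
    return 1;
}

/* PLACEHOLDER port generator: an arbitrary mixing hash, NOT Conficker.C's
 * function. Substitute the derivation from SRI's Snort plugin writeup for
 * real detections. Yields four ports in 1024..65535, so ports below 1024
 * can never match. */
void placeholder_port_gen(uint32_t ip, uint32_t seed, uint16_t ports[4])
{
    uint32_t x = ip ^ (seed * 0x9E3779B9u);
    for (int i = 0; i < 4; i++) {
        x ^= x >> 16; x *= 0x85EBCA6Bu; x ^= x >> 13; x *= 0xC2B2AE35u; x ^= x >> 16;
        ports[i] = (uint16_t)(1024u + (x % (65536u - 1024u)));
    }
}

/* Is `port` in the candidate set derived from `ip` for any seed valid at t? */
bool port_matches(uint32_t ip, uint16_t port, uint32_t t, port_gen_fn gen)
{
    uint32_t seeds[2];
    int n = candidate_seeds(t, seeds);
    for (int i = 0; i < n; i++) {
        uint16_t ports[4];
        gen(ip, seeds[i], ports);
        for (int j = 0; j < 4; j++)
            if (ports[j] == port) return true;
    }
    return false;
}

/* Analogue of --d-conficker: the dIP/dPort pair looks like a Conficker.C
 * peer, so the flow's *source* is the host to suspect. */
bool d_conficker(const flow_rec *f, port_gen_fn gen)
{
    return port_matches(f->dip, f->dport, f->stime, gen);
}

/* Source-side counterpart (switch name assumed): sIP/sPort looks like a peer. */
bool s_conficker(const flow_rec *f, port_gen_fn gen)
{
    return port_matches(f->sip, f->sport, f->stime, gen);
}

/* Constructed sample: one UDP flow to a derived port, one ordinary DNS query. */
int main(void)
{
    uint32_t t    = 1262304000u;   /* 2010-01-01 00:00:00 UTC, mid-week */
    uint32_t peer = 0x0A000002u;   /* 10.0.0.2, constructed */
    uint16_t p[4];
    placeholder_port_gen(peer, conficker_week_seed(t), p);
    flow_rec hit = { 0x0A000001u, peer, 40001, p[0], 17, t };
    flow_rec dns = { 0x0A000001u, peer, 40002, 53,   17, t };
    printf("flow to derived port: d-conficker=%d\n", d_conficker(&hit, placeholder_port_gen));
    printf("dns query:            d-conficker=%d\n", d_conficker(&dns, placeholder_port_gen));
    return 0;
}
```

Because the match is keyed on the address of the same endpoint as the port, a flow that matches `d_conficker` names the destination as a Conficker-style listener; the suspected infected machine is the source address of that flow, which is why the page tells you to filter on --d-conficker and then look at sIPs.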
The plugin adds four fields to rwfilter:
Similarly, the function adds two fields and the seed switch to rwcut:
If you have any feedback on Conficker flow analysis, please send it to firstname.lastname@example.org. Feedback of any kind, particularly on coding and other SiLK-related issues, is welcome at email@example.com.