CERT

The canonical version of the Conficker plugin is now distributed with the SiLK source code and can be enabled using the --plugin option of the rwfilter and rwsort commands. For help on the plugin, type
rwfilter --plugin=conficker-c.so --help

1/25/2010: There was an incompatibility between the original conficker.c plugin available on this wiki page and SiLK 2.x that would cause the plugin to be silently ignored when used in rwfilter expressions. The attached source code has been updated.

Source Code

conficker.c conficker.so rwfilter and rwcut dynamic library plugin
readme.txt Instructions for compiling and using the plugin

Background

The .C variant of the Conficker worm contains a peer-to-peer scanning thread which generates a large amount of UDP high-port to high-port packets. SRI has provided a rather nice detailed analysis report on how the worm behaves, and describes features of the peer-to-peer network traffic. This report hints at "...a unique mapping from IP address to the two TCP and UDP listen ports in each host." The actual function can be found in their Conficker C Snort Plugin writeup.

This type of behavior is also ideally suited to flow analysis, so we've put together a SiLK plugin that emulates the same port-mapping function. When compiled and added to your rwfilter or rwcut commands using the --dynamic-library argument, the plugin adds fields for detecting and filtering Conficker.C traffic with a limited number of false positives.

Building the Plugin

In order to build the plugin, first download the source code to a local file titled conficker.c. Assuming your include files are installed in the /usr/local/include/silk directory, compile the plugin under Linux with the following command:

$ gcc -I/usr/local/include/silk -Wall -g \
  -shared -o conficker.so conficker.c

To compile it under Mac OS X, use the following command:

$ gcc -I/usr/local/include/silk -Wall -W -g -O2 \
  -bundle -flat_namespace -undefined suppress \
  -o conficker.so conficker.c

Verify the plugin by generating some sample data with rwtuc, filtering it with the plugin, and printing it with rwcut. Here's an example:

$ echo "17|10.10.10.10|23332|192.168.192.168|16514|" \
  | rwtuc --fields=proto,sip,sport,dip,dport \
  | rwfilter --dyn=conficker.so --input-pipe=stdin \
    --print-vol --pass=stdout --protocol=17 --s-con --conficker-seed=8888 \
  | rwcut --dyn=conficker.so --fields=sip,sport,scon,dip,dport,dcon --conf=8888

     | Recs  | Packets | Bytes | Files |
Total|      1|        1|      1|      1|
Pass |      1|        1|      1|       |
Fail |      0|        0|      0|       |
        sIP|sPort|scon|            dIP|dPort|dcon|
10.10.10.10|23332|   1|192.168.192.168|16514|   1|

Using the Plugin

The plugin operates on each flow's source and/or destination address-port relationship (keep in mind that an infected host sends traffic to a Conficker-flagged IP/port pair, so when looking for infected sIPs, use the --d-conficker argument). The function computes a list of four possible Conficker ports from the IP address and the time of the flow, and then checks whether the flow's port matches one of the computed ports. The function uses the number of weeks since 1/5/1970 as a seed; when the flow is within a few minutes of the seed rollover time, it checks both the old seed and the new seed. You can also set the seed manually with a command line switch.
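The following is an added illustration of the control flow just described, not code from the CERT/NetSA plugin: a weekly seed counted from 1/5/1970, both seeds tested when the flow sits inside the rollover window, four candidate ports derived per address, and a flow flagged when its port is one of them. The candidate_ports function is an assumed SHA-256 stand-in, not the real Conficker.C mapping (that lives in SRI's writeup and in conficker.c), the five-minute ROLLOVER_WINDOW is assumed because the page only says "a few minutes", and the flows at the bottom are constructed. The suspected_scanners function also goes one step beyond the page by counting, per sIP, how many Conficker-looking dIP:dPort pairs each host contacted, which is the --d-conficker view an analyst would use to rank likely infected hosts.

```python
import hashlib
import ipaddress
from datetime import datetime, timezone

# Added example, not the CERT/NetSA plugin. It mirrors the plugin's control flow
# as described on the page; the port derivation itself is a placeholder.

WEEK_SECONDS = 7 * 24 * 3600
# Week counter starts at 1/5/1970 (from the page). ROLLOVER_WINDOW is an
# assumption: the page only says "a few minutes".
SEED_EPOCH = datetime(1970, 1, 5, tzinfo=timezone.utc).timestamp()
ROLLOVER_WINDOW = 5 * 60


def week_seed(ts):
    """Number of whole weeks between the seed epoch and a Unix timestamp."""
    return int((ts - SEED_EPOCH) // WEEK_SECONDS)


def candidate_seeds(ts):
    """Seeds to test for a flow at time ts: one normally, two near a rollover."""
    seed = week_seed(ts)
    offset = (ts - SEED_EPOCH) % WEEK_SECONDS
    if offset < ROLLOVER_WINDOW:  # just after rollover: old seed may still be in use
        return [seed - 1, seed]
    if offset >= WEEK_SECONDS - ROLLOVER_WINDOW:  # just before: new seed may already be in use
        return [seed, seed + 1]
    return [seed]


def candidate_ports(ip, seed):
    """Four high ports derived from (ip, seed).

    PLACEHOLDER: a SHA-256 stand-in, NOT the real Conficker.C mapping, which is
    published in SRI's Snort-plugin writeup and implemented in conficker.c.
    """
    key = int(ipaddress.ip_address(ip)).to_bytes(4, "big") + seed.to_bytes(4, "big", signed=True)
    digest = hashlib.sha256(key).digest()
    # keep every candidate in the high-port range, like the worm's listeners
    return [1024 + (int.from_bytes(digest[2 * i:2 * i + 2], "big") % (65536 - 1024))
            for i in range(4)]


def check_flow(flow, ts=None, seed=None):
    """Return (scon, dcon): does the source / destination IP:port pair look like a Conficker.C listener?"""
    seeds = [seed] if seed is not None else candidate_seeds(ts)
    scon = any(flow["sport"] in candidate_ports(flow["sip"], s) for s in seeds)
    dcon = any(flow["dport"] in candidate_ports(flow["dip"], s) for s in seeds)
    return scon, dcon


def suspected_scanners(flows, seed, min_hits=1):
    """sIPs that sent UDP flows to Conficker-looking dIP:dPort pairs (the --d-conficker view).

    Returns {sip: hit count}; an infected host contacts many such pairs, so the
    count per sIP is what separates a real scanner from a chance collision.
    """
    hits = {}
    for f in flows:
        if f["proto"] != 17:  # the P2P scanning thread is UDP
            continue
        _, dcon = check_flow(f, seed=seed)
        if dcon:
            hits[f["sip"]] = hits.get(f["sip"], 0) + 1
    return {sip: n for sip, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    SEED = 8888  # fixed seed, as in the page's rwtuc example
    # Constructed flows: one host hitting a derived port on three peers, plus one benign DNS flow.
    peers = ["192.168.192.168", "192.168.1.2", "192.168.1.3"]
    flows = [{"proto": 17, "sip": "10.10.10.10", "sport": 23332,
              "dip": p, "dport": candidate_ports(p, SEED)[i]} for i, p in enumerate(peers)]
    flows.append({"proto": 17, "sip": "10.10.10.11", "sport": 40000, "dip": "192.168.1.4", "dport": 53})
    for f in flows:
        print(f["sip"], f["sport"], "->", f["dip"], f["dport"], "scon,dcon =", check_flow(f, seed=SEED))
    print("suspected scanners (>=2 hits):", suspected_scanners(flows, SEED, min_hits=2))
```

Because any host has a 4-in-64512 chance per seed of landing on a candidate port by accident, a single dcon hit is weak evidence; raising min_hits, as the rwfilter pipeline would by counting passing records per sIP, is what keeps the false-positive rate low.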

The plugin adds four fields to rwfilter:

$ rwfilter --dynamic=conficker.so --help
[...]
  --a-conficker No Arg. Pass flow if either source or dest looks like Conficker
  --s-conficker No Arg. Pass flow if source looks like Conficker
  --d-conficker No Arg. Pass flow if dest looks like Conficker
  --conficker-seed Req Arg. Use this value to seed conficker checker

Similarly, the function adds two fields and the seed switch to rwcut:

$ rwcut --dynamic=conficker.so --help
[...]
  --fields Req Arg. Field(s) to print. List columns separated by commas:
    (Semicolon separates unique columns. Comma separates column aliases.
    Names can be abbreviated to shortest unique prefix.)
    ...; sconficker; dconficker;
  --conficker-seed Req Arg. Use this value to seed conficker checker

Suggestions? Comments?

If you have any feedback on conficker flow analysis, please send feedback to netsa-contact@cert.org. Feedback of any type, particularly on coding and other SiLK related issues, is welcome at silk-help@cert.org.
