conficker-c - SiLK plug-in to detect traffic matching the Conficker C worm
rwfilter --plugin=conficker-c.so [--conficker-seed=SEED]
[--s-conficker] [--d-conficker] [--a-conficker] ...
rwcut --plugin=conficker-c.so [--conficker-seed=SEED]
[--fields=...,sconficker,dconficker,...] ...
rwgroup --plugin=conficker-c.so [--conficker-seed=SEED]
[--fields=...,sconficker,dconficker,...] ...
rwsort --plugin=conficker-c.so [--conficker-seed=SEED]
[--fields=...,sconficker,dconficker,...] ...
rwstats --plugin=conficker-c.so [--conficker-seed=SEED]
[--fields=...,sconficker,dconficker,...] ...
rwuniq --plugin=conficker-c.so [--conficker-seed=SEED]
[--fields=...,sconficker,dconficker,...] ...
The conficker-c plug-in was written in March 2009 to detect traffic that matches the signature of the .C variant of the Conficker worm.
The .C variant of the Conficker worm (https://www.us-cert.gov/ncas/alerts/TA09-088A) contains a peer-to-peer scanning thread which generates a large amount of UDP high-port to high-port packets. SRI International provides a detailed analysis report on the worm's behavior which describes features of the peer-to-peer network traffic. (http://www.csl.sri.com/users/vinod/papers/Conficker/addendumC/index.html) This report hints at "...a unique mapping from IP address to the two TCP and UDP listen ports in each host."
This type of behavior is also ideally suited for flow analysis, and the conficker-c plug-in emulates the same functionality. When loaded into either rwfilter(1) or rwcut(1) using the --plugin switch, the plug-in adds fields for detecting and filtering Conficker.C traffic with a limited number of false positives.
The conficker-c plug-in identifies the targets of Conficker.C scanning. When a Conficker.C infected machine starts scanning for other peers, it targets a somewhat random port on the destination host according to a function f() where
dPort = f (dIP, seed)
sPort = f (sIP, seed)
and the seed is computed from the function g():
seed = g (start_time)
The plug-in implements that function and can check whether the computed source or destination port matches the observed value of the port. If the source or destination matches, that indicates that the destination or source, respectively, may be infected.
To compute the seed
argument to the function, the plug-in computes the number of weeks between 1970-Jan-05 and the flow record's start time. When the flow's start time is within a few minutes of the week boundary, the plug-in computes ports using both possible values for the seed. The plug-in provides the --conficker-seed command line switch to allow selection of a different seed.
The plug-in ignores any non-UDP/non-TCP traffic.
Option names may be abbreviated if the abbreviation is unique or is an exact match for an option. A parameter to an option may be specified as --arg=param or --arg param, though the first form is required for options that take optional parameters.
The conficker-c plug-in provides the following options to the indicated applications.
The conficker-c plug-in adds the following switches to rwfilter(1). You may check for Conficker.C traffic on a particular side of the flow, or for both sides:
Pass the flow record if the source IP and port match those targeted by Conficker.C (indicating that the destination IP may be infected).
Pass the flow record if the destination IP and port match those targeted by Conficker.C (indicating that the source IP may be infected).
Pass the flow record if either the source IP and port or the destination IP and port match those targeted by Conficker.C.
Use the value SEED to seed Conficker.C checker. Typically the flow's start time is used as the basis for the seed.
The conficker-c plug-in augments the switches of rwcut(1), rwgroup(1), rwsort(1), rwstats(1), and rwuniq(1) as follows:
FIELDS refers to a list of fields to use for the operation. The conficker-c plug-in adds the following fields:
Show whether the source IP and source port combination match the values targeted by Conficker.C, which indicate that the destination IP may be infected. This field contains a 1
when values match and a 0
when they do not.
Show whether the destination IP and destination port combination match the values targeted by Conficker.C, which indicate that the source IP may be infected. This field contains a 1
when values match and a 0
when they do not.
Use the value SEED to seed Conficker.C checker. Typically the flow's start time is used as the basis for the seed.
In the following examples, the dollar sign ($
) represents the shell prompt. The text after the dollar sign represents the command line. Lines have been wrapped for improved readability, and the back slash (\
) is used to indicate a wrapped line.
This example uses contrived data to test that the plug-in works. Values that are known to match the worm are piped into rwtuc(1) to create a SiLK Flow record. That record is piped into rwfilter, which matches the record. That result is piped into rwcut to display the result:
$ echo '17|10.10.10.10|23332|192.168.192.168|16514|' \
| rwtuc --fields=protocol,sip,sport,dip,dport \
| rwfilter --plugin=conficker.so --conficker-seed=8888 \
--s-conficker --protocol=17 --print-volume \
--pass=stdout stdin \
| rwcut --plugin=conficker.so --conficker-seed=8888 \
--fields=sip,sport,sconficker,dip,dport,dconficker \
--ipv6-policy=ignore
| Recs | Packets | Bytes | Files |
Total| 1| 1| 1| 1|
Pass | 1| 1| 1| |
Fail | 0| 0| 0| |
sIP|sPort|scon| dIP|dPort|dcon|
10.10.10.10|23332| 1|192.168.192.168|16514| 1|
To find infected hosts on your network, you typically want to look at outgoing traffic and find instances where source hosts are targeting conficker destination IP and port pairs, so you would use the --d-conficker switch on rwfilter.
To further refine the query and eliminate most false positives, it is useful to eliminate common service ports (the packets from a scanner have sport=ephemeral, dport=conficker-chosen):
$ rwfilter --plugin=conficker-c.so --d-conficker \
--sport=1024- --dport=1024- \
--start-date=2009/05/01 --end-date=2009/05/31 --type=out \
--pass=stdout \
| rwuniq --fields=sip --flows=10 --sort-output
There may be false positives from VPN traffic. Depending on your network, you might want to filter traffic on UDP 500 or 10000.
This environment variable gives the root of the install tree. When searching for plug-ins, a SiLK application may use this environment variable. See the "FILES" section for details.
When set to 1, the SiLK applications print status messages to the standard error as they attempt to find and open the conficker-c.so plug-in. A typical invocation using this variable is:
env SILK_PLUGIN_DEBUG=1 rwcut --plugin=conficker-c.so --version
Possible locations for the plug-in.
rwfilter(1), rwcut(1), rwgroup(1), rwsort(1), rwstats(1), rwuniq(1), rwtuc(1), silk(7)