How do you know you’re not infected by Conficker?

Conficker is a computer worm targeting the Windows operating system that was first detected in November 2008. Wikipedia explains that Conficker “uses flaws in Windows software to co-opt machines and link them into a virtual computer that can be commanded remotely by its authors.” A recent New York Times article reports that Conficker has more than five million computers under its control, with estimates from other sources being much higher.

So, what is Conficker used for? Generating vast amounts of spam? Stealing information like passwords and logins by capturing keystrokes on infected computers? Delivering fake antivirus warnings to trick naive users into paying by credit card to have the infection removed? Researchers speculate that all of the above may be true. They do agree that the cluster of Conficker-infected computers yields massive, though mostly untapped to date, computing power.

There are two primary steps a network administrator needs to take to detect Conficker: apply filters and isolate data by connection.

Apply Filters: Filters are a powerful tool in any network management/analysis solution. Filters serve a dual purpose: they limit the number of packets targeted for analysis while isolating packets with key characteristics – in this case those characteristics unique to the Conficker worm. Conficker is known to take many forms, with new variants showing up routinely, making detection that much more difficult. Filtering is still the right technique for keeping up with Conficker. Filters are typically easy to construct and even easier to modify, so by investing a few minutes whenever a new strain is identified you can keep your detection current. Keep in mind that a filter only finds what you have told it to look for; a variant that changes its network behavior will slip past a filter written for the previous one until the filter is updated.

Isolate Data by Connection: Conficker is known to use HTTP pulls and P2P push/pull to find peers and move around payloads. By focusing on these specific protocols and relying on characteristics of Conficker, like the use of pseudorandom domains of specific lengths in the case of HTTP and custom UDP protocols in the case of P2P, you can isolate suspect client machines. Filters are again a valuable technique, but since these pseudorandom domains are not known in advance, “negative filtering” is more appropriate. In negative filtering, filters are constructed to filter out all your typical, well-known traffic, leaving only packets of a suspicious nature. With this technique you hope to never see a packet – that means there’s nothing suspicious on your network. In practice the leftovers will also include legitimate traffic you simply had not allow-listed yet, so treat the result as a short list of hosts to investigate and refine the negative filter as you confirm benign traffic.

To be successful in detecting Conficker efficiently, a network admin should be able to automatically extract or fetch network data using one or multiple parameters, such as source/destination IP address, source/destination port, time, date, protocol, string, and more. Each kind of expression (IP, MAC, Protocol, Port, Pattern, Value and Length) should be able to be searched individually or in combination with operators (and, or, not, Group) to extract the required data from gigabytes or even terabytes of captured traffic. Solutions like WildPackets’ OmniPeek Distributed Analysis Suite do just that.
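The following is an added example, not code from WildPackets or OmniPeek, that shows how the three ideas above fit together in working code: composable filter expressions (protocol, port, pattern, combined with and/or/not), a negative filter that drops well-known HTTP and DNS traffic, and a heuristic that flags the pseudorandom-looking domain names and unexpected UDP ports left over. The sample packets are constructed, not a real capture; the domain label length window of 4 to 11 characters, the entropy and vowel-ratio thresholds, and the “UDP to a port above 1024” rule are assumptions chosen for illustration and should be tuned against your own traffic.

```python
"""Added example (not WildPackets/OmniPeek code): composable packet filters
plus a negative filter that drops well-known traffic and flags Conficker-style
pseudorandom domains and custom high-port UDP among the leftovers."""
import math
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "TCP" or "UDP"
    dport: int
    name: str    # HTTP Host header or DNS query name, "" if none


# Constructed sample traffic (not a real capture). Host 10.0.0.7 mixes
# Conficker-like lookups and a high UDP port in with normal browsing.
PACKETS = [
    Packet("10.0.0.5", "93.184.216.34", "TCP", 80, "www.example.com"),
    Packet("10.0.0.5", "8.8.8.8", "UDP", 53, "update.microsoft.com"),
    Packet("10.0.0.7", "8.8.8.8", "UDP", 53, "qmlwxfzp.info"),
    Packet("10.0.0.7", "198.51.100.9", "TCP", 80, "vtkrzqmlxyb.biz"),
    Packet("10.0.0.7", "203.0.113.40", "UDP", 42117, ""),
    Packet("10.0.0.9", "8.8.8.8", "UDP", 53, "mail.example.com"),
]

# Assumed allow-list of registered domains considered "typical, well-known".
KNOWN_GOOD = {"example.com", "microsoft.com"}


# --- filter building blocks: each returns a predicate over a Packet -------
def proto(p):      return lambda pk: pk.proto == p
def dport(n):      return lambda pk: pk.dport == n
def src(ip):       return lambda pk: pk.src == ip
def pattern(rx):   return lambda pk: re.search(rx, pk.name) is not None
def and_(*fs):     return lambda pk: all(f(pk) for f in fs)
def or_(*fs):      return lambda pk: any(f(pk) for f in fs)
def not_(f):       return lambda pk: not f(pk)


def apply_filter(f, packets=PACKETS):
    """Positive filtering: keep only packets matching the expression."""
    return [pk for pk in packets if f(pk)]


# --- heuristics for Conficker-style names ---------------------------------
def registered_domain(name):
    """Last two labels, e.g. 'qmlwxfzp.info' from 'a.qmlwxfzp.info'."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name.lower()


def entropy(s):
    """Shannon entropy in bits per character of the string."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def looks_pseudorandom(name, min_len=4, max_len=11, min_entropy=2.8):
    """Second-level label inside the assumed length window, letters only,
    with high character entropy and few vowels (thresholds are assumptions)."""
    label = registered_domain(name).split(".")[0]
    if not (min_len <= len(label) <= max_len) or not label.isalpha():
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return entropy(label) >= min_entropy and vowel_ratio < 0.25


def known_good(pk):
    return registered_domain(pk.name) in KNOWN_GOOD


def expected_traffic():
    """What we consider normal: HTTP or DNS involving an allow-listed domain."""
    http = and_(proto("TCP"), dport(80))
    dns = and_(proto("UDP"), dport(53))
    return and_(or_(http, dns), known_good)


def negative_filter(packets=PACKETS):
    """Negative filtering: drop everything expected; what remains is suspect."""
    return apply_filter(not_(expected_traffic()), packets)


def suspect_hosts(packets=PACKETS):
    """Attribute each leftover packet to its source host with a reason."""
    reasons = {}
    for pk in negative_filter(packets):
        if looks_pseudorandom(pk.name):
            reasons.setdefault(pk.src, set()).add("pseudorandom-domain")
        elif pk.proto == "UDP" and pk.dport > 1024:   # assumed P2P indicator
            reasons.setdefault(pk.src, set()).add("high-udp-port")
    return reasons


if __name__ == "__main__":
    for host, why in suspect_hosts().items():
        print(host, sorted(why))
```

The negative filter is deliberately broad: anything not on the allow-list survives it, which is why `suspect_hosts` then applies the domain and port heuristics before naming a host. As you confirm benign leftovers, add their domains to `KNOWN_GOOD` or extend `expected_traffic` rather than loosening the heuristics.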

Conficker is out there. Make sure it’s not on your network.
