NAME
    conficker-c - SiLK plug-in to detect traffic matching the Conficker C worm

SYNOPSIS
    rwfilter --plugin=conficker-c.so [--conficker-seed=SEED]
        [--s-conficker] [--d-conficker] [--a-conficker] ...

    rwcut --plugin=conficker-c.so [--conficker-seed=SEED]
        [--fields=...,sconficker,dconficker,...] ...

    rwgroup --plugin=conficker-c.so [--conficker-seed=SEED]
        [--fields=...,sconficker,dconficker,...] ...

    rwsort --plugin=conficker-c.so [--conficker-seed=SEED]
        [--fields=...,sconficker,dconficker,...] ...

    rwstats --plugin=conficker-c.so [--conficker-seed=SEED]
        [--fields=...,sconficker,dconficker,...] ...

    rwuniq --plugin=conficker-c.so [--conficker-seed=SEED]
        [--fields=...,sconficker,dconficker,...] ...

DESCRIPTION
    The conficker-c plug-in was written in March 2009 to detect traffic
    that matches the signature of the .C variant of the Conficker worm.

    The .C variant of the Conficker worm
    (<https://www.us-cert.gov/ncas/alerts/TA09-088A>) contains a
    peer-to-peer scanning thread which generates a large amount of UDP
    high-port to high-port packets. SRI International provides a detailed
    analysis report on the worm's behavior which describes features of the
    peer-to-peer network traffic
    (<http://www.csl.sri.com/users/vinod/papers/Conficker/addendumC/index.html>).
    This report hints at "...a unique mapping from IP address to the two
    TCP and UDP listen ports in each host." This type of behavior is also
    ideally suited for flow analysis, and the conficker-c plug-in emulates
    the same functionality. When loaded into either rwfilter(1) or
    rwcut(1) using the --plugin switch, the plug-in adds fields for
    detecting and filtering Conficker.C traffic with a limited number of
    false positives. The conficker-c plug-in identifies the targets of
    Conficker.C scanning.
    When a Conficker.C infected machine starts scanning for other peers,
    it targets a somewhat random port on the destination host according
    to a function f() where

        dPort = f(dIP, seed)
        sPort = f(sIP, seed)

    and the seed is computed from the function g():

        seed = g(start_time)

    The plug-in implements that function and can check whether the
    computed source or destination port matches the observed value of the
    port. If the source or destination matches, that indicates that the
    destination or source, respectively, may be infected.

    To compute the "seed" argument to the function, the plug-in computes
    the number of weeks between 1970-Jan-05 and the flow record's start
    time. When the flow's start time is within a few minutes of the week
    boundary, the plug-in computes ports using both possible values for
    the seed. The plug-in provides the --conficker-seed command line
    switch to allow selection of a different seed.

    The plug-in ignores any non-UDP/non-TCP traffic.

OPTIONS
    Option names may be abbreviated if the abbreviation is unique or is an
    exact match for an option. A parameter to an option may be specified
    as --arg=param or --arg param, though the first form is required for
    options that take optional parameters.

    The conficker-c plug-in provides the following options to the
    indicated applications.

  rwfilter Switches
    The conficker-c plug-in adds the following switches to rwfilter(1).
    You may check for Conficker.C traffic on a particular side of the
    flow, or for both sides:
  rwcut, rwgroup, rwsort, rwstats, and rwuniq Switches
    The conficker-c plug-in augments the switches of rwcut(1),
    rwgroup(1), rwsort(1), rwstats(1), and rwuniq(1) as follows:
EXAMPLES
    In the following examples, the dollar sign ("$") represents the shell
    prompt. The text after the dollar sign represents the command line.
    Lines have been wrapped for improved readability, and the backslash
    ("\") is used to indicate a wrapped line.

    This example uses contrived data to test that the plug-in works.
    Values that are known to match the worm are piped into rwtuc(1) to
    create a SiLK Flow record. That record is piped into rwfilter, which
    matches the record. That result is piped into rwcut to display the
    result:

     $ echo '17|10.10.10.10|23332|192.168.192.168|16514|' \
       | rwtuc --fields=protocol,sip,sport,dip,dport \
       | rwfilter --plugin=conficker-c.so --conficker-seed=8888 \
            --s-conficker --protocol=17 --print-volume \
            --pass=stdout stdin \
       | rwcut --plugin=conficker-c.so --conficker-seed=8888 \
            --fields=sip,sport,sconficker,dip,dport,dconficker \
            --ipv6-policy=ignore
           |      Recs|   Packets|     Bytes|     Files|
     Total |         1|         1|         1|         1|
     Pass  |         1|         1|         1|          |
     Fail  |         0|         0|         0|          |
                 sIP|sPort|scon|            dIP|dPort|dcon|
         10.10.10.10|23332|   1|192.168.192.168|16514|   1|

    To find infected hosts on your network, you typically want to look at
    outgoing traffic and find instances where source hosts are targeting
    conficker destination IP and port pairs, so you would use the
    --d-conficker switch on rwfilter. To further refine the query and
    eliminate most false positives, it is useful to eliminate common
    service ports (the packets from a scanner have sport=ephemeral,
    dport=conficker-chosen):

     $ rwfilter --plugin=conficker-c.so --d-conficker \
            --sport=1024- --dport=1024- \
            --start-date=2009/05/01 --end-date=2009/05/31 --type=out \
            --pass=stdout \
       | rwuniq --fields=sip --flows=10 --sort-output

    There may be false positives from VPN traffic. Depending on your
    network, you might want to filter traffic on UDP 500 or 10000.

ENVIRONMENT
FILES

SEE ALSO
    rwfilter(1), rwcut(1), rwgroup(1), rwsort(1), rwstats(1), rwuniq(1),
    rwtuc(1), silk(7)
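    The seed selection described in DESCRIPTION, worked through as an added
    example that is not part of the plug-in or the SiLK distribution: the
    seed is the number of whole weeks since 1970-Jan-05, a --conficker-seed
    override replaces it, and a start time close to a week boundary yields
    both neighbouring seeds. The worm's port mapping f() is not given on
    this page, so the flag computation takes it as a caller-supplied
    callable; the 5-minute boundary window and the SiLK-style timestamp
    format are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional, Set

# The plug-in counts weeks from 1970-Jan-05 (a Monday), per the man page.
WEEK_EPOCH = datetime(1970, 1, 5, tzinfo=timezone.utc)
WEEK = timedelta(weeks=1)
# The page says "within a few minutes"; the exact width is an assumption.
BOUNDARY_WINDOW = timedelta(minutes=5)


def parse_start_time(text: str) -> datetime:
    """Parse a SiLK-style UTC timestamp such as '2009/05/01:12:00:00'."""
    return datetime.strptime(text, "%Y/%m/%d:%H:%M:%S").replace(tzinfo=timezone.utc)


def week_seed(start_time: str) -> int:
    """g(start_time): whole weeks elapsed between WEEK_EPOCH and the flow start."""
    return (parse_start_time(start_time) - WEEK_EPOCH) // WEEK


def candidate_seeds(start_time: str, seed_override: Optional[int] = None) -> Set[int]:
    """Seeds the plug-in would try for one flow record.

    A --conficker-seed override wins outright. Otherwise the current week
    number is used and, when the start time lies within BOUNDARY_WINDOW of a
    Monday 00:00 UTC boundary, the adjacent week's number is tried as well.
    """
    if seed_override is not None:
        return {seed_override}
    seed = week_seed(start_time)
    seeds = {seed}
    into_week = (parse_start_time(start_time) - WEEK_EPOCH) % WEEK
    if into_week < BOUNDARY_WINDOW:          # just after the boundary
        seeds.add(seed - 1)
    elif WEEK - into_week < BOUNDARY_WINDOW:  # just before the next boundary
        seeds.add(seed + 1)
    return seeds


def conficker_flags(proto: int, sip: str, sport: int, dip: str, dport: int,
                    start_time: str, port_fn: Callable[[str, int], int],
                    seed_override: Optional[int] = None) -> dict:
    """Return sconficker/dconficker as 0 or 1, like the plug-in's rwcut fields.

    port_fn(ip, seed) is a stand-in for the worm's f(), which this page does
    not reproduce. Non-TCP/UDP flows are ignored, as the plug-in does.
    """
    if proto not in (6, 17):
        return {"sconficker": 0, "dconficker": 0}
    seeds = candidate_seeds(start_time, seed_override)
    s_match = any(port_fn(sip, s) == sport for s in seeds)
    d_match = any(port_fn(dip, s) == dport for s in seeds)
    return {"sconficker": int(s_match), "dconficker": int(d_match)}
```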