Last Updated: 2009-01-26 15:45:54 UTC
by Patrick Nolan (Version: 1)
Eric Chien of Symantec has been blogging some advanced analysis of Conficker/Downadup.
Eric says "Downadup attempts four different scans that are repeated in an infinite loop. It scans for machines on the same subnet; machines it has successfully infected previously; machines nearby those already infected; and randomly selected machines".
Reading the description of one scan, he says "First, Downadup sequentially scans all the IPs in the same subnet of the infected machine, starting from the first IP in the subnet. This can include multiple subnets for multi-homed machines (machines with more than one IP address)".
Firewall log analysis that matches Eric's description show the the scan starts at x.x.x.0 and goes through x.x.x.254, and there is exactly 4 seconds between each IP's scan. YMMV, if you have information on scan rates of the four components please submit them.
Eric Chien's real teaser is at the end, where he says "many infected machines are normally not contactable from external machines. Downadup goes to great lengths to bypass these issues. We’ll investigate these techniques in a future blog article in this W32.Downadup series". I'm sure many of you have documented a number of Conficker/Downadup network anomolies, including pure information sharing between previously infected & infected systems, via SMB NetServerEnum2, containing host names, and I hope Eric's analysis gets into this behavior in-depth. I am looking forward to Eric's next post, and I'm sure many others are too.
Great work Eric!