Conficker/Downadup Scanning

Published: 2009-01-26
Last Updated: 2009-01-26 15:45:54 UTC
by Patrick Nolan (Version: 1)
0 comment(s)

Eric Chien of Symantec has been blogging some advanced analysis of Conficker/Downadup.

Downadup: Attempts at Smart Network Scanning

Eric says "Downadup attempts four different scans that are repeated in an infinite loop. It scans for machines on the same subnet; machines it has successfully infected previously; machines nearby those already infected; and randomly selected machines".

Reading the description of one scan, he says "First, Downadup sequentially scans all the IPs in the same subnet of the infected machine, starting from the first IP in the subnet. This can include multiple subnets for multi-homed machines (machines with more than one IP address)".

Firewall log analysis that matches Eric's description shows the scan starting at x.x.x.0 and going through x.x.x.254, with exactly 4 seconds between each IP's scan. YMMV, if you have information on scan rates of the four components please submit them.
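The sequential-sweep pattern described above (same /24, destinations stepping by one, a fixed gap of about 4 seconds between probes) is easy to pick out of firewall logs once it is stated that precisely. The following detector is an added example written for this diary; it is not the author's script nor anything from Symantec's analysis. The log line format, the sample entries, the assumed target port of tcp/445 and the thresholds (a run of at least five destinations, 4 seconds plus or minus 1 second of jitter) are all constructed assumptions; adapt the regular expression to your own firewall's format.

```python
"""Flag sources that sweep a /24 sequentially at a fixed cadence.

Added example (not from the ISC diary or Symantec's analysis). The log
format and sample lines below are constructed; the thresholds are
assumptions based on the diary's observation of an x.x.x.0 -> x.x.x.254
walk with about 4 seconds between destinations.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall log format (assumption): timestamp, action, src, dst, proto, dport.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)"
    r" proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)

# Constructed sample: 10.0.0.7 walks 10.0.0.0 .. 10.0.0.5 on tcp/445 every 4 s,
# with one unrelated connection from 10.0.0.9 interleaved.
SAMPLE_LOG = """\
2009-01-26 15:00:00 DROP src=10.0.0.7 dst=10.0.0.0 proto=tcp dport=445
2009-01-26 15:00:02 ALLOW src=10.0.0.9 dst=10.0.0.20 proto=tcp dport=80
2009-01-26 15:00:04 DROP src=10.0.0.7 dst=10.0.0.1 proto=tcp dport=445
2009-01-26 15:00:08 DROP src=10.0.0.7 dst=10.0.0.2 proto=tcp dport=445
2009-01-26 15:00:12 DROP src=10.0.0.7 dst=10.0.0.3 proto=tcp dport=445
2009-01-26 15:00:16 DROP src=10.0.0.7 dst=10.0.0.4 proto=tcp dport=445
2009-01-26 15:00:20 DROP src=10.0.0.7 dst=10.0.0.5 proto=tcp dport=445
"""


def parse_log(text):
    """Return a list of (timestamp, src, dst, dport) for lines matching LOG_RE."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines in any other format
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["src"], m["dst"], int(m["dport"])))
    return events


def find_sequential_sweeps(events, min_run=5, interval=4.0, tolerance=1.0):
    """Return {src: (first_dst, last_dst, run_length)} for every source whose
    destinations, taken in time order, step through one /24 by exactly +1
    with roughly `interval` seconds between probes for at least `min_run`
    consecutive events. The destination port is deliberately not used as a
    condition, since the diary describes the sweep by address order and timing.
    """
    by_src = defaultdict(list)
    for ts, src, dst, _dport in events:
        by_src[src].append((ts, ipaddress.ip_address(dst)))

    sweeps = {}
    for src, rows in by_src.items():
        rows.sort()
        run_start = 0
        best = None
        # Walk one past the end so the final run is evaluated like the others.
        for i in range(1, len(rows) + 1):
            if i < len(rows):
                prev_ts, prev_ip = rows[i - 1]
                cur_ts, cur_ip = rows[i]
                same_net = (int(prev_ip) >> 8) == (int(cur_ip) >> 8)  # same /24
                step_ok = int(cur_ip) - int(prev_ip) == 1
                gap = (cur_ts - prev_ts).total_seconds()
                time_ok = abs(gap - interval) <= tolerance
                if same_net and step_ok and time_ok:
                    continue  # the run continues
            # The run ended at index i-1; record it if long enough.
            length = i - run_start
            if length >= min_run and (best is None or length > best[2]):
                best = (str(rows[run_start][1]), str(rows[i - 1][1]), length)
            run_start = i
        if best:
            sweeps[src] = best
    return sweeps


if __name__ == "__main__":
    for src, (first, last, n) in find_sequential_sweeps(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: sequential sweep {first} -> {last} ({n} hosts at ~4 s intervals)")
```

The tolerance parameter matters in practice: a log that records whole seconds and a host under load will not produce gaps of exactly 4.000 seconds, so the check accepts anything within a second of the expected cadence. Raising `min_run` reduces noise from legitimate tools that touch a few adjacent addresses, at the cost of noticing the sweep a little later.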

Eric Chien's real teaser is at the end, where he says "many infected machines are normally not contactable from external machines. Downadup goes to great lengths to bypass these issues. We'll investigate these techniques in a future blog article in this W32.Downadup series". I'm sure many of you have documented a number of Conficker/Downadup network anomalies, including pure information sharing between previously infected & infected systems, via SMB NetServerEnum2, containing host names, and I hope Eric's analysis gets into this behavior in-depth. I am looking forward to Eric's next post, and I'm sure many others are too.

Great work Eric!
