Conficker detection hints - SANS Internet Storm Center

Conficker detection hints
We received some good responses regarding Conficker detection recently. Here are a couple of hints for people that are actively fighting infections on their networks. First, you can look at your Windows domain controllers security event logs. Look for high numbers of Failure Events for logon attempts. This technique can be described in this Sophos KB article: http://www.sophos.com/support/knowledgebase/article/61259.html Second, you can actively scan your network with nmap. (Of course, make sure you have explicit authorization from management including dates/times before running any scanning tools.) I recommend that you upgrade to the latest version (5.00) and give a command similar to the following: nmap -PN -p139,445 -vv --script p2p-conficker,smb-os-discovery,smb-check-vulns --script-args=checkconficker=1,safe=1 -T4 [target_networks] >nmap-conficker-scan-results.txt Finally, you may also be able to just monitor a few hosts on your network for unsolicited TCP 445 traffic. I like to do this with tcpdump from a *NIX box that is not employing Samba. This approach doesn't guarantee that you are seeing Conficker, but you will probably find some source hosts that should be investigated further. Here is a link to our page of Conficker-related information: http://www.dshield.org/conficker. It lists additional discovery tools, removal tools, and research. Update 1: Fellow handler Andre Ludwig points out some additional information about the above information. First, the nmap detection may only detect one or two variants of Conficker. The p2p-conficker.nse script states that it detects Conficker.c and higher. For a script that attempts to identify older versions of Conficker, check out the scs2.py script from here: http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker`.` That page also have some Snort rules for detecting conficker.a and conficker.b. Finally, check out the Snort rules at emergingthreats.net for a couple more rules to identify Conficker.c. -Kyle Haugsness	Kyle 112 Posts
Reply Subscribe	Sep 26th 2009 9 years ago
Consider monitoring your DNS queries. Conficker.C has some ccTLD such as AG, BO, LC, HN,PE (see http://extraexploit.blogspot.com/2009/04/conficker-first-20-days-tld-algorithm.html).	Anonymous
Reply Quote	Sep 28th 2009 9 years ago
Please use option -n explicitly if you don't want the risk of too many DNS requests! $ man nmap ... -n/-R: Never do DNS resolution/Always resolve [default: sometimes] ... lol @ "sometimes"	Anonymous
Reply Quote	Sep 28th 2009 9 years ago

We received some good responses regarding Conficker detection recently. Here are a couple of hints for people that are actively fighting infections on their networks.

First, you can look at your Windows domain controllers security event logs. Look for high numbers of Failure Events for logon attempts. This technique can be described in this Sophos KB article: http://www.sophos.com/support/knowledgebase/article/61259.html

Second, you can actively scan your network with nmap. (Of course, make sure you have explicit authorization from management including dates/times before running any scanning tools.) I recommend that you upgrade to the latest version (5.00) and give a command similar to the following:

nmap -PN -p139,445 -vv --script p2p-conficker,smb-os-discovery,smb-check-vulns --script-args=checkconficker=1,safe=1 -T4 [target_networks] >nmap-conficker-scan-results.txt

Finally, you may also be able to just monitor a few hosts on your network for unsolicited TCP 445 traffic. I like to do this with tcpdump from a *NIX box that is not employing Samba. This approach doesn't guarantee that you are seeing Conficker, but you will probably find some source hosts that should be investigated further.

Here is a link to our page of Conficker-related information: http://www.dshield.org/conficker. It lists additional discovery tools, removal tools, and research.

Update 1: Fellow handler Andre Ludwig points out some additional information about the above information. First, the nmap detection may only detect one or two variants of Conficker. The p2p-conficker.nse script states that it detects Conficker.c and higher. For a script that attempts to identify older versions of Conficker, check out the scs2.py script from here: http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker. That page also have some Snort rules for detecting conficker.a and conficker.b. Finally, check out the Snort rules at emergingthreats.net for a couple more rules to identify Conficker.c.

-Kyle Haugsness

Kyle

112 Posts

Consider monitoring your DNS queries. Conficker.C has some ccTLD such as AG, BO, LC, HN,PE (see http://extraexploit.blogspot.com/2009/04/conficker-first-20-days-tld-algorithm.html).

Anonymous

Please use option -n explicitly if you don't want the risk of too many DNS requests!

$ man nmap
...
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
...
lol @ "sometimes"

Anonymous