
Detecting Conficker with Nmap

Jim McMillan
November 2009

The Conficker Worm

Conficker took the Internet by storm, and by surprise, in late 2008. SRI International reported that they had not seen such a dominating outbreak since Sasser (2004), nor such poor antivirus detection since the Storm worm (2007). Today Conficker, also known as Downadup, has five known variants (Conficker.A through Conficker.E).

The original worm, Conficker.A, began spreading among Microsoft Windows hosts on the Internet in November 2008. It propagates by exploiting other computers it can reach across the network through a vulnerability in the Windows Server service, described and patched in Microsoft Security Bulletin MS08-067. On an infected computer the payload starts a small web server so that newly exploited hosts can fetch a copy of the worm from it. It also resets the system restore point and downloads files from a daily-changing list of pseudorandomly generated domain names.

In December 2008 a second variant, Conficker.B, was detected. Along with the propagation method and payload of Conficker.A, it added new capabilities: Conficker.B can also spread through default network shares (such as ADMIN$) protected by weak passwords, through mapped network drives and through removable drives, planting an additional way of getting itself executed along each path (an autorun.inf on removable media, a scheduled job on a remote host). The added payload modifies system settings, terminates services and blocks access to security-related websites to hinder detection and removal.

The next variant, Conficker.C, was discovered in February 2009. It uses the same propagation methods as the A and B variants. On top of their payloads, the C variant also downloads files over peer-to-peer communication with other infected hosts, and it adds a check that validates the content of whatever it downloads before using it.

The last two variants, Conficker.D (March 2009) and Conficker.E (April 2009), exist mainly to update earlier versions of the worm. Their payloads only add to the earlier defenses and to the sources from which files are downloaded. Interestingly, Conficker.E included a self-termination routine that removes it on May 3, 2009; however, it leaves its DLL payload in place so the host can still take part in the peer-to-peer network.

Using Nmap to find Conficker infections

Nmap is a powerful, portable tool for network enumeration, mapping and auditing, and it is useful for many security tasks: host discovery, port scanning, OS identification, firewall auditing, vulnerability assessment and more. The feature we will take advantage of here is the Nmap Scripting Engine (NSE).

NSE lets users write and share scripts that automate Nmap tasks and extend its functionality. NSE scripts are written in the Lua programming language and carry an .nse extension. Script writing is not covered here; instead we will use two NSE scripts written specifically to detect Conficker-infected hosts: smb-check-vulns.nse and p2p-conficker.nse.

In Nmap 4.85BETA5, Conficker detection was added to the smb-check-vulns.nse script, based on the work of Felix Leder and Tillmann Werner at the University of Bonn.

With this new script functionality, we gained the ability to scan our networks for Conficker with a single Nmap command, such as:

nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [target networks]

Here -PN skips host discovery so that hosts which drop ping probes are still scanned, -n skips reverse DNS lookups, -p139,445 limits the scan to the SMB ports the checks need, and safe=1 restricts the script to checks that are not expected to crash the target.

As Conficker matured, so did Nmap's ability to detect it. Nmap 4.85BETA6 fixed a few bugs in the detection script, and BETA7 reduced the false-negative rate and fixed a few more common errors. Nmap became so popular and effective at detecting Conficker that the worm's authors programmed it to block access to Nmap's website and to evade detection by the NSE checks.

In response, Nmap 4.85BETA8 was released. This version introduced a script called p2p-conficker.nse, which detects the Conficker peer-to-peer functionality; changed the checks performed by smb-check-vulns.nse so that Conficker's evasion techniques no longer foiled them; and improved performance in several places. The update also brought two recommended command lines:

For a quicker scan, run:

nmap -p139,445 --script p2p-conficker,smb-os-discovery,smb-check-vulns --script-args checkconficker=1,safe=1 -T4 [target networks]

For a more comprehensive scan, run:

nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns -p- --script-args checkall=1,safe=1 -T4 [target networks]
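On a large network the useful output of these scans is the list of hosts to isolate, not the per-host text. The script below is an added example (not code from this article or from the Nmap project): it builds the quick or comprehensive command line shown above, asks Nmap for XML output with -oX -, and triages the report. The "Likely INFECTED" phrase it matches is an assumption drawn from the wording the two scripts' documentation used at the time, so confirm it against your Nmap version's output; the sample report and its 192.0.2.x addresses are constructed for offline testing, not real scan data.

```python
"""Sweep target networks for Conficker with Nmap's NSE scripts and triage the XML report.

Added example, not from the original article or the Nmap project. Assumes nmap is on
PATH and that p2p-conficker / smb-check-vulns flag a positive host with the phrase
"Likely INFECTED" in their text output (an assumption; verify against your version).
"""
import re
import subprocess
import xml.etree.ElementTree as ET

CONFICKER_SCRIPTS = "p2p-conficker,smb-os-discovery,smb-check-vulns"

# Assumed phrase marking a positive result in either script's output
# ("Conficker: Likely INFECTED", "Host is likely INFECTED"); "Likely CLEAN" does not match.
INFECTED_RE = re.compile(r"[Ll]ikely INFECTED")


def build_command(targets, comprehensive=False):
    """Quick (SMB ports only) or comprehensive (all ports) scan from the article, XML on stdout.

    safe=1 restricts smb-check-vulns to checks not expected to crash the target;
    checkconficker=1 runs only the Conficker check, checkall=1 runs every check.
    """
    if comprehensive:
        ports, args = "-p-", "checkall=1,safe=1"
    else:
        ports, args = "-p139,445", "checkconficker=1,safe=1"
    return ["nmap", ports, "--script", CONFICKER_SCRIPTS,
            "--script-args", args, "-T4", "-oX", "-", *targets]


def run_scan(targets, comprehensive=False):
    """Run the scan and return Nmap's XML report as a string (needs nmap installed)."""
    proc = subprocess.run(build_command(targets, comprehensive),
                          check=True, capture_output=True, text=True)
    return proc.stdout


def triage(xml_text):
    """Map each host that is up to its host-script output and an 'infected' flag."""
    results = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no script results
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") == "ipv4"), None)
        if addr is None:
            continue
        scripts = {}
        hostscript = host.find("hostscript")
        if hostscript is not None:
            for script in hostscript.findall("script"):
                scripts[script.get("id")] = script.get("output", "")
        infected = any(INFECTED_RE.search(out) for out in scripts.values())
        results[addr] = {"scripts": scripts, "infected": infected}
    return results


def infected_hosts(xml_text):
    """Sorted list of IPv4 addresses flagged as likely infected."""
    return sorted(ip for ip, r in triage(xml_text).items() if r["infected"])


# Constructed sample report (not real scan data) in the shape of Nmap's -oX output:
# one host flagged by both scripts, one clean host and one host that is down.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p139,445 ... 192.0.2.0/29" start="1257897600">
<host><status state="up" reason="syn-ack"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<hostscript>
<script id="smb-check-vulns" output="&#xa;  MS08-067: VULNERABLE&#xa;  Conficker: Likely INFECTED&#xa;  regsvc DoS: NOT VULNERABLE"/>
<script id="p2p-conficker" output="Checking for Conficker.C or higher...&#xa;  Check 1 (port 38602/tcp): INFECTED (Received valid data)&#xa;  4/4 checks are positive: Host is likely INFECTED"/>
</hostscript></host>
<host><status state="up" reason="syn-ack"/>
<address addr="192.0.2.11" addrtype="ipv4"/>
<hostscript>
<script id="smb-check-vulns" output="&#xa;  MS08-067: NOT VULNERABLE&#xa;  Conficker: Likely CLEAN&#xa;  regsvc DoS: NOT VULNERABLE"/>
</hostscript></host>
<host><status state="down" reason="no-response"/>
<address addr="192.0.2.12" addrtype="ipv4"/></host>
</nmaprun>
"""

if __name__ == "__main__":
    import sys
    # With target arguments, scan them; without, triage the embedded sample report.
    report = run_scan(sys.argv[1:]) if len(sys.argv) > 1 else SAMPLE_XML
    for ip in infected_hosts(report):
        print(f"{ip}: likely Conficker-infected; isolate, then clean and apply MS08-067")
```

Run it as python conficker_sweep.py 10.0.0.0/24 (or any target list Nmap accepts) to scan; with no arguments it triages the embedded sample. Treat a positive as a lead rather than a verdict: the script flags on the detection scripts' wording, so confirm on the host before reimaging, and keep the raw XML for the incident record.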

Since Nmap 4.85BETA8 and the drop-off in new Conficker variants, there has been little need for further updates to Nmap's detection. However, with Conficker variants still in circulation, scanning should continue until the worm is eradicated from our networks. As with any defense-in-depth architecture, keeping hosts patched (MS08-067 in this case) and free of malware remains an important part of our security strategy.

Resources

Porras, P., Saidi, H., & Yegneswaran, V. (2009, February 4). An analysis of Conficker's logic and rendezvous points. Retrieved from http://mtc.sri.com/Conficker

Microsoft (2009, January 8). Win32/Conficker. Retrieved from http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2FConficker

Insecure.Org (2009, October). Nmap change log. Retrieved from http://nmap.org/changelog.html

Insecure.Org (2009, July 16). Nmap 5.00 released. Retrieved from http://nmap.org/5/

Insecure.Org (n.d.). Chapter 9. Nmap Scripting Engine. Retrieved from http://nmap.org/book/nse.html

Insecure.Org (n.d.). Script smb-check-vulns.nse. Retrieved from http://nmap.org/nsedoc/scripts/smb-check-vulns.html

Insecure.Org (n.d.). Script p2p-conficker.nse. Retrieved from http://nmap.org/nsedoc/scripts/p2p-conficker.html

Leder, F., & Werner, T. (2009, June 16). Containing Conficker. Retrieved from http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker
