The Conficker Worm
Conficker took the Internet by storm, and surprise, in late 2008. SRI International reported they had not seen such a dominating outbreak since Sasser (2004), and such poor AV detection since the Storm worm (2007). Today, Conficker, also known as Downadup, has five known variants (Conficker.A through Conficker.E).
The original Conficker worm, known as Conficker.A, started making its way around the Internet, by infecting Microsoft Windows hosts, in November 2008. It propagates by infecting other computers across the network. Infection is possible due to a vulnerability in the Windows Server Service as outlined and patched in Microsoft Security Bulletin MS08-067. On infected computers the payload opens a web server to assist in the worm's distribution. It also resets the restore point and downloads files from random URLs.
In December 2008 another variant, Conficker.B, was detected. In addition to the propagation and payload of Conficker.A, it came with improved features. Conficker.B gains the ability to propagate via default network shares (such as ADMIN$) with weak passwords, mapped network drives and removable drives. It uses these paths to spread by creating additional methods of being executed. The additional payload modifies system settings, terminates services and blocks security related websites to avoid detection.
The next variant, Conficker.C, was discovered in February 2009. This variant utilizes the same propagation methods as the A and B variants. In addition to the payloads of the A and B variants, the C variant also downloads files with peer-to-peer communications and it adds a check to validate the content of what it downloads.
The last two variants, Conficker.D (Mar. 2009) and Conficker.E (Apr. 2009), are primarily used to update previous versions of itself. As far as payload, they just add to previous defenses and source URLs for downloading files. Interestingly, Conficker.E added a self termination routine to terminate itself on May 3, 2009. However, it leaves its DLL payload in place so it can still participate in peer-to-peer communication.
Using NMap to find Conficker infections
NMap is a very powerful, and portable, tool that can be used for network enumeration, mapping and auditing. It is very beneficial for many security tasks. NMap is capable of network mapping, OS identification, firewall auditing, vulnerability assessments, and much more. One of the features we are going to take advantage of is the NMap Scripting Engine (NSE).
NSE allows us to write and share scripts that will automate NMap tasks and functionality. Scripts for NSE are currently written in the Lua programming language and are identifiable with an .NSE extension. We are not going to address script writing here, but we are going to take advantage of two NSE scripts written specifically for detecting hosts infected with Conficker. For Conficker detection we are interested in two scripts, smb-check-vulns.nse and p2p-conficker.nse.
In NMap 4.85 BETA5, Conficker detection was added to the smb-check-vulns.nse script, based on the work of Felix Leder and Tillman Werner at the University of Bonn.
nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [target networks]
As Conficker matured, so did NMaps ability to detect it. In NMap 4.85 BETA6, a few bugs were fixed with the detection script. In BETA7, the false negative rate was reduced and a few more common errors were fixed. NMap became very popular and effective in the detection of Conficker. So popular that Conficker was programmed to ban access to NMap's website and prevent detection by NSE scripts.
In response, NMap 4.85 BETA8 was released. In this version, a script called p2p-conficker.nse was introduced to detect the Conficker peer-to-peer functionality. The checks performed by the smb-check-vulns.nse script were changed so Conficker's prevention techniques were foiled. And some functionality was enhanced to improve performance. Two new commands, as follows, came out of this update:
For a quicker scan, run:
nmap -p139,445 --script p2p-conficker,smb-os-discovery,smb-check-vulns --script-args checkconficker=1,safe=1 -T4 [target networks]
For a more comprehensive scan, run:
nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns -p- --script-args checkall=1,safe=1 -T4 [target networks]
Since NMap Beta8 and the fall off of Conficker variants, there has not been much need for updates in NMap detection. However, with variants of Conficker still in existence, scanning should still be performed to eradicate the worm. As with any defense-in-depth security architecture, keeping our hosts patched and malware free is an important part of our security strategy.
Porras, P, Hassen, S, & Yegneswaran, V. (2009, February 04). An Analysis of conficker's logic and rendezvous points. Retrieved from
Microsoft (2009, January 08). Win32/conficker. Retrieved from
Insecure.Org (2009, October). Nmap change log. Retrieved from
Insecure.Org (2009, July 16). Nmap 5.00 released. Retrieved from
Insecure.Org (n.d.). Chapter 9. nmap scripting engine. Retrieved from
Insecure.Org (n.d.). Script smb-check-vulns.nse. Retrieved from
Insecure.Org (n.d.). Script p2p-conficker.nse. Retrieved from
Leder, F, & Werner, T. (2009, June 16). Containing conficker. Retrieved from