Wednesday, September 2, 2009

Conficker Network Traffic [ Wireshark Captures ]

These are some of the network captures that I did using Wireshark when Conficker infected my machine. I had a hard time removing it. But in the beginning I didn't even know if something was wrong. I did some network forensic kind of thing just to ensure that some weird and unexplained network traffic was going on. :( Now I am presenting them as facts and questions that came to my mind. Sometimes, when you don't know if your computer is compromised by a worm or trojan, these kinds of symptoms are the ones you can look out for. Wireshark is an excellent open source tool for monitoring the network traffic coming in and out of your system.


Fact #1: Use of p2p: the PSH flag set in TCP packets.
Q: p2p?? I ain't using any p2p software, what the hell? Why are these PSH flags set?

In general the TCP packets used by p2p (peer-to-peer) protocols have the PSH (PUSH) flag set. Whenever you see the PSH flag set in TCP packets, you can be almost sure of p2p in action. p2p is not a common protocol; it comes into the picture only if you are using p2p software like Kazaa Lite etc. Otherwise it sure could be a cause for worry. The PSH flag set implies that the TCP packets are intended to be "pushed" across the buffers ahead of any other data. For this reason p2p traffic is notorious for eating up bandwidth and is generally banned in corporate networks. Also, p2p isn't a very reliable means of obtaining things. You never know whether the seemingly benign executable (that came disguised as your favorite game) is a trojan or a bot. One click and your computer becomes a zombie in a botnet.



Fact #2: Whenever I connect to the network, my machine starts asking for MAC addresses of all possible hosts on my LAN.
Q: Why would anyone do that? Something is going on, and this is a common sign of a worm that is trying to scan the entire LAN for vulnerable hosts.

This is a sure-shot sign of trouble. If your computer is searching the whole subnet (say 10.0.0.1 to 10.0.0.254), it's trying to figure out who else is present on your LAN. If any host replies back, the worm will try to infect it. The NetBIOS services (ports 135, 139, 445) of a Windows machine are available to the LAN only; any worm outside the LAN cannot attack them. But if any machine in your LAN is infected, chances are that all vulnerable Windows machines will get infected, unless your antivirus and OS are updated to face the most recent vulnerabilities.



Fact #3: My machine trying to access unknown websites?? Oh, at least they are unknown to me.
Q: Why?? Maybe it's trying to get updates for the 'thing'?

Conficker uses an algorithm for calculating the rate of infection. If the rate is too fast, it would eat up the network bandwidth, which may attract the unwanted attention of network admins. If the rate is too slow, well, Conficker surely doesn't want this. Conficker tries to communicate with some popular websites to find out the round-trip time, and based on the results it tries to set a rate of infection that matches the internet speed of the victim host computer. I got this reasoning from the internet, possibly an antivirus site.

In other cases the worm might be trying to get updates for itself from hacking sites or compromised sites. The worm might be downloading the next instruction set, or even more powerful malware, adware, etc.


Fact #4: Trying to get my IP address. :(
Q: This could be a trojan or a bot.

By finding and sending my IP address, a bad guy/cracker can try to gain remote access to my computer. Well, I don't really think so, I ain't that special. I am just another bot in the bot herder's army.

Fact #5: SMB negotiation, trying to gain anonymous access through port 445.

Q: Now I am sure this thing has something to do with a Microsoft SMB vulnerability, or maybe it's just trying something with anonymous shares.

Well, Microsoft has its share of security problems. Whenever a remotely exploitable vulnerability appears, you can always expect a new worm coming in. No surprises here. This makes business happen: antivirus vendors get their acknowledgment, advisories are out, and the bad guys make money too. Windows security gets another blow, and a lot of people lose money as well.
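The three symptoms above that a capture can show directly (Fact #1: PSH-heavy TCP traffic, Fact #2: one host ARP-probing the whole subnet, Fact #5: one host knocking on TCP 445 of many LAN neighbours) can be scored from a packet summary such as a `tshark -T fields` export. The script below is an added example, not code from the original post; the packet lines, addresses and thresholds (`ARP_SWEEP_MIN`, `SMB_FANOUT_MIN`, `PSH_RATIO_MIN`) are all constructed for illustration, and the PSH share is judged per host rather than per packet because a single PSH flag on its own proves nothing.

```python
from collections import defaultdict

# Constructed packet summary shaped like a `tshark -T fields` export, columns
# time,src,dst,proto,dport,psh. Every address and value below is made up for this example.
SAMPLE = """\
0.00,10.0.0.7,10.0.0.1,arp,,
0.01,10.0.0.7,10.0.0.2,arp,,
0.02,10.0.0.7,10.0.0.3,arp,,
0.03,10.0.0.7,10.0.0.4,arp,,
0.40,10.0.0.7,10.0.0.2,tcp,445,0
0.41,10.0.0.7,10.0.0.3,tcp,445,0
0.42,10.0.0.7,10.0.0.4,tcp,445,0
1.00,10.0.0.7,203.0.113.9,tcp,8081,1
1.10,10.0.0.7,203.0.113.9,tcp,8081,1
1.20,10.0.0.7,198.51.100.4,tcp,9234,1
1.30,10.0.0.7,198.51.100.4,tcp,9234,1
5.00,10.0.0.9,10.0.0.1,arp,,
5.50,10.0.0.9,93.184.216.34,tcp,80,0
5.60,10.0.0.9,93.184.216.34,tcp,80,1
"""

ARP_SWEEP_MIN = 4    # distinct ARP targets one host asks for within ARP_WINDOW seconds
ARP_WINDOW = 2.0
SMB_FANOUT_MIN = 3   # distinct hosts one source contacts on TCP 445
PSH_RATIO_MIN = 0.5  # share of a host's TCP packets carrying PSH (judged on >= 4 packets)

def analyse(text):
    arp, smb = defaultdict(list), defaultdict(set)
    tcp_total, tcp_psh = defaultdict(int), defaultdict(int)
    for t, src, dst, proto, dport, psh in (line.split(",") for line in text.splitlines()):
        if proto == "arp":
            arp[src].append((float(t), dst))      # who is this host looking for on the LAN?
        elif proto == "tcp":
            tcp_total[src] += 1
            tcp_psh[src] += int(psh)
            if dport == "445":
                smb[src].add(dst)
    findings = defaultdict(list)                  # src -> list of symptom names
    for src, reqs in arp.items():
        reqs.sort()                               # sliding time window over ARP requests
        if any(len({d for t, d in reqs[i:] if t - reqs[i][0] <= ARP_WINDOW}) >= ARP_SWEEP_MIN
               for i in range(len(reqs))):
            findings[src].append("arp_sweep")
    for src, hosts in smb.items():
        if len(hosts) >= SMB_FANOUT_MIN:
            findings[src].append("smb_445_fanout")
    for src, n in tcp_total.items():
        if n >= 4 and tcp_psh[src] / n >= PSH_RATIO_MIN:
            findings[src].append("psh_heavy")
    return dict(findings)
```

Run `analyse(SAMPLE)` and the constructed host 10.0.0.7 is flagged for all three symptoms while the ordinary web-browsing host 10.0.0.9 is not reported at all.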


Fact #6: This was the last part: the hidden DLL was in the form of a BMP image file hidden deep inside the caves of Internet Explorer.

Q: Why couldn't I find it myself?? Huh!

Catching a popular worm without an antivirus is very hard these days. Although in the past I have cleaned some of the relatively 'friendly' worms without using an antivirus at all. Yeah, they would let me sneak in and ultimately give up their positions. It's fun, and it's like solving a puzzle.

4 comments:

  1. How can I detect any p2p botnet in my network using Wireshark? I captured about 7GB of data but I don't know how to find it. Can you teach me how to do it? nqfaq [a] yahoo . com, thank you.

  2. Hi,

    I'm trying to investigate a mysterious issue and I'm not sure that it's the same as the problem you describe here so I'd be glad if you can provide me with some useful notes.

    The issue that we found is this: when we turned Active Directory auditing on we could see that there are many workstations that try to authenticate with strange usernames (such as @@CYAAAAAjBgcA0GAhBAZA0GApBgbAAEAzBwdAEDA, owner, support_388945a0 and others) and even many (over 100 attempts per second) authentication attempts with valid user names but with wrong passwords. That of course triggers our account-lockout policies very often.

    I tried to look at the network traffic and I could find many PSH packets like you did, but no attempts to access www.whatismyip.com or any of those websites you mentioned. Additionally, since we have an old Linux Samba server that is sharing a folder, we also see many SMB anonymous authentication attempts from that machine, so it becomes more difficult to find the relevant requests, but I'm still trying...

    Do you have any other ideas of things that I should look at?


    Tnx,
    Yuval.

    BTW: GRRRRREAT post... thanks...

  3. I have a similar case to yours. Damned Conficker. Was painful to delete from my network; your info was useful. Thank you.

  4. I realized today that this post has 3 comments, and I never saw them. I am sorry. Shame on me!
