Scanning for Conficker’s peer to peer

Hi everybody,

With the help of Symantec's Security Intelligence Analysis Team, I've put together a script that'll detect Conficker (.C and up) based on its peer-to-peer ports. The script is called p2p-conficker.nse, and it runs automatically against any Windows system when scripts are enabled:

nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns \
        --script-args=safe=1 -T4 -p445 <host>
or
sudo nmap -sU -sS --script p2p-conficker,smb-os-discovery,smb-check-vulns \
        --script-args=safe=1 -T4 -p U:137,T:139 <host>

See below for more information!

Or, if you just want to scan your network fast, give this a shot:

nmap -p139,445 --script p2p-conficker,smb-os-discovery,smb-check-vulns \
        --script-args=checkconficker=1,safe=1 -T4 <host>

How do I get it?

Update to the newest Nmap SVN version and download the .nse file into your 'scripts' folder, or download and install Nmap 4.85beta8 or higher.

How do I know if I'm infected?

Four tests are performed. If any of those tests come back INFECTED, you're probably infected. For example:

Host script results:
|  p2p-conficker: Checking for Conficker.C or higher...
|  | Check 1 (port 21249/tcp): INFECTED (Received valid data)
|  | Check 2 (port 25561/tcp): INFECTED (Received valid data)
|  | Check 3 (port 26106/udp): INFECTED (Received valid data)
|  | Check 4 (port 46447/udp): INFECTED (Received valid data)
|_ |_ 4/4 checks: Host is likely INFECTED

That would indicate a host that's definitely infected. But even if only one of the ports came back INFECTED, the host is still infected:

Host script results:
|  p2p-conficker: Checking for Conficker.C or higher...
|  | Check 1 (port 21249/tcp): INFECTED (Received valid data)
|  | Check 2 (port 25561/tcp): CLEAN (Couldn't connect)
|  | Check 3 (port 26106/udp): CLEAN (Failed to receive data)
|  | Check 4 (port 46447/udp): CLEAN (Failed to receive data)
|_ |_ 1/4 checks: Host is likely INFECTED

And finally, if one or more ports come back with a possible infection (invalid data or an incorrect checksum), you should be cautious -- it could indicate an infection combined with a flaky network, or a different generation of the worm (what are the chances of two random ports being open?). That output looks like this:

Host script results:
|  p2p-conficker: Checking for Conficker.C or higher...
|  | Check 1 (port 21249/tcp): CLEAN (Data received, but checksum was invalid (possibly INFECTED))
|  | Check 2 (port 25561/tcp): CLEAN (Data received, but checksum was invalid (possibly INFECTED))
|  | Check 3 (port 26106/udp): CLEAN (Failed to receive data)
|  | Check 4 (port 46447/udp): CLEAN (Failed to receive data)
|_ |_ 0/4 checks: Host is CLEAN or ports are blocked

If it says I'm clean, how sure is it?

Unfortunately, this check, like my other Conficker check, isn't 100% reliable. There are several factors here:

  • This peer to peer first appeared in Conficker.C, so Conficker.A and Conficker.B won't be detected
  • It relies on connecting to Conficker's ports -- firewalls or port filters can block this
  • If the host is multihomed or NATed, the wrong ports will be generated. If you know its real IP, see the sample commands below
  • If the Windows ports are blocked (445/139), the check won't run by default. This behaviour can be overridden, see the sample commands below

How does this work?

When Conficker.C or higher infects a system, it opens four ports for communication (two TCP and two UDP). It uses these to connect to other infected hosts to send/receive updates and other information. These ports are based on two factors: a) the IP address, and b) the current time (the weeks since Jan 1 1970).

Thanks to research by Symantec (and others), the port-generation algorithm and the protocol have been discovered, and that's what I implemented in my script. Each packet has an encryption key, some data and a checksum (encrypted), and some noise. If a packet is sent to any of these ports on an infected host, the host responds; that response indicates an infection.

For more details on how it works, see the code itself.

Sample commands

Perform a simple check:

nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns \
        --script-args=safe=1 -T4 -p445 <host>
or
sudo nmap -sU -sS --script p2p-conficker,smb-os-discovery,smb-check-vulns \
        --script-args=safe=1 -T4 -p U:137,T:139 <host>

This is probably the best way to run a fast scan. It does a ping sweep then scans every host:

nmap -p139,445 --script p2p-conficker,smb-os-discovery,smb-check-vulns \
        --script-args=checkconficker=1,safe=1 -T4 <host>

Check all 65535 ports to see if any have been opened by Conficker (VERY slow, but thorough):

nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns -p- \
        --script-args=checkall=1,safe=1 -T4 <host>

Check the standard Conficker ports for a chosen IP address (in other words, override the IP address that's used to generate the ports):

nmap --script p2p-conficker,smb-os-discovery -p445 \
        --script-args=realip=\"192.168.1.65\" -T4 <host>
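To turn the fast network scan above into a list of hosts that need attention, here is a small parser for the p2p-conficker lines in Nmap's normal output (-oN). It is an added example, not part of the script or of Nmap; it assumes the scan was run with -n so each host header carries a bare IP address, and the report it parses is a constructed sample. It applies the three readings given above: any INFECTED check, a bad-checksum reply (possibly INFECTED), or no check lines at all because the script never ran.

```python
import re
import sys

# Host header of Nmap's normal (-oN) output, assuming -n (bare IP, no DNS name);
# the older "Interesting ports on" wording is an assumption about the Nmap version.
HOST_RE = re.compile(r"^(?:Nmap scan report for|Interesting ports on) (\S+?):?$")
CHECK_RE = re.compile(
    r"^\|\s+\|\s+Check (\d) \(port (\d+)/(tcp|udp)\): (INFECTED|CLEAN) \((.*)\)$")

def classify(checks):
    """Any valid reply means infected; a bad-checksum reply is a possible
    infection worth a closer look; no check lines means the script never ran."""
    if not checks:
        return "NOT_CHECKED"
    if any(c["verdict"] == "INFECTED" for c in checks):
        return "INFECTED"
    if any("possibly INFECTED" in c["reason"] for c in checks):
        return "POSSIBLY_INFECTED"
    return "CLEAN_OR_BLOCKED"

def parse_nmap_output(text):
    """Return {host: verdict} for every host in a normal-output Nmap report."""
    checks_by_host, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            checks_by_host[current] = []
        elif current is not None and (m := CHECK_RE.match(line)):
            checks_by_host[current].append(
                {"port": int(m.group(2)), "proto": m.group(3),
                 "verdict": m.group(4), "reason": m.group(5)})
    return {host: classify(c) for host, c in checks_by_host.items()}

# Constructed sample of a three-host scan (addresses and ports are made up).
SAMPLE = """\
Nmap scan report for 192.168.0.10
|  | Check 1 (port 21249/tcp): INFECTED (Received valid data)
|  | Check 2 (port 25561/tcp): CLEAN (Couldn't connect)
|_ |_ 1/4 checks: Host is likely INFECTED
Nmap scan report for 192.168.0.11
|  | Check 1 (port 31004/tcp): CLEAN (Data received, but checksum was invalid (possibly INFECTED))
|  | Check 3 (port 12807/udp): CLEAN (Failed to receive data)
|_ |_ 0/4 checks: Host is CLEAN or ports are blocked
Nmap scan report for 192.168.0.12
"""

if __name__ == "__main__":
    for host, verdict in parse_nmap_output(open(sys.argv[1]).read()).items():
        print(f"{host:<16} {verdict}")
```

Run the fast scan with -n and -oN (for example: nmap -n -p139,445 --script p2p-conficker,smb-os-discovery,smb-check-vulns --script-args=checkconficker=1,safe=1 -T4 -oN scan.txt 192.168.0.0/24), then feed scan.txt to this script to get one verdict per host.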

But wait, there's more!

smb-check-vulns.nse can now detect Conficker.D (and .E) using the same techniques as scs2.py.

Conclusion

Hopefully the script helps you out! And, as usual, don't hesitate to contact me if you have any issues! You can find me in a bunch of places:

  • Post a comment here (I try hard to answer every comment)
  • Post a message to Nmap-dev
  • Email me (ron --- skullsecurity.org)
  • #nmap on FreeNode (I don't look at that so often, though)

13 thoughts on “Scanning for Conficker’s peer to peer”

  1. Ram

    Ron,

    In our environment we seem to hit the messages below. Not sure whether this is alright.

    PORT STATE SERVICE
    139/tcp closed netbios-ssn
    445/tcp closed microsoft-ds

    Host script results:
    | p2p-conficker: Checking for Conficker.C or higher...
    | | Check 1 (port 37344/tcp): CLEAN (Timeout)
    | | Check 2 (port 42396/tcp): CLEAN (Timeout)
    | | Check 3 (port 46538/udp): CLEAN (Failed to receive data)
    | | Check 4 (port 35097/udp): CLEAN (Timeout)
    |_ |_ 0/4 checks: Host is CLEAN or ports are blocked

    PORT STATE SERVICE
    139/tcp open netbios-ssn
    445/tcp open microsoft-ds

    Host script results:
    | p2p-conficker: Checking for Conficker.C or higher...
    | | Check 1 (port 14079/tcp): CLEAN (Timeout)
    | | Check 2 (port 49942/tcp): CLEAN (Timeout)
    | | Check 3 (port 12807/udp): CLEAN (Timeout)
    | | Check 4 (port 7577/udp): CLEAN (Timeout)
    |_ |_ 0/4 checks: Host is CLEAN or ports are blocked

    Thanks for the script.

    Ram

    1. Ron Post author

      @Ram

      The first one doesn't appear to be a Windows system, and they both appear clean. Of course, that doesn't mean they're 100% guaranteed to be clean, but it's pretty likely.

      Ron

  2. Thales

    Thanks for the script.

    When I scan an entire network, how do I show only the IPs of the network assets in the Nmap result?

    Thank you.

    1. Ron Post author

      @Thales

      I'm not really clear on what you're asking, can you rephrase that in a different way?

      Thanks
      Ron

  3. hakipedia

    I was wondering about its detection for the D and E strands, then I saw the "But wait, there's more!" content. Thanks for the information. It could come in handy. :)

  4. Steve

    I think what Thales wants to do is the same thing I'd like to do: scan my entire LAN for Conficker infection, i.e. my LAN ranges from 192.168.0.1 to 192.168.0.255.

    Can this script automatically cycle through all hosts in the LAN and see if any of them are infected?

  5. Computer Support

    good job... Thanks for the script.

  6. satria.permana

    Hey all, can you help me with the script above?
    I've installed Nmap 5.00 on my Linux, and found the p2p-conficker script at /usr/share/nmap/scripts/p2p-conficker.nse
    But why can't I use that script? In my case, when I use this script there is no execution for this script --> there is nothing displayed on my screen (e.g. like yours:

    Host script results:
    | p2p-conficker: Checking for Conficker.C or higher...
    | | Check 1 (port 21249/tcp): INFECTED (Received valid data)
    | | Check 2 (port 25561/tcp): CLEAN (Couldn't connect)
    | | Check 3 (port 26106/udp): CLEAN (Failed to receive data)
    | | Check 4 (port 46447/udp): CLEAN (Failed to receive data)
    |_ |_ 1/4 checks: Host is likely INFECTED
    )

    1. Ron Post author

      Hey,

      It's hard to say exactly what your problem is. Could you post the command you used to run Nmap, along with the full output when using -d (debug)?

      It might be easiest to email it to me -- ron at skullsecurity.net

      Thanks!

  7. John

    Hi Ron, it seems that I do not know how to run that scan properly, although I just copied the command and changed the string of course. Whether I use older scripts or the new one, which tests Conficker and 3 other security issues, in none of them am I getting the output I should. I used "nmap -p 445 -T4 --script p2p-conficker,smb-os-discovery,smb-check-vulns --script-args safe=1" with a valid target IP, and the output I got was about 9 lines telling me just that the host is up, the port is filtered and that the target was scanned in 1.88 seconds. This happens with Zenmap and also with Nmap run from the command line on my own, in both cases as an admin on Windows Vista. I just want to get that "Host script results:"

    | p2p-conficker: Checking for Conficker.C or higher... :D :D

    Any ideas?

  8. Sam

    I've had real success running ComboFix to remove Conficker. It is a pain in the rear and your scripts are useful.

  9. Miami Computer Support

    Conficker has been a real nasty bugger for some of our clients. One in particular had been passing around infected thumbdrives. We had to educate them on the risks and ended up disabling Autoplay.

  10. London IT support

    Thanks for the script details and the explanations. Dealing with a similar network issue is something I am learning at the moment so came in handy as a bit of inspiration.
