
FreeBSD Manual Pages

conficker-c(3)                  SiLK Tool Suite                  conficker-c(3)

NAME
       conficker-c - SiLK plug-in to detect traffic matching the Conficker C
       worm

SYNOPSIS
         rwfilter --plugin=conficker-c.so [--conficker-seed=SEED]
               [--s-conficker] [--d-conficker] [--a-conficker] ...

         rwcut --plugin=conficker-c.so [--conficker-seed=SEED]
               [--fields=...,sconficker,dconficker,...] ...

         rwgroup --plugin=conficker-c.so [--conficker-seed=SEED]
               [--fields=...,sconficker,dconficker,...] ...

         rwsort --plugin=conficker-c.so [--conficker-seed=SEED]
               [--fields=...,sconficker,dconficker,...] ...

         rwstats --plugin=conficker-c.so [--conficker-seed=SEED]
               [--fields=...,sconficker,dconficker,...] ...

         rwuniq --plugin=conficker-c.so [--conficker-seed=SEED]
               [--fields=...,sconficker,dconficker,...] ...

DESCRIPTION
       The conficker-c plug-in was written in March 2009 to detect traffic
       that matches the signature of the .C variant of the Conficker worm.

       The .C variant of the Conficker worm
       (<https://www.us-cert.gov/ncas/alerts/TA09-088A>) contains a peer-to-
       peer scanning thread which generates a large amount of UDP high-port to
       high-port packets.  SRI International provides a detailed analysis
       report on the worm's behavior which describes features of the peer-to-
       peer network traffic.
       (<http://www.csl.sri.com/users/vinod/papers/Conficker/addendumC/index.html>)
       This report hints at "...a unique mapping from IP address to the two
       TCP and UDP listen ports in each host."

       This type of behavior is also ideally suited for flow analysis, and the
       conficker-c plug-in emulates the same functionality.  When loaded into
       either rwfilter(1) or rwcut(1) using the --plugin switch, the plug-in
       adds fields for detecting and filtering Conficker.C traffic with a
       limited number of false positives.

       The conficker-c plug-in identifies the targets of Conficker.C scanning.
       When a Conficker.C infected machine starts scanning for other peers, it
       targets a somewhat random port on the destination host according to a
       function f() where

        dPort = f (dIP, seed)
        sPort = f (sIP, seed)

       and the seed is computed from the function g():

        seed = g (start_time)

       The plug-in implements that function and can check whether the computed
       source or destination port matches the observed value of the port.  If
       the source or destination matches, that indicates that the destination
       or source, respectively, may be infected.

       To compute the "seed" argument to the function, the plug-in computes
       the number of weeks between 1970-Jan-05 and the flow record's start
       time.  When the flow's start time is within a few minutes of the week
       boundary, the plug-in computes ports using both possible values for the
       seed.  The plug-in provides the --conficker-seed command line switch to
       allow selection of a different seed.

       The plug-in ignores any non-UDP/non-TCP traffic.
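       The following Python is an added illustration of the seed derivation
       g() and the match semantics just described; it is not the plug-in's own
       code.  The Conficker.C port mapping f() is not given on this page, so
       the block takes f as a caller-supplied callable and ships a constructed
       stand-in (toy_port_fn); the five-minute boundary tolerance is likewise an
       assumption, since the page only says "within a few minutes".

```python
from datetime import datetime, timedelta, timezone
from typing import Callable, Set, Tuple

# Week counting starts at 1970-Jan-05 (a Monday), as the man page states.
SEED_EPOCH = datetime(1970, 1, 5, tzinfo=timezone.utc)
WEEK = timedelta(days=7)
# "Within a few minutes" of the boundary; five minutes is an assumption here.
BOUNDARY_TOLERANCE = timedelta(minutes=5)
PortFn = Callable[[str, int], int]  # f(ip, seed) -> port


def candidate_seeds(start_time: datetime,
                    tolerance: timedelta = BOUNDARY_TOLERANCE) -> Set[int]:
    """g(start_time): whole weeks since SEED_EPOCH, plus the neighbouring
    week when the flow starts within `tolerance` of a week boundary."""
    elapsed = start_time - SEED_EPOCH
    seed = elapsed // WEEK
    seeds = {seed}
    into_week = elapsed % WEEK
    if into_week < tolerance:
        seeds.add(seed - 1)
    elif WEEK - into_week < tolerance:
        seeds.add(seed + 1)
    return seeds


def seeds_for(iso_start: str) -> Set[int]:
    """Convenience wrapper taking an ISO 8601 start time with UTC offset."""
    return candidate_seeds(datetime.fromisoformat(iso_start))


def conficker_fields(proto: int, sip: str, sport: int, dip: str, dport: int,
                     seeds: Set[int], f: PortFn) -> Tuple[int, int]:
    """Emulate sconficker/dconficker: 1 when the IP and port match f(ip, seed)
    for any candidate seed, else 0.  Non-TCP/UDP flows never match."""
    if proto not in (6, 17):
        return 0, 0
    sconficker = int(any(f(sip, s) == sport for s in seeds))
    dconficker = int(any(f(dip, s) == dport for s in seeds))
    return sconficker, dconficker


def passes(switch: str, fields: Tuple[int, int]) -> bool:
    """rwfilter's --s-conficker ('s'), --d-conficker ('d'), --a-conficker ('a')."""
    scon, dcon = fields
    return {"s": scon == 1, "d": dcon == 1, "a": scon == 1 or dcon == 1}[switch]


def toy_port_fn(ip: str, seed: int) -> int:
    """Constructed stand-in for f(), NOT the worm's mapping: a deterministic
    high port derived from the address and seed, so the logic above can run."""
    a, b, c, d = (int(octet) for octet in ip.split("."))
    return 1024 + (a * 31 + b * 17 + c * 7 + d + seed * 101) % (65536 - 1024)
```

       Replacing toy_port_fn with the real mapping is the only change needed to
       turn this into a faithful re-implementation of the sconficker and
       dconficker fields.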

OPTIONS
       Option names may be abbreviated if the abbreviation is unique or is an
       exact match for an option.  A parameter to an option may be specified
       as --arg=param or --arg param, though the first form is required for
       options that take optional parameters.

       The conficker-c plug-in provides the following options to the indicated
       applications.

   rwfilter Switches
       The conficker-c plug-in adds the following switches to rwfilter(1).
       You may check for Conficker.C traffic on a particular side of the flow,
       or for both sides:

       --s-conficker
           Pass the flow record if the source IP and port match those targeted
           by Conficker.C (indicating that the destination IP may be
           infected).

       --d-conficker
           Pass the flow record if the destination IP and port match those
           targeted by Conficker.C (indicating that the source IP may be
           infected).

       --a-conficker
           Pass the flow record if either the source IP and port or the
           destination IP and port match those targeted by Conficker.C.

       --conficker-seed=SEED
           Use the value SEED to seed the Conficker.C checker.  Typically the
           flow's start time is used as the basis for the seed.

   rwcut, rwgroup, rwsort, rwstats, and rwuniq Switches
       The conficker-c plug-in augments the switches of rwcut(1), rwgroup(1),
       rwsort(1), rwstats(1), and rwuniq(1) as follows:

       --fields=FIELDS
           FIELDS refers to a list of fields to use for the operation.  The
           conficker-c plug-in adds the following fields:

           sconficker
               Show whether the source IP and source port combination match
               the values targeted by Conficker.C, which indicate that the
               destination IP may be infected.  This field contains a 1 when
               values match and a 0 when they do not.

           dconficker
               Show whether the destination IP and destination port
               combination match the values targeted by Conficker.C, which
               indicate that the source IP may be infected.  This field
               contains a 1 when values match and a 0 when they do not.

       --conficker-seed=SEED
           Use the value SEED to seed the Conficker.C checker.  Typically the
           flow's start time is used as the basis for the seed.

EXAMPLES
       In the following examples, the dollar sign ("$") represents the shell
       prompt.  The text after the dollar sign represents the command line.
       Lines have been wrapped for improved readability, and the backslash
       ("\") is used to indicate a wrapped line.

       This example uses contrived data to test that the plug-in works.
       Values that are known to match the worm are piped into rwtuc(1) to
       create a SiLK Flow record.  That record is piped into rwfilter, which
       matches the record.  That result is piped into rwcut to display the
       result:

        $ echo '17|10.10.10.10|23332|192.168.192.168|16514|'            \
          | rwtuc --fields=protocol,sip,sport,dip,dport                 \
          | rwfilter --plugin=conficker-c.so --conficker-seed=8888      \
               --s-conficker --protocol=17 --print-volume               \
               --pass=stdout stdin                                      \
          | rwcut --plugin=conficker-c.so --conficker-seed=8888         \
               --fields=sip,sport,sconficker,dip,dport,dconficker       \
               --ipv6-policy=ignore
             | Recs  | Packets | Bytes | Files |
        Total|      1|        1|      1|      1|
        Pass |      1|        1|      1|       |
        Fail |      0|        0|      0|       |
                sIP|sPort|scon|            dIP|dPort|dcon|
        10.10.10.10|23332|   1|192.168.192.168|16514|   1|

       To find infected hosts on your network, you typically want to look at
       outgoing traffic and find instances where source hosts are targeting
       conficker destination IP and port pairs, so you would use the
       --d-conficker switch on rwfilter.

       To further refine the query and eliminate most false positives, it is
       useful to eliminate common service ports (the packets from a scanner
       have sport=ephemeral, dport=conficker-chosen):

        $ rwfilter --plugin=conficker-c.so --d-conficker                 \
               --sport=1024- --dport=1024-                               \
               --start-date=2009/05/01 --end-date=2009/05/31 --type=out  \
               --pass=stdout                                             \
          | rwuniq --fields=sip --flows=10 --sort-output

       There may be false positives from VPN traffic.  Depending on your
       network, you might want to filter traffic on UDP 500 or 10000.

ENVIRONMENT
       SILK_PATH
           This environment variable gives the root of the install tree.  When
           searching for plug-ins, a SiLK application may use this environment
           variable.  See the "FILES" section for details.

       SILK_PLUGIN_DEBUG
           When set to 1, the SiLK applications print status messages to the
           standard error as they attempt to find and open the conficker-c.so
           plug-in.  A typical invocation using this variable is:

            env SILK_PLUGIN_DEBUG=1 rwcut --plugin=conficker-c.so --version

FILES
       ${SILK_PATH}/lib64/silk/conficker-c.so
       ${SILK_PATH}/lib64/conficker-c.so
       ${SILK_PATH}/lib/silk/conficker-c.so
       ${SILK_PATH}/lib/conficker-c.so
       /usr/local/lib64/silk/conficker-c.so
       /usr/local/lib64/conficker-c.so
       /usr/local/lib/silk/conficker-c.so
       /usr/local/lib/conficker-c.so
           Possible locations for the plug-in.

SEE ALSO
       rwfilter(1), rwcut(1), rwgroup(1), rwsort(1), rwstats(1), rwuniq(1),
       rwtuc(1), silk(7)

SiLK 3.19.1                       2021-02-28                    conficker-c(3)
