Conflicker detector?
Jesper Skou Jensen
jesper.skou.jensen at uni-c.dk
Tue Mar 31 02:44:07 EDT 2009
Very interesting news Carter. I for one sure would like to see that perl
script. For now I'll try the approach below and see if any of our
machines appear to be infected.
--
Jesper S. Jensen
UNI-C - Århus, Danmark
Carter Bullard wrote:
> Gentle people,
> There is a lot of conficker news about, and the link below is interesting
> as it has a few more behavioral descriptions. Much of the tags
> are searchable in argus data, so this week I may put together a
> perl script, along the same lines as radark.pl, to report on potential
> conficker activity, using the info in this link:
>
> http://www.confickerworkinggroup.org/wiki/pmwiki.php?n=SP.ServiceProviders
>
> as a guide (for starters). One of the interesting things, is the list
> of "malicious
> conficker" sites. I'll also add a test for DNS requests for these host
> names,
> from local machines, as that may also add some interesting fuel to the fire.
>
> Because there is a DNS component to the attack profile, I think we can use
> the radump() features to give us a heads up on who is doing conficker
> related
> DNS lookups. That should be very useful?
>
> If anyone has any thoughts, please start hollering ;o)
>
>
> Carter
>
> On Mar 30, 2009, at 3:16 PM, Carter Bullard wrote:
>
>> Gentle people,
>> Anyone interested in doing a Conflicker detection program?
>>
>> I don't have any argus records of a successful Conflicker session.
>> I only have Conflicker scan attempts. No one I know seems to be
>> having Conflicker problems, so I haven't seen any good data yet.
>>
>> If you are capturing user data in your argus data records, you
>> may find this interesting.
>>
>> So, just looking for external to internal TCP -> port 445 will give you
>> some Conflicker scan activity if you have any, and the list of src IP
>> addresses
>> involved in those types of scans can be used to seed searches in your
>> argus
>> archives to see if any of those addresses have done anything
>> interesting with your network.
>>
>> From what I know, Conflicker, once it has done its thing, uses HTTP
>> over a peer-to-peer "callback" channel to check for things, and we can
>> test for that really easily.
>>
>> With the list of IP addresses that used port 445, we can look for any flow
>> that has HTTP protocol key words on a session not using a traditional
>> HTTP port.
>>
>> So, by hand you can do something like this, with the data from an
>> argus looking at your border interfaces:
>> ../bin/racluster -L0 -m saddr -s saddr -R
>> /Volumes/Data/argus/prim*/207*/2009/03 - tcp and port 445
>>
>> This will print out the IP addresses of port 445 scanners. You can
>> refine that with a filter to say give
>> you only addresses that are outside of your network. For the month of
>> March,
>> here is the output from QoSient world headquarters:
>> 41.209.130.202
>> 41.209.130.205
>> 58.222.22.41
>> 69.57.239.251
>> 74.11.29.171
>> 85.109.156.27
>> 85.189.237.214
>> 86.8.99.27
>> 94.241.252.150
>> 123.169.76.30
>> 189.26.118.117
>> 207.40.251.189
>> 207.160.119.252
>> 207.164.177.50
>> 207.182.133.26
>> 207.188.73.161
>> 207.188.248.132
>> 207.199.245.133
>> 207.212.177.34
>> 207.212.177.36
>> 207.213.99.57
>> 207.218.175.231
>> 207.224.112.169
>> 207.225.1.47
>> 207.225.186.157
>> 207.237.36.130
>> 207.237.37.194
>> 207.237.37.198
>> 207.237.152.49
>> 207.237.152.98
>> 207.237.152.243
>> 207.248.38.10
>> 210.193.47.160
>> 216.12.74.84
>>
>> So "../bin/racluster ...... port 445 > /tmp/ips.using.port.445"
>>
>> OK, so put that in a file, and use it as config for rafilteraddr() to
>> grab all the argus
>> records from/to those addresses, and check to see if you see any HTTP
>> like
>> protocol keywords on a non "port 80" tcp connection.
>>
>> Remember, all ra* programs in argus-clients-3.0.x can 'grep' for patterns
>> in the user data buffers. Just use the "-e 'regex'" option.
>>
>> rafilteraddr -f /tmp/ips.using.port.445 -R
>> /path/to/your/archive/2009/03 -e "GET | PUT" - port not \(80 or 8008
>> or 8080\)
>>
>> The "GET | PUT" is the regular expression "'GET' or 'PUT'" so be sure
>> and use the (bar)
>> character. OK, if you get any hits that look suspicious (like the
>> contents are all encrypted, or
>> it just doesn't look right), then what would be cool is to capture all
>> the argus records to and
>> from the local IP address over the time period where the Conflicker
>> activity was seen
>> to see if you can figure out what is going on.
>>
>> Or, you can just go through your entire archive looking for this:
>>
>> ra -R /path/to/your/archive/2009/03 -e "GET | PUT" - port not \(80
>> or 8008 or 8080\)
>>
>> But you'll get some false positives.
>>
>> When I do that, I found a single HTTP session using port 10080, and
>> that was it.
>>
>> That TCP connection was interspersed with other port 80 HTTP
>> connections to the
>> same server, and you could see that it was preceeded by a loading of a
>> "jquery_pack.jsr" file, so it was some java script grabbing off of a
>> weird port. The
>> commands were all "GET"'s and they were just images (a few gifs, pngs,
>> jpgs),
>> so not interesting.
>>
>> I validated that they were pretty boring by doing a radump() of the
>> domain requests
>> over the same period, looking for the IP addresses in the output, so I
>> could see
>> that I had actually done something that made sense. Let's say that
>> the IP address
>> was x.y.z.w, then I would type:
>>
>> radump -R /path/to/your/archive/2009/03/12/ -s +suser:128 +duser:129
>> - port domain | fgrep x.y.z.w
>>
>> And got the DNS session that actually returned the IP address of
>> interest. So everything
>> was pretty boring on that 10080 port HTTP session.
>>
>> Anyone have any interest in thinking about this kind of stuff?
>>
>> Carter
>>
>
> Carter Bullard
> CEO/President
> QoSient, LLC
> 150 E 57th Street Suite 12D
> New York, New York 10022
>
> +1 212 588-9133 Phone
> +1 212 588-9134 Fax
>
>
>
More information about the argus
mailing list