
A Look Inside Conficker P2P Traffic

  • Posted on:April 3, 2009 at 8:23 pm
  • Posted in:Malware
  • Author:
    Ben April (Threat Researcher)

Visualizations can often show researchers details that would otherwise take hours of staring at raw data to find. WORM_DOWNAD.KK has plenty to show us if we look in the right places. This post focuses on the various P2P channels.

The first set of graphs maps each IP address (source and destination) found in the source pcap file onto a grid. Each IP address is first split into its four octets (A.B.C.D). The octets are plotted as points on four vertical lines; working from left to right, each line corresponds to one octet (A.B.C.D), with zero at the top and 255 at the bottom. The four points are then connected with a line. The color of the line indicates the value range of the starting octet: green for 0-64, blue for 65-128, pink for 129-192 and yellow for 193-255. Each graph shows a 1-hour snapshot of data.

This image shows a 1-hour sample taken from an uninfected LAN carrying normal office traffic. You can see a number of addresses and even follow most of the lines. Multiple appearances of the same address are plotted as one line:

Figure 1. 1 hour of normal LAN traffic

Things get more interesting when we plot WORM_DOWNAD.KK traffic. This graph shows one hour of traffic from a single system infected with WORM_DOWNAD.KK. Note the difference between the first and second graphs. We can clearly see that the IP selection algorithm generates a complex distribution that provides thorough coverage of each IP octet:

Figure 2. 1 hour of WORM_DOWNAD.KK P2P traffic

It is also interesting to see the IP space that WORM_DOWNAD.KK is programmed to avoid. We know WORM_DOWNAD.KK contains a blocklist of /8 CIDR ranges that it will not transmit P2P traffic to (/8 indicating that only the first octet, “A”, is significant). The /8s not scanned by the P2P protocol are 0, 1, 2, 5, 10, 14, 23, 27, 31, 36, 37, 39, 42, 46, 49, 50, 100-109, 127, 175-185, 191, 197, and 223-255. You can clearly see four gaps on the “A” line. These gaps match the known list very well: 0-5 at the top, 100-109 (blue), 175-185 (pink) and 223-255 at the bottom. If you zoom in you will also see that the green section (0-64) is spottier than the other colors, which agrees with what we know about the blocklist.
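As an added example (not code from the original post or from Trend Micro), the following Python reproduces the two ideas above: the octet-per-column polyline transformation with the post's four color bands, and a check of observed first octets against the /8 blocklist as the post lists it, so that any gap in octet A that the blocklist does not explain stands out. The sample addresses are constructed, not capture data.

```python
import ipaddress

# The /8 first-octet ranges the post says WORM_DOWNAD.KK's P2P code avoids,
# transcribed from the list in the text (0, 1, 2, 5, ... 223-255).
BLOCKED_A = set(
    [0, 1, 2, 5, 10, 14, 23, 27, 31, 36, 37, 39, 42, 46, 49, 50, 127, 191, 197]
    + list(range(100, 110)) + list(range(175, 186)) + list(range(223, 256))
)

def colour_for(a):
    """Line colour by starting octet, using the four bands the post describes."""
    if a <= 64:
        return "green"
    if a <= 128:
        return "blue"
    if a <= 192:
        return "pink"
    return "yellow"

def is_blocked(ip):
    """True if the worm's P2P code should never contact this address per the blocklist."""
    return (int(ipaddress.IPv4Address(ip)) >> 24) in BLOCKED_A

def polylines(ips):
    """One polyline per unique address: points are (x = octet index 0..3, y = octet value);
    y grows downward as in the figures (0 at the top, 255 at the bottom)."""
    out = {}
    for ip in sorted(set(ips)):
        octets = [int(o) for o in ip.split(".")]
        out[ip] = {"points": list(enumerate(octets)), "colour": colour_for(octets[0])}
    return out

def first_octet_gaps(ips):
    """Octet-A values never seen in the capture, split into those the blocklist
    explains and those it does not (the latter deserve a second look)."""
    seen = {int(ip.split(".")[0]) for ip in ips}
    missing = set(range(256)) - seen
    return sorted(missing & BLOCKED_A), sorted(missing - BLOCKED_A)

# Constructed sample: a handful of destination addresses, not real capture data.
SAMPLE = ["8.8.8.8", "64.12.1.5", "65.0.0.1", "128.10.10.10", "129.1.1.1",
          "192.168.1.10", "193.5.5.5", "255.255.255.255"]

if __name__ == "__main__":
    for ip, line in polylines(SAMPLE).items():
        print(f"{ip:>16} {line['colour']:>6} blocked={is_blocked(ip)}")
    explained, unexplained = first_octet_gaps(SAMPLE)
    print(len(explained), "gaps explained by blocklist,", len(unexplained), "not")
```

On a full hour of traffic from an infected host, the second list returned by first_octet_gaps should be close to empty; on the tiny sample it is long simply because few addresses were given.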
