Security Bytes:

Conficker

Sep 23 2009 1:28PM GMT

Conficker analysis finds P2P coding limited, less sophisticated



Posted by: Robert Westervelt
Conficker, P2P

New analysis of Conficker finds peer-to-peer coding less sophisticated and not likely coded by the same developers who coded the other major components of Conficker.

Researchers at SRI International have conducted additional research on Conficker C and determined that a peer-to-peer (P2P) module was not likely coded by the original programmers of the worm.

From the latest SRI research:

The P2P module provides a limited peer command set, keeping complexity to a minimum - perhaps due to scheduling pressures and quality control concerns in deploying new functionality across millions of geographically dispersed victim machines.

The report is very technical. Researchers reverse engineered the P2P protocol and provided the results of their findings. My takeaway is that the P2P protocol, though unsophisticated, has been an important part of how Conficker has been able to continue to infect and how those behind the worm have been able to bypass security filters to send out orders. SRI said the P2P coding conducts scan-based peer discovery across the Internet, looking for previous versions of Conficker to upgrade to the latest and greatest version.

The fact that security experts haven’t been able to stop the spread of orders via Conficker’s P2P algorithm enables Conficker to remain a threat, the SRI researchers said.

Unfortunately, unlike the binary delivery distributions over the DGA rendezvous points that were achieved by the Conficker Working Group [2], whitehats currently employ no equivalent capability to hinder binary distributions through Conficker’s peer network.

Apr 16 2009 10:07PM GMT

Proof the Conficker worm not a major threat



Posted by: Robert Westervelt
Conficker, botnets

Kaspersky Lab researchers found a small number of unique IP addresses on the peer-to-peer network, suggesting the worm isn’t as large as previously thought.

It seems that Conficker/Downadup isn’t all that it was cracked up to be. Dennis Fisher of Kaspersky Lab’s Threatpost.com confirms what some have been suspecting all along: The Conficker botnet is much smaller than security researchers originally believed. An analysis by Kaspersky Lab researchers found “200,652 unique IP addresses on the P2P network, which comprises machines that are infected with the latest variant of Conficker,” according to Fisher’s post.

In a blog post, Kaspersky Lab virus analyst Georg Wicherski wrote that “only a fraction of the nodes infected with earlier variants have been updated with new variants.” Wicherski used a custom application to monitor the network. He noted in his post that Brazil and Chile stand out as having the largest numbers of P2P nodes.
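As an added illustration (not code from the Kaspersky post or from this blog), here is how a defender might turn a P2P monitor's sightings into the figures Wicherski reported: a unique-IP count, the fraction of earlier-variant nodes later seen upgraded, and a per-country ranking. The log format, the variant labels and the addresses are constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed sample sightings from a hypothetical P2P monitor (not real data):
# "timestamp ip variant country". Variant "B" stands in for an earlier variant,
# "C" for the latest one being pushed over the peer network.
SAMPLE_SIGHTINGS = """\
2009-04-10T01:00:00Z 203.0.113.10 B BR
2009-04-10T01:05:00Z 203.0.113.10 C BR
2009-04-10T01:07:00Z 198.51.100.7 B CL
2009-04-10T02:00:00Z 203.0.113.11 C BR
2009-04-10T02:30:00Z 192.0.2.44 B US
2009-04-11T03:00:00Z 198.51.100.7 B CL
2009-04-11T04:00:00Z 192.0.2.45 C US
2009-04-11T05:00:00Z 203.0.113.12 C BR
"""

def parse_sightings(text):
    """Return a list of (timestamp, ip, variant, country) tuples."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, variant, country = line.split()
        rows.append((ts, ip, variant, country))
    return rows

def summarize(rows, earlier="B", latest="C"):
    """Size and upgrade estimates keyed on unique IPs.

    Caveat: a unique IP is only a proxy for an infected host. NAT hides many
    hosts behind one address (undercount) and DHCP churn shows one host under
    several addresses (overcount), so treat these figures as bounds, not a census.
    """
    current = {}                      # ip -> (variant, country) at its latest sighting
    variants_seen = defaultdict(set)  # ip -> every variant ever observed on it
    for ts, ip, variant, country in sorted(rows):   # ISO timestamps sort as text
        current[ip] = (variant, country)
        variants_seen[ip].add(variant)
    ever_earlier = [ip for ip, v in variants_seen.items() if earlier in v]
    upgraded = [ip for ip in ever_earlier if latest in variants_seen[ip]]
    return {
        "unique_ips": len(current),
        "latest_nodes": sum(1 for v, _ in current.values() if v == latest),
        "stale_nodes": sum(1 for v, _ in current.values() if v == earlier),
        "upgrade_fraction": len(upgraded) / len(ever_earlier) if ever_earlier else 0.0,
        "by_country": Counter(c for _, c in current.values()).most_common(),
    }

if __name__ == "__main__":
    print(summarize(parse_sightings(SAMPLE_SIGHTINGS)))
```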

Back in January I wrote about my access to TippingPoint’s ThreatLinQ service. ThreatLinQ can be accessed by TippingPoint IPS customers. The ThreatLinQ data I saw suggested to me the threat wasn’t a major one. ThreatLinQ is essentially a portal that shows global threat data caught in TippingPoint’s DVLabs’ IPS filters. It can rank threats on a global scale and by country. It also shows how other TippingPoint customers are using their IPS and what is being blocked by default.

The period in which I had a view of the global Conficker data was Jan. 26/27. This was a time when most security researchers said Conficker infections had peaked and some, including researchers at F-Secure, noted the botnet could be as large as 10 million machines.

At the time, the TippingPoint IPS honeypots ranked attempts to attack the Microsoft RPC vulnerability at No. 5 of all threats globally. It wasn’t even close. Attempted attacks were in the hundreds of thousands, versus the MS-SQL: Slammer-Sapphire Worm, which was picked up globally more than 32 million times in TippingPoint’s honeypots.

I noted that Brazil, Chile and some countries in Asia and Eastern Europe seemed to have the most Conficker infections. These were countries where software piracy is rampant and machines are not likely to get the MS08-067 RPC patch.

Conficker may have been a worm that fascinated researchers because it spread so quickly, but once the spotlight was shined on it, it sputtered out. Why? The Conficker Working Group appeared to have a good handle on this one and perhaps their efforts to disrupt the worm from receiving its orders worked. Researchers told me the P2P method of receiving its orders is just too slow for Conficker to be a major threat.