Detecting Conficker Infections
Conficker infections can be detected at a network level by its attempts to infect systems over port 445/tcp or by its attempts to contact command and control domains.
Detecting traffic on 445/tcp
We recommend that port 445/tcp, along with the other Windows LAN Service Ports are blocked both inbound and outbound at your network border. These ports will be used between your Windows Clients and Servers but rarely, if ever, used over the Internet. Most traffic on JANET using this port arises from malware or misconfiguration. Once you have blocked the traffic with an Access Control List, you can log and monitor hosts sending traffic that hits this ACL. You may also wish to do the same internally on your network, partitioning traffic from a public wifi network from the rest of your infrastructure for example.
You can also detect undesirable traffic on this port by placing a network sniffer at an appropriate place on your network, perhaps on a switch port that mirrors traffic to your firewall. It is important that you set your software to filter the interesting traffic at the time of capture, or you could end up with large files that need further processing.
Monitoring netflow records for traffic on 445/tcp is also a possibility, depending on the routers from which you are exporting your netflow. You may also have an Intrusion Detection System that can detect a system sending out probes on 445/tcp.
Detecting command and control traffic
Conficker attempts to contact a website at a particular domain to download further instructions. The domain changes thousands of times a day, and it is largely impractical to try to keep up with them. Several of the domains see entirely legitimate traffic, causing false positives. Thanks to the efforts of the Conficker Working Group, the domains are being preregistered and traffic redirected to honeypot systems. This makes the traffic much easier to spot. All web traffic to them is related to infections of Conficker or similar malware.
We have a list of known sinkhole IP addresses and monitor for traffic on port 80/tcp to them using our netflow system. It’s also possible to monitor access to these hosts using router ACLs and logging, network sniffing or custom IDS rules.
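As an added illustration (not part of the original advisory), the following Python script applies both checks described above to a constructed CSV export of flow records: it flags internal hosts that reach port 445/tcp on several external addresses, and any host with port-80 traffic to a sinkhole address. The record format, the internal address ranges and the sinkhole address (a TEST-NET placeholder, not a real sinkhole) are assumptions.

```python
import ipaddress
from collections import defaultdict

# Placeholder sinkhole address (TEST-NET-1); the real list is obtained from JANET CSIRT.
SINKHOLE_IPS = {"192.0.2.10"}
# Address ranges treated as "inside" the site; adjust to your own allocation.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_flow(line):
    # Assumed CSV export: src,sport,dst,dport,proto (one flow per line)
    src, sport, dst, dport, proto = line.strip().split(",")
    return src, int(sport), dst, int(dport), proto.lower()

def analyse(lines, scan_threshold=5):
    """Return ({scanner: number of distinct 445/tcp targets}, {host: [sinkholes contacted]})."""
    smb_targets = defaultdict(set)
    sinkhole_hits = defaultdict(set)
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        src, _sport, dst, dport, proto = parse_flow(line)
        if proto != "tcp":
            continue
        # Outbound SMB: an internal host reaching port 445 on an external address.
        if dport == 445 and is_internal(src) and not is_internal(dst):
            smb_targets[src].add(dst)
        # Web traffic to a known sinkhole: every such flow warrants follow-up.
        if dport == 80 and dst in SINKHOLE_IPS:
            sinkhole_hits[src].add(dst)
    scanners = {h: len(t) for h, t in smb_targets.items() if len(t) >= scan_threshold}
    return scanners, {h: sorted(d) for h, d in sinkhole_hits.items()}
# Constructed flow records: 10.1.2.3 probes five external hosts on 445 and then
# talks to the placeholder sinkhole; 10.1.2.4's SMB traffic stays inside the site.
SAMPLE_FLOWS = """# src,sport,dst,dport,proto
10.1.2.3,49152,203.0.113.1,445,tcp
10.1.2.3,49153,203.0.113.2,445,tcp
10.1.2.3,49154,203.0.113.3,445,tcp
10.1.2.3,49155,203.0.113.4,445,tcp
10.1.2.3,49156,203.0.113.5,445,tcp
10.1.2.3,49158,192.0.2.10,80,tcp
10.1.2.4,49200,10.1.2.5,445,tcp
10.1.2.9,49300,198.51.100.5,80,tcp
"""
def run_example():
    return analyse(SAMPLE_FLOWS.splitlines())
```

Hosts returned in the first dictionary are candidates for cleaning; hosts in the second should be treated as infected and isolated rather than merely blocked, in line with the advice below.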
It is important that you do not block access to the sinkhole IP addresses without carefully considering the consequences. If you block access to these IP addresses you must be monitoring and reacting appropriately as the block does nothing to stop the operations of Conficker. Should the botnet be activated, the command and control traffic will be directed elsewhere, bypassing any blocks. With addresses unblocked, we can at least continue to monitor for infections on your behalf.
Please contact us for further details and instruction on how to monitor for access to these addresses.