As part of our ongoing research surrounding everyone's favorite new worm, Conficker, several members of the VRT recently joined the Conficker Working Group, a group of security professionals from a wide range of networking and security-related companies. You may have heard of them as the guys who came up with the Conficker Eye Chart that hit Slashdot yesterday.
Yesterday afternoon, CWG member Phil Porras of SRI International informed members of the group about a Snort preprocessor he'd written to detect the P2P traffic being used by Conficker.C to securely distribute updates and the like (his analysis is here). After discussing it with him briefly, I decided to port his preprocessor to an SO rule, figuring that a lot more people would be willing and/or able to load an SO rule for this than install a custom preprocessor.
That conversion is now complete. Based on tests run with PCAPs obtained from the CWG, the two SO rules (one for TCP and another for UDP; download link at the end of this post) appear to be extremely effective: for a single PCAP that spans just under 25 hours, 47,450 alerts are generated by the UDP rule, and another 37,541 are generated by the TCP rule.
Since no IDS analyst wants to be flooded with that many alerts, some sort of thresholding is clearly necessary. The good news is that thresholding applies to SO rules via threshold.conf exactly as it does to any other rule; the only difference is that SO rules live under gen_id 3 rather than gen_id 1. In my testing, "threshold gen_id 3, sig_id 999999, type both, track by_src, count 10, seconds 300;" brought the total down to a much more manageable 296 alerts across the two rules, roughly one every five minutes over the 25-hour capture. "type both" fires once per source address per 300-second window, as soon as that source has produced 10 matches, and then suppresses the rest of that window. Anyone using these rules should raise the "seconds" value if they want fewer alerts, add a threshold line for each SID they assign the rules in their environment, and keep "count" low: a host that produces fewer than "count" matches in a window never alerts at all under "type both".
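To make the interaction between "type", "count" and "seconds" concrete, here is a small Python model of threshold.conf behaviour. It is an added example written for this post, not code from the VRT, from Snort, or from Mr. Porras' preprocessor. The traffic it runs over is constructed (two hypothetical hosts, 10.0.0.5 and 10.0.0.9, and the placeholder SID 999999), and its window-reset behaviour is a simplification of what Snort actually does, so use it to reason about tuning rather than to predict exact alert counts.

```python
"""Simplified model of Snort threshold.conf semantics, used to see how the
"count" and "seconds" knobs change alert volume for a chatty P2P rule.

Equivalent threshold.conf line for the default case modelled below (gen_id 3
is the generator ID shared by all SO rules; 999999 is a placeholder SID):

    threshold gen_id 3, sig_id 999999, type both, track by_src, count 10, seconds 300

Assumption (simplification of Snort's implementation): a tracking window opens
at the first matching event for a key and is replaced by a new one once
"seconds" have elapsed since it opened.
"""


def apply_threshold(events, type_, count, seconds, track="by_src"):
    """Return the subset of events that would still alert after thresholding.

    events: iterable of (timestamp_seconds, src_ip, dst_ip), sorted by time.
    type_:  "limit"     - alert on the first `count` events per window, then suppress
            "threshold" - alert on every `count`-th event within a window
            "both"      - alert once per window, when the `count`-th event arrives
    """
    if type_ not in ("limit", "threshold", "both"):
        raise ValueError("unknown threshold type: %r" % type_)
    state = {}   # tracking key -> (window_start, events_seen_in_window)
    alerts = []
    for ts, src, dst in events:
        key = src if track == "by_src" else dst
        start, seen = state.get(key, (None, 0))
        if start is None or ts - start >= seconds:
            start, seen = ts, 0   # open a fresh window on this event
        seen += 1
        state[key] = (start, seen)
        if type_ == "limit":
            fire = seen <= count
        elif type_ == "threshold":
            fire = seen % count == 0
        else:  # both
            fire = seen == count
        if fire:
            alerts.append((ts, src, dst))
    return alerts


def sample_events():
    """Constructed sample traffic, not a real capture: one infected host that
    matches the rule every 2 seconds for an hour (1800 matches), and one
    low-rate host that matches only five times in that hour."""
    events = [(t, "10.0.0.5", "198.51.100.7") for t in range(0, 3600, 2)]
    events += [(t, "10.0.0.9", "203.0.113.4") for t in (100, 700, 1300, 1900, 2500)]
    events.sort()
    return events


def alert_count(type_, count, seconds, track="by_src"):
    """Number of alerts the sample traffic yields under the given threshold."""
    return len(apply_threshold(sample_events(), type_, count, seconds, track))


def alerting_sources(type_, count, seconds, track="by_src"):
    """Which source hosts still show up in the alert stream after thresholding."""
    hits = apply_threshold(sample_events(), type_, count, seconds, track)
    return sorted({src for _, src, _ in hits})


if __name__ == "__main__":
    print("raw matches:", len(sample_events()))
    for label, args in [
        ("both, count 10, seconds 300", ("both", 10, 300)),
        ("both, count 10, seconds 3600", ("both", 10, 3600)),
        ("limit, count 1, seconds 300", ("limit", 1, 300)),
    ]:
        print("%-30s alerts=%4d from %s" % (label, alert_count(*args), alerting_sources(*args)))
```

Running it shows the post's settings cutting the chatty host from 1800 matches to 12 alerts (one per 300-second window) and raising "seconds" to 3600 cutting that to a single alert. It also shows the caveat worth remembering: with "type both" and "count 10", the low-rate host never appears in the alert stream at all, whereas "type limit, count 1" reports both hosts at the same one-per-window rate.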
We're releasing these SO rules under the GPLv2 with Mr. Porras' consent, as an additional tool that can be used to investigate Conficker infections in the wild. That said, there are three things that anyone deploying this rule should keep in mind:
- The existing VRT Certified Rules for MS08-067 are still valid for detecting attempts to infect a machine with Conficker, and should still be enabled to prevent hosts from being compromised.
- These SO rules are considered experimental, and have not been run through the VRT test suite or in a production environment. There may be a performance impact when running them, and it is possible that false positives will be generated.
- They are primarily useful for researchers, or as an additional layer of information for people who are already using other tools to detect and eradicate Conficker infections.
The SO rules can be downloaded from http://www.snort.org/vrt/tools/conficker-so-rules.tar.gz.