Description

• Probable Name: Conficker
• MD5: d60e538e721c30a0ea946404330f324a
• SHA1: 9dd06ad207cddfee4a2b0be80c155b3d5580b20c

• SHA256: 9be0ca5c97f46b42e52e23a47a9a3d0bf6e12c697ad2f1947b0810566ae5e7bc

• VirusTotal
• HybridAnalysis

• RobotHash

This capture was used as 'botnet1' for the IGI book chapter research.

http://www.threatexpert.com/report.aspx?md5=d60e538e721c30a0ea946404330f324a

Timeline

Mon Sept 7 22:36:12 ART 2009

Experiment 1

Description: Infected the vm. Pcap file: 192.168.3.104-unvirus.pcap tcpdump: tcpdump -n -s0 -i wlan0 -w 192.168.3.104-unvirus.pcap host 192.168.3.104 -v Started: Mon Sep 7 22:29:48 2009
Finished: Tue Sep 8 09:42:17 2009

Results: It was successfully infected. It started to scan for other hosts in the LAN. Usually the CC was down, but for some reason this time the CC answered.

Traffic Analysis

• Resolve s.unicat.org to 66.252.13.214
• It connects to the port 2081 of that server, it is an IRC server. 1st conection at "Sep 7, 2009 22:34:00.590407000" -> NICK F-tzuqboi <- adv.start asn 100 5 0 -r -s <- oP 1252308071
• There it starts to scan all the /16 net
  • Several 10-hosts scans, 20 packets at time
  • Every 10-hosts scan is done at the same second (2 SYN packets per host. It sends two packets because i think that the hosts has 2 net cards, one with MAC IntelCor_45:96:ab (00:1f:3c:45:96:ab) and the other with MAC CadmusCo_34:70:79 (08:00:27:34:70:79))
  • Each scan is separated by some seconds
    • 1 and 2 : ~12 seconds
    • 2 and 3 : ~3 seconds
    • 3 and 4 : ~6 seconds
    • 4 and 5 : ~7 seconds
    • 5 and 6 : ~3 seconds
    • 6 and 7 : ~13 seconds
    • 7 and 8 : ~3 seconds (
    • 8 and 9 : ~6 seconds
    • 9 and 10 : ~12 seconds
    • 10 and 11 : ~3 seconds
    • 11 and 12 : ~6 seconds
    • 12 and 13 : ~12 seconds
    • 13 and 14 : ~3 seconds
    • 14 and 16 : ~6 seconds
    • 16 and 17 : ~12 seconds
    • 17 and 18 : ~3 seconds
    • 18 and 19 : ~6 seconds
    • 19 and 20 : ~12 seconds
    • more...
• connects again to the IRC every time the connection is down. 2nd connection at "Sept 7, 2009 22:35:06.120299000" -> NICK F-lgieurx <- .adv.start asn 100 5 0 -r -s <- oP 1252308071
• Connects again, 3rd connection at "Sept 7, 2009 22:49:50.896774000" -> NICK F-pfpmdhig <- .adv.start asn 100 5 0 -r -s <- oP 1252308071
• Keeps scanning
• Connects again at "Sept 7, 2009 22:50:24.182221000". This one is long! -> NICK F-pxkxleum <- .adv.start asn 100 5 0 -r -s <- oP 1252308071
• Connects again, 5ta and last connection at "Sept 8, 2009 05:33:24.303573000". This one is long "Sept 8, 2009 09:40:54.469879000" -> NICK F-insxirlw <- .adv.start asn 100 5 0 -r -s <- oP 1252308071