Network Detection of Conficker-infected machines

Please note that these signatures may be prone to false positives. Depending on your environment, using them may also increase the load on your sensors. As we become aware of changes to these signatures we will update them and add new ones to this page.

Conficker.A/B HTTP GET check-in signatures (by Kevin Ross)

alert tcp $HOME_NET any -> 67.15.94.80 $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Downadup/Conficker-A Worm Activity"; flow:to_server,established; uricontent:"/GeoIP.dat.gz"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A; reference:url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2008802; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker; sid:2008802; rev:3;)

alert tcp $HOME_NET any -> [75.126.138.202,72.249.118.38,208.78.69.70,204.13.249.70,208.78.68.70] $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Downadup/Conficker-A Infection Checking Geographical Location"; flow:to_server; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A; reference:url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml; threshold:type both, count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2008803; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker; sid:2008803; rev:3;)

Conficker.A/B HTTP GET check-in signatures (by RPG and Jack Pepper - Emerging Threats)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Downadup/Conficker A or B Worm reporting"; flow:to_server,established; uricontent:"/search?q="; pcre:"/\/search\?q\=[0-9]{1,3}\s+/mi"; classtype:trojan-activity; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009024; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker; sid:2009024; rev:6;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Downadup/Conficker A Worm reporting"; flow:to_server,established; uricontent:"/search?q="; uricontent:"&aq="; pcre:"/\/search\?q\=\d+&aq=\d/mi"; classtype:trojan-activity; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009114; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker; sid:2009114; rev:1;)
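To see what the two reporting signatures actually accept, here is an added example (not from the original page and not Emerging Threats' code) that re-implements their uricontent and pcre checks in Python and runs them over constructed HTTP request lines. The request lines and the hostname are made up for illustration; Snort's URI normalisation is approximated by taking the URI from the request line.

```python
import re

# Python equivalents of the pcre options in sids 2009024 and 2009114.
# Snort's /m and /i modifiers map to re.MULTILINE and re.IGNORECASE; without a
# /U modifier the expression runs over the whole request payload, so the
# trailing \s+ in 2009024 is the whitespace between the URI and "HTTP/1.x".
PCRE_2009024 = re.compile(r"/search\?q=[0-9]{1,3}\s+", re.MULTILINE | re.IGNORECASE)
PCRE_2009114 = re.compile(r"/search\?q=\d+&aq=\d", re.MULTILINE | re.IGNORECASE)


def request_uri(payload: bytes) -> str:
    """Return the URI from the first line of an HTTP request ("" if malformed).
    Stand-in for the normalised URI buffer that uricontent is matched against."""
    first_line = payload.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = first_line.split(" ")
    return parts[1] if len(parts) >= 2 else ""


def matching_sids(payload: bytes) -> list:
    """Return the sids of the two reporting signatures that fire on this request."""
    text = payload.decode("latin-1", "replace")
    uri = request_uri(payload)
    hits = []
    # sid 2009024: uricontent:"/search?q="; then the pcre over the payload
    if "/search?q=" in uri and PCRE_2009024.search(text):
        hits.append(2009024)
    # sid 2009114: both uricontent checks, then the stricter pcre
    if "/search?q=" in uri and "&aq=" in uri and PCRE_2009114.search(text):
        hits.append(2009114)
    return hits


# Constructed request samples (not captured traffic):
SAMPLES = {
    "count_only":   b"GET /search?q=42 HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "count_and_aq": b"GET /search?q=7&aq=3 HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "four_digits":  b"GET /search?q=1234 HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "human_search": b"GET /search?q=conficker+removal HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:14s} -> {matching_sids(req)}")
```

Because 2009024 requires one to three digits followed by whitespace, a q= value of four or more digits, or one followed by another parameter, does not fire it; the q=...&aq=... form is what 2009114 is for. A human search such as /search?q=conficker+removal matches neither.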

Sample Snort signatures for UDP P2P traffic (by Shirkdog - Emerging Threats)

alert udp $HOME_NET [!1720,!1722,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1)"; dsize:>19; byte_test:1, &, 1, 19; threshold: type both, track by_src, count 95, seconds 50; classtype:trojan-activity; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker; sid:666661; rev:3;)

alert udp $HOME_NET [!1720,!1722,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4)"; dsize:>19; byte_test:1, &, 4, 19; threshold: type both, track by_src, count 95, seconds 40; classtype:trojan-activity; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker; sid:666662; rev:3;)

alert udp $HOME_NET [!1720,!1722,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)"; dsize:>19; byte_test:1, &, 5, 19; threshold: type both, track by_src, count 95, seconds 40; classtype:trojan-activity; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker; sid:666663; rev:3;)

alert udp $HOME_NET [!1720,!1722,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16)"; dsize:>19; byte_test:1, &, 16, 19; threshold: type both, track by_src, count 95, seconds 40; classtype:trojan-activity; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker; sid:666664; rev:3;)

Snort signatures for Conficker.A/B shellcode (Felix Leder & Tillmann Werner - Honeynet Project)

alert tcp any any -> $HOME_NET 445 (msg: "conficker.a shellcode"; content: "|e8 ff ff ff ff c1|^|8d|N|10 80|1|c4|Af|81|9EPu|f5 ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|IrX|c4 c4 c4|,|ed c4 c4 c4 94|&<O8|92|\;|d3|WG|02 c3|,|dc c4 c4 c4 f7 16 96 96|O|08 a2 03 c5 bc ea 95|\;|b3 c0 96 96 95 92 96|\;|f3|\;|24|i| 95 92|QO|8f f8|O|88 cf bc c7 0f f7|2I|d0|w|c7 95 e4|O|d6 c7 17 f7 04 05 04 c3 f6 c6 86|D|fe c4 b1|1|ff 01 b0 c2 82 ff b5 dc b6 1b|O|95 e0 c7 17 cb|s|d0 b6|O|85 d8 c7 07|O|c0|T|c7 07 9a 9d 07 a4|fN|b2 e2|Dh|0c b1 b6 a8 a9 ab aa c4|]|e7 99 1d ac b0 b0 b4 fe eb eb|"; sid: 2000001; rev: 1;)

alert tcp any any -> $HOME_NET 445 (msg: "conficker.b shellcode"; content: "|e8 ff ff ff ff c2|_|8d|O|10 80|1|c4|Af|81|9MSu|f5|8|ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|Ise|c4 c4 c4|,|ed c4 c4 c4 94|&<O8|92|\;|d3|WG|02 c3|,|dc c4 c4 c4 f7 16 96 96|O|08 a2 03 c5 bc ea 95|\;|b3 c0 96 96 95 92 96|\;|f3|\;|24 |i|95 92|QO|8f f8|O|88 cf bc c7 0f f7|2I|d0|w|c7 95 e4|O|d6 c7 17 cb c4 04 cb|{|04 05 04 c3 f6 c6 86|D|fe c4 b1|1|ff 01 b0 c2 82 ff b5 dc b6 1f|O|95 e0 c7 17 cb|s|d0 b6|O|85 d8 c7 07|O|c0|T|c7 07 9a 9d 07 a4|fN|b2 e2|Dh|0c b1 b6 a8 a9 ab aa c4|]|e7 99 1d ac b0 b0 b4 fe eb eb|"; sid: 2000002; rev: 1;)
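Snort content matches mix literal ASCII with |hex| sections, which makes long byte strings like the two above hard to read or to compare. The added example below (mine, not the Honeynet Project's code) decodes that syntax to raw bytes, searches a constructed payload for the match, and lists the offsets at which the .A and .B strings differ. Only the opening bytes of each content string are embedded here; the full strings are the ones in the rules above.

```python
def snort_content_to_bytes(content: str) -> bytes:
    """Decode the argument of a Snort content:"..." option into raw bytes.
    Text between pipes is hex (whitespace inside the pipes is ignored); a
    backslash escapes the characters Snort cannot take literally (; " \\ | :);
    everything else is a literal ASCII byte."""
    out = bytearray()
    i = 0
    while i < len(content):
        c = content[i]
        if c == "|":
            end = content.index("|", i + 1)   # ValueError on an unclosed pipe
            out.extend(bytes.fromhex(content[i + 1:end]))
            i = end + 1
        elif c == "\\":
            out.append(ord(content[i + 1]))
            i += 2
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)


# Opening bytes of the two content matches above, copied from the rules.
CONFICKER_A_PREFIX = "|e8 ff ff ff ff c1|^|8d|N|10 80|1|c4|Af|81|9EPu|f5|"
CONFICKER_B_PREFIX = "|e8 ff ff ff ff c2|_|8d|O|10 80|1|c4|Af|81|9MSu|f5|"


def content_offset(payload: bytes, content: str) -> int:
    """Offset at which the content would match in `payload`, or -1."""
    return payload.find(snort_content_to_bytes(content))


def differing_offsets(a: bytes, b: bytes) -> list:
    """Offsets at which two byte strings of equal length differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    a = snort_content_to_bytes(CONFICKER_A_PREFIX)
    b = snort_content_to_bytes(CONFICKER_B_PREFIX)
    print(a.hex())
    print(differing_offsets(a, b))
    # constructed payload: 40 bytes of padding, the .A prefix, some filler
    sample = bytes(40) + a + b"\x90" * 8
    print(content_offset(sample, CONFICKER_A_PREFIX),
          content_offset(sample, CONFICKER_B_PREFIX))
```

The two prefixes decode to 21 bytes that differ only at offsets 5, 6, 8, 17 and 18: a register encoding and the two-byte word the decoder loop compares against ("EP" in .A, "MS" in .B); the xor with 0xc4 at offset 12 is the same in both. The full content strings diverge in several more places further along, which is why the rules carry the whole sequence rather than just this stub. Note also that a content match this long only fires if the bytes arrive contiguously in the reassembled stream, so the SMB session on port 445 must be reassembled by the sensor.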