Conficker Prowls Again, this Time through P2P
April 14th, 2009 | Published in All Articles, Malware Viruses, News Articles
Mumbai – April 14, 2009 17:24 hrs IST
April 1 came and went with no signs of the havoc Conficker was expected to cause. However, the worm is now showing signs of activity again, and security experts have given a new date to watch: May 3.
In early April, Conficker began using peer-to-peer (P2P) communication channels to hunt for updates, rather than the HTTP rendezvous domains it was expected to use. In this scheme an infected host is first contacted by another infected host over an ad-hoc P2P connection. Then, after a period of several hours, the communication resumes, this time initiated by the host that was first contacted.
According to McAfee, the exchange is carried out so that this traffic (and the update it carries) may go unseen, or at least largely under the radar, by using fragmented and irregularly timed UDP communication rather than a single recognisable download.
So what happens next? When the P2P exchange ends, the host is in effect told to go to a domain and download a file. The infected host connects to that address and retrieves an encrypted executable. Once decrypted and run, it may carry malware such as the ever-changing FakeAlert or even Waledac. Also downloaded as part of the payload is, once again, an in-memory ("hot") patch for the MS08-067 hole the worm spreads through, which keeps other malware from reinfecting the host by the same route. This time, however, the patch is closer to Microsoft's original fix, so as to elude tools that detect an infection by fingerprinting the earlier, cruder hot patch.
The Conficker worm has given CISOs and information security consultants headaches because of its evolving nature. McAfee says this latest variant is expected to expire on May 3, when the worm will receive a new update. The worm has also become more efficient: when an infected host resolves an HTTP rendezvous domain name, it compares the resolved IP address with the list of addresses it has already queried, and if the address is already on that list it skips the domain and moves on to the next name in its list. A practical consequence is that a block of rendezvous domains sinkholed to a single IP address costs the worm only one contact per host, so a sinkhole sees one hit per infected machine rather than one per domain.
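To make the effect of that address check concrete, the following simulation (added here as an illustration; it is not Conficker's code or anything published by McAfee) walks a list of rendezvous domains with and without the duplicate-IP check. The domain names, the resolver table and the "sinkhole" address are constructed for the example, and several of the names deliberately resolve to the same address, as they would if one operator had registered many of the worm's daily domains.

```python
"""Simulated rendezvous-domain walk, before and after Conficker's
duplicate-IP check. Added example; domains and addresses are made up."""

from typing import Callable, Iterable, Optional

# Constructed resolver table (hypothetical names and documentation-range
# addresses). 198.51.100.7 plays the part of a sinkhole that has been
# assigned to several of the worm's rendezvous domains.
SAMPLE_DNS = {
    "qwvhz.example.net": "198.51.100.7",
    "abcde.example.org": "203.0.113.44",
    "ijklm.example.net": "198.51.100.7",
    "nopqr.example.com": "198.51.100.7",
    "stuvw.example.org": "192.0.2.19",
    "xyzab.example.com": "203.0.113.44",
}

# The worm's daily list, including one name nobody has registered.
RENDEZVOUS_DOMAINS = [
    "qwvhz.example.net",
    "abcde.example.org",
    "unregistered.example.net",
    "ijklm.example.net",
    "nopqr.example.com",
    "stuvw.example.org",
    "xyzab.example.com",
]

SINKHOLE_IP = "198.51.100.7"

Resolver = Callable[[str], Optional[str]]


def sample_resolver(name: str) -> Optional[str]:
    """Offline stand-in for a DNS lookup; None means NXDOMAIN."""
    return SAMPLE_DNS.get(name)


def naive_walk(domains: Iterable[str], resolve: Resolver):
    """Earlier behaviour: contact every domain that resolves."""
    contacted = []
    for name in domains:
        ip = resolve(name)
        if ip is None:
            continue  # unregistered name, nothing to contact
        contacted.append((name, ip))
    return contacted


def dedup_walk(domains: Iterable[str], resolve: Resolver):
    """Behaviour described in the article: if the resolved address is
    already on the list of addresses queried, skip this domain and move
    on to the next one. Returns (contacted, skipped)."""
    seen_ips = set()
    contacted, skipped = [], []
    for name in domains:
        ip = resolve(name)
        if ip is None:
            continue
        if ip in seen_ips:
            skipped.append((name, ip))
            continue
        seen_ips.add(ip)
        contacted.append((name, ip))
    return contacted, skipped


def sinkhole_hits(contacts, sinkhole_ip: str) -> int:
    """How many contacts a sinkhole at sinkhole_ip would log for one host."""
    return sum(1 for _, ip in contacts if ip == sinkhole_ip)


if __name__ == "__main__":
    before = naive_walk(RENDEZVOUS_DOMAINS, sample_resolver)
    after, skipped = dedup_walk(RENDEZVOUS_DOMAINS, sample_resolver)
    print("without check:", len(before), "contacts,",
          sinkhole_hits(before, SINKHOLE_IP), "sinkhole hits")
    print("with check:   ", len(after), "contacts,",
          sinkhole_hits(after, SINKHOLE_IP), "sinkhole hit(s);",
          len(skipped), "domains skipped")
```

Run against the constructed table, the naive walk touches the sinkhole three times while the deduplicating walk touches it once and skips the other two names outright. For anyone sizing an infection from sinkhole logs, that is the caveat: with this variant, hit counts approximate infected hosts, not domain lookups, and registering more of the daily domains at the same address no longer buys more visibility.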