All Conficker C hosts perform outbound P2P scanning in search of other C-infected peers. Each C-infected host opens four network ports in listen mode: two TCP and two UDP. These four listen ports are derived from a function of the host's own IP address and the current epoch week. To illustrate the algorithm used to compute C's P2P client listen ports, we include an example implementation in C source code, which we reverse-engineered from a Conficker C binary captured on 5 March 2009.
Conficker_C_P2P_Scanner scans the low-through-high address range for IP addresses that have open TCP listeners on their associated Conficker C P2P listen ports. An alarm is raised each time a host is found to be listening on its P2P listen port.
Platform

Linux/UNIX
Language

English
Download Link