Being able to deal with recent vulnerabilities was a goal for dionaea.
As I received nothing that looked like Conficker scans, I had to install Conficker on a VM and adjust things to make sure dionaea deals with it.
Once dionaea was able to deal with Conficker, I deployed it, and waited for Conficker …
Last week I got impatient, as there was nothing even looking like Conficker at all …
I asked Tillmann and Felix if something was wrong with Conficker's scanning; they had a look, and we came to the conclusion that the IP generation for Conficker's random scanning was flawed.
Basically, Windows rand() provides 15 bits of random numbers, and Conficker uses two rand() calls to create a 32-bit IP address, so there are two unusable bits.
I'm not sure why we did not finish this, but at least I did not take it as a real problem.
Two days ago, I asked somebody about his experiences; I had pushed him to deploy and test dionaea, and wanted to get some feedback.
He received about 28 MByte of unique files within a week, and claimed to have captured Conficker samples using dionaea …
I did not get Conficker scans yet …
Yesterday, while I was complaining about Conficker avoiding me, somebody said “I just get Conficker attacks on my honeytrap sensor”, and as he lent me some IPs for dionaea testing, which are very close to the IPs of his own honeytrap honeypot, I expected to receive the first real-world Conficker scans myself.
I was excited … staring at the screen for about 15 minutes … nothing happened.
Other exploitations came in, but no Conficker.
Coming back to our discussion about Conficker's scanning bugs, Tillmann linked some slides from DEF CON, "Making Fun of Malware". Page 19 onwards is dedicated to Conficker:
What’s the big deal? ... 5. Excludes any IP with a 1 in the upper bit of octets 2 and 4
Basically every IP address matching:
*.128.*.* to *.255.*.*
or
*.*.*.128 to *.*.*.255
is not scanned by Conficker; if you happen to live in such a range, you'll never see Conficker scans yourself.
For me, my dial-in IP address matches *.203.*.*, so I'll never see any Conficker scans there. The lent IPs match the second exception: the person who saw the attacks was using addresses with the fourth byte < 128, while I got the addresses with the fourth byte >= 128.
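To check whether a sensor address can ever show up in Conficker's scan, and to show where the two dead bits come from, here is an added Python example (not dionaea's or Conficker's code). It assumes the MSVCRT rand() LCG constants and a little-endian layout of the two 15-bit halves; the post itself only states the two-calls-per-address construction and the resulting octet 2/4 rule.

```python
import ipaddress

RAND_MAX = 0x7FFF  # Windows CRT rand() returns 15 bits: 0..32767


class MsvcRand:
    """Model of the MSVCRT rand() LCG: seed = seed*214013 + 2531011,
    output = bits 16..30 of the seed, so each result fits in 15 bits."""

    def __init__(self, seed: int = 1):
        self.seed = seed & 0xFFFFFFFF

    def rand(self) -> int:
        self.seed = (self.seed * 214013 + 2531011) & 0xFFFFFFFF
        return (self.seed >> 16) & RAND_MAX


def addr_from_rand_pair(r1: int, r2: int) -> str:
    """Join two 15-bit rand() values into a dotted quad.
    Assumed layout (not stated in the post): each value fills one 16-bit
    half of a little-endian 32-bit word whose bytes are the octets. Bit 15
    of each half is always 0, so octets 2 and 4 never exceed 127."""
    if not (0 <= r1 <= RAND_MAX and 0 <= r2 <= RAND_MAX):
        raise ValueError("rand() values must be 15-bit")
    word = r1 | (r2 << 16)
    return ".".join(str(b) for b in word.to_bytes(4, "little"))


def never_scanned(ip: str) -> bool:
    """True if the flawed generator can never produce this address,
    i.e. the top bit of octet 2 or octet 4 is set (rule 5 on the slides)."""
    o = ipaddress.IPv4Address(ip).packed
    return bool(o[1] & 0x80 or o[3] & 0x80)


def generated_addresses(n: int, seed: int = 1) -> list:
    """Draw n addresses from the modelled generator."""
    rng = MsvcRand(seed)
    return [addr_from_rand_pair(rng.rand(), rng.rand()) for _ in range(n)]


def excluded_fraction() -> float:
    """Share of IPv4 space the generator can never reach (expected 0.75)."""
    hits = sum(never_scanned(f"0.{b}.0.{d}") for b in range(256) for d in range(256))
    return hits / 65536


if __name__ == "__main__":
    for ip in ("192.203.0.10", "10.4.5.200", "10.4.5.12"):
        print(ip, "never scanned" if never_scanned(ip) else "reachable")
    sample = generated_addresses(100_000)
    print("generated addresses inside excluded ranges:", sum(map(never_scanned, sample)))
    print("excluded fraction of IPv4 space:", excluded_fraction())
```

Run it against your own sensor addresses before concluding that a quiet honeypot means a broken honeypot: three quarters of the address space falls in the excluded ranges.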