Beeing able to deal with recent vulnerabilities was a goal for dionaea.
As I received nothing which looked like conficker scans, I had to install conficker on a VM, and adjust things to make sure dionaea deals with it.
Once dionaea was able to deal with conficker, I deployed it, and waited for Conficker …
Last week I got impatient, as there was nothing even looking like conficker at all …
I asked Tillmann and Felix if something was wrong with Confickers scanning, they had a look, and we came to the point the ip generation for Conficker's random scanning was flawed.
Basically, Windows rand() provides 15 bits of random numbers, Conficker uses 2 rand() calls to create an ip address, so there are two non useable bits.
I'm not sure why we did not finish this, but at least I did not take it as a real problem.
Two days ago, I asked somebody about his experiences, I pushed him to deploy and test dionaea, and wanted to get some feedback.
He received about 28MByte unique files within a week, and claimed to have captured Conficker samples using dionaea …
I did not get Conficker scans yet …
Yesterday, while complaining about getting harassed from Conficker avoiding me, somebody said “I just get Conficker attacks on my honeytrap sensor”, and as he lended me some for-dionaea-testing-ips, which are very close to the ips for his own honeytrap honeypot, I expected to receive the first real world Conficker scans myself.
I was excited, … starring on the screen for about 15 minutes … nothing happend.
Other exploitations came in, but no Conficker.
Coming back to our discussion about Conficker's scanning bugs, Tillmann linked some slides from defcon "Making Fun of Malware".
Page 19++ is dedicated to Conficker,
What’s the big deal?
5. Excludes any IP with a 1 in the upper bit of octets 2 and 4
Basically every IP address matching:
*.128.*.* to *.255.*.*
*.*.*.128 - *.*.*.255
is not scanned by Conficker, if you happen to live in such a range, you'll never see Conficker yourself.
For me, my dialin ip address matches *.203.*.*, I'll never see any Conficker scans there.
The lended ips match the second exception, the person who saw the attacks was using addresses with the fourth byte < 128, I got the addresses with the fourth byte >= 128.
I failed interpreting our own findings on Confickers scanning bug
Dionaea can deal with Conficker
if you do not get any Conficker exploitations with dionaea, you may want to verify your ip address is not within the masked ranges.