Recap.

Conficker.C, also known as W32/Conficker.C.worm, WORM_DOWNAD.AD, W32.Downadup, and Net-Worm.Win32.Kido.cn.

It still uses MS08-067 to spread, just like the A and B variants, so the detection released on 2008-10-23 still generates events for this spreading mechanism.

Now for something completely different.

The interesting thing about Conficker.C is that it added new functionality, which includes:


  1. A new DNS algorithm
  2. A new P2P controlling system
  3. A new call-home date of April 1st

For a great summary of all of this, the guys over at SRI have updated their paper[0] on Conficker.

Finally, one of our current research projects is adding variant A, B and C DNS name matching to Snort. Unfortunately, making this work on multiple platforms and multiple compilers seems to be a major pain. If there is a gcc or icc developer who reads this blog, explaining how to force intermediate 53-bit floating point precision on both icc and gcc would be helpful. Unfortunately, the -msse2 compiler option doesn't do this on gcc and the icc -fp-model double doesn't work on all icc versions.
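The precision problem described above is the classic x87 issue: on 32-bit x86 the compiler keeps intermediate results in 80-bit extended-precision registers, so a computation double-rounds differently from a platform that works in 53-bit doubles from the start, and any name-matching code that has to reproduce another machine's floating point results bit for bit breaks. The following is an added example, not code from the original post or from Snort, showing one way to pin the x87 unit to a 53-bit significand at runtime on x86 with glibc by setting the precision-control bits of the FPU control word. The `fpu_control.h` macros (`_FPU_GETCW`, `_FPU_SETCW`, `_FPU_DOUBLE`, `_FPU_EXTENDED`) are glibc's; `set_x87_precision`, `x87_precision_demo` and the probe function are names chosen for this example. It assumes an x86 or x86-64 glibc system; elsewhere it compiles but reports that no x87 precision control is available.

```c
#include <stdio.h>

/* Added example, not from the original post or from Snort: on x86 with
 * glibc, force the x87 FPU to round every intermediate result to a 53-bit
 * significand by setting the precision-control (PC) bits of the control
 * word. The fpu_control.h macros are glibc's; the function names are ours. */
#if defined(__GLIBC__) && (defined(__i386__) || defined(__x86_64__))
#include <fpu_control.h>
#define HAVE_X87_PC 1

/* Set the x87 precision control to 'pc' (_FPU_DOUBLE = 53 bits,
 * _FPU_EXTENDED = 64 bits) and return the previous control word so the
 * caller can restore it. _FPU_EXTENDED (0x300) is also the PC bit mask. */
static fpu_control_t set_x87_precision(fpu_control_t pc)
{
    fpu_control_t old, cw;
    _FPU_GETCW(old);
    cw = (old & ~_FPU_EXTENDED) | pc;
    _FPU_SETCW(cw);
    return old;
}
#else
#define HAVE_X87_PC 0
#endif

/* Probe: add 2^-60 to 1.0 in long double, which the compiler evaluates on
 * the x87 stack. The bit survives in 64-bit extended precision but is
 * rounded away under 53-bit precision. volatile stops constant folding. */
static int one_plus_tiny_is_exactly_one(void)
{
    volatile long double one  = 1.0L;
    volatile long double tiny = 0x1p-60L;
    volatile long double sum  = one + tiny;
    return sum == 1.0L;
}

/* Returns 1 if switching the precision control changes the probe's result
 * as expected (extended keeps the bit, double drops it), 0 if it does not,
 * and -1 on platforms without x87 precision control. */
int x87_precision_demo(void)
{
#if HAVE_X87_PC
    fpu_control_t saved = set_x87_precision(_FPU_EXTENDED);
    int extended_keeps_tiny = !one_plus_tiny_is_exactly_one();
    set_x87_precision(_FPU_DOUBLE);
    int double_drops_tiny = one_plus_tiny_is_exactly_one();
    _FPU_SETCW(saved);                  /* restore the original control word */
    return extended_keeps_tiny && double_drops_tiny;
#else
    return -1;
#endif
}

int main(void)
{
    printf("x87 precision control demo: %d\n", x87_precision_demo());
    return 0;
}
```

Two caveats for anyone using this in a detection engine: the control word only narrows the significand, the exponent range stays extended, so results near overflow or underflow can still differ from a true double computation, and any library call, signal handler or thread that resets the control word silently undoes the setting. The compile-time route on gcc is `-mfpmath=sse` (with `-msse2` on 32-bit x86), which keeps double arithmetic in SSE registers and avoids the x87 stack altogether.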

[0] - http://mtc.sri.com/Conficker/addendumC/