Wednesday, March 25, 2009

Conficker.C Purchase tickets now for the April 1st event

Recap.

Conficker.C, also known as W32/Conficker.C.worm, WORM_DOWNAD.AD, W32.Downadup, Net-Worm.Win32.Kido.cn

It still uses MS08-067 to spread, just like the A and B variants, so the detection released on 2008-10-23 still generates events on this spreading mechanism.

Now for something completely different.

The interesting thing about Conficker.C is that it added new functionality, which includes:

  1. A new DNS algorithm
  2. A new P2P controlling system
  3. A new call home date of April 1st

For a great summary of all of this, the guys over at SRI have updated their paper[0] on Conficker.

Finally, one of our current research projects is adding variant A, B and C DNS name matching to Snort. Unfortunately, making this work on multiple platforms and multiple compilers seems to be a major pain. If there is a gcc or icc developer that reads this blog, explaining how to force intermediate 53-bit floating point precision on both icc and gcc would be helpful. Unfortunately, the -msse2 compiler option doesn't do this on gcc and the icc -fp-model double option doesn't work on all icc versions.
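As an added example (not code from this post, Sourcefire or SRI), here are the two ways a reimplemented name generator is usually pinned to 53-bit intermediates so every build produces the same names: setting the x87 precision-control field on x86/glibc, and writing intermediates through a volatile double, which works on any compiler. The probe shows whether the pin took effect; function names are my own.

```c
/* Added example: pin intermediate floating-point precision to 53 bits.
 * The control-word route needs an x87 FPU and glibc's fpu_control.h;
 * the volatile-store route works on every compiler and platform. */
#include <float.h>
#include <stdio.h>
#if (defined(__i386__) || defined(__x86_64__)) && defined(__GLIBC__)
#include <fpu_control.h>
#define HAVE_X87_CW 1
#endif

/* Set the x87 precision-control field to 53-bit (double) mantissas.
 * Returns 0 on success, -1 where there is no x87 control word to set. */
int force_53bit_precision(void)
{
#ifdef HAVE_X87_CW
    fpu_control_t cw;
    _FPU_GETCW(cw);
    cw = (cw & ~_FPU_EXTENDED) | _FPU_DOUBLE;   /* PC field = double */
    _FPU_SETCW(cw);
    return 0;
#else
    return -1;
#endif
}

/* Probe: 1 + 2^-60 survives in a 64-bit x87 mantissa but rounds away at
 * 53 bits. Returns 1 while long double arithmetic still carries excess
 * precision, 0 once it has been pinned to 53 bits. */
int long_double_excess_precision(void)
{
    volatile long double one  = 1.0L;
    volatile long double tiny = 0x1p-60L;     /* exact power of two */
    volatile long double sum  = one + tiny;   /* volatile: no folding */
    return sum != one;
}

/* Portable fallback: every intermediate that matters is stored through a
 * volatile double, which discards excess bits whatever the FPU mode. */
double round_to_double(long double x)
{
    volatile double stored = (double)x;
    return stored;
}

int main(void)
{
    printf("FLT_EVAL_METHOD=%d excess before=%d\n",
           FLT_EVAL_METHOD, long_double_excess_precision());
    int rc = force_53bit_precision();
    printf("force rc=%d excess after=%d\n", rc, long_double_excess_precision());
    return 0;
}
```

On gcc, `-mfpmath=sse` (together with `-msse2`) or `-fexcess-precision=standard` has the same effect for double arithmetic; the probe tells you whether a given build still carries 64-bit intermediates.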

[0] - http://mtc.sri.com/Conficker/addendumC/

3 comments:

  1. how in the world would such a ridiculous worm get in my system in the first place, i wonder?

  2. Hi to all,
    about the domain names used by conficker.c: if you are interested, I have tried to find some simple attractors from the domain name pseudo random algorithm used by this variant. The result, if my analysis is correct, I think may be used as an additional evidence parameter for conficker.c spreading inside a network.

    Many thanks to vrt-sourcefire for their great posts.

  3. exploit dev, sure, feel free to contact us at research <-a-t-> sourcefire.com

    PGP key is on pgp.mit.edu if you need our public key to send data.
