Conficker.C, also known as W32/Conficker.C.worm, WORM_DOWNAD.AD, W32.Downadup, Net-Worm.Win32.Kido.cn
It still uses MS08-067 to spread, just like the A and B variants, so the detection released on 2008-10-23 still generates events for this spreading mechanism.
Now for something completely different.
The interesting thing about Conficker.C is that it added new functionality, which includes:
- A new DNS algorithm
- A new P2P controlling system
- A new call home date of April 1st
For a great summary of all of this, the guys over at SRI have updated their paper[0] on Conficker.
Finally, one of our current research projects is adding variant A, B and C DNS name matching to Snort. Unfortunately, making this work on multiple platforms and multiple compilers seems to be a major pain. If there is a gcc or icc developer who reads this blog, explaining how to force intermediate 53-bit floating point precision on both icc and gcc would be helpful. Unfortunately, the -msse2 compiler option doesn't do this on gcc, and the icc -fp-model double option doesn't work on all icc versions.
[0] - http://mtc.sri.com/Conficker/addendumC/
How in the world would such a ridiculous worm get in my system in the first place, I wonder?
Hi to all,
About the domain names used by Conficker.C: if you are interested, I have tried to find some simple attractors in the pseudo-random domain name algorithm used by this variant. If my analysis is correct, I think the result may be used as an additional evidence parameter for Conficker.C spreading inside a network.
Many thanks to vrt-sourcefire for their great posts.
exploit dev, sure, feel free to contact us at research <-a-t-> sourcefire.com
PGP key is on pgp.mit.edu if you need our public key to send data.