Recap.
Conficker.C (also known as W32/Conficker.C.worm, WORM_DOWNAD.AD, W32.Downadup and Net-Worm.Win32.Kido.cn) still uses MS08-067 to spread itself, just like the A and B variants, so the detection released on 2008-10-23 still generates events based on this spreading mechanism.
Now for something completely different.
The interesting thing about Conficker.C is that it added new functionality, which includes:
- A new DNS algorithm
- A new P2P controlling system
- A new call-home date of April 1st
For a great summary of all of this, the guys over at SRI have updated their paper[0] on Conficker.
Finally, one of our current research projects is adding variant A, B and C DNS name matching to Snort. Unfortunately, making this work on multiple platforms and multiple compilers seems to be a major pain. If there is a gcc or icc developer that reads this blog, explaining how to force intermediate 53-bit floating point precision on both icc and gcc would be helpful. Unfortunately, the -msse2 compiler option doesn't do this on gcc, and the icc -fp-model double option doesn't work on all icc versions.
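One way to get 53-bit intermediate rounding at run time instead of from compiler flags, as an added example that is not part of the original post or of the Snort project: set the precision-control field of the x87 control word to double precision, which is the same thing MSVC's _controlfp_s(..., _PC_53, _MCW_PC) does. The inline asm, the probe and the function names are my own; the PC bit encodings are the documented x87 ones.

```c
#include <stdint.h>
#include <stdio.h>

/* Precision-control (PC) field of the x87 control word, bits 8-9. */
#define X87_PC_MASK  0x0300u
#define X87_PC_53    0x0200u  /* 10b: 53-bit significand, IEEE double */
#define X87_PC_64    0x0300u  /* 11b: 64-bit significand, x87 extended (Linux default) */

#if defined(__i386__) || defined(__x86_64__)
int x87_available(void) { return 1; }

/* Replace the PC bits of the control word; returns the previous PC bits. */
unsigned x87_set_precision(unsigned pc)
{
    uint16_t cw;
    __asm__ __volatile__("fnstcw %0" : "=m"(cw) : : "memory");
    unsigned old = cw & X87_PC_MASK;
    cw = (uint16_t)((cw & ~X87_PC_MASK) | (pc & X87_PC_MASK));
    __asm__ __volatile__("fldcw %0" : : "m"(cw) : "memory");
    return old;
}
#else
int x87_available(void) { return 0; }
unsigned x87_set_precision(unsigned pc) { (void)pc; return 0; }
#endif

/* Probe: 1 + 2^-60 is exact with a 64-bit significand but rounds back to
 * 1.0 with a 53-bit one. long double forces the add through the x87 unit
 * even on x86-64, where plain double arithmetic already goes through SSE. */
int x87_excess_precision_visible(void)
{
    volatile long double one = 1.0L, tiny = 0x1p-60L;
    volatile long double sum = one + tiny;
    return sum != one;
}

/* Returns 1 if switching PC to 53 bits removed the excess precision, 0 if it
 * did not, -1 when there is no x87 unit. Restores the caller's setting. */
int x87_check_53bit_rounding(void)
{
    if (!x87_available()) return -1;
    unsigned saved = x87_set_precision(X87_PC_64);
    int wide = x87_excess_precision_visible();   /* expect 1 */
    x87_set_precision(X87_PC_53);
    int narrow = x87_excess_precision_visible(); /* expect 0 */
    x87_set_precision(saved);
    return (wide == 1 && narrow == 0) ? 1 : 0;
}

int main(void)
{
    printf("x87 53-bit rounding check: %d\n", x87_check_53bit_rounding());
    return 0;
}
```

Two caveats: PC narrows only the significand, so the exponent range stays that of extended precision, and the control word has no effect on SSE arithmetic, so on x86-64 the double path is already 53-bit and only 32-bit x87 builds change behaviour.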