Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for March 24th, 2009

Conficker C Variant: SRI Analysis


Conclusion

We present an analysis of Conficker Variant C, which emerged on the Internet at roughly 6 p.m. (PST) on 4 March 2009. This variant incorporates significant new functionality, including a new domain generation algorithm and a new peer-to-peer file sharing service. Absent from our discussion has been any reference to the well-known attack propagation vectors (RPC buffer overflow, USB, and NetBios Scans) that have allowed C’s predecessors to saturate so much of the Internet. Although not present in C, these attack propagation services are but one peer upload away from any C infected host, and may appear at any time. C is, in fact, a robust and secure distribution utility for distributing malicious content and binaries to millions of computers across the Internet. This utility incorporates a potent arsenal of methods to defend itself from security products, updates, and diagnosis tools. It further demonstrates the rapid development pace at which Conficker’s authors are maintaining their current foothold on a large number of Internet-connected hosts. Further, if organized into a coordinated offensive weapon, this multimillion-node botnet poses a serious and dire threat to the Internet.

Full report HERE

So, what does it all mean? What is the master plan for Conficker? The Cabal has not yet been able to find out who wrote it (my guess is that they are Ukrainian) in order to track them down. Everything just looms over us as April 1 approaches and its activation day comes.

What’s missing here are the actual commands that the code is supposed to enact on April 1, though. I am sure they have decoded the bug and know, so why not let us all know? Perhaps the game is afoot and they plan on stopping a mass attack. Who knows…

What I find really interesting about the Conficker updates is that they seem to have thought this out very well. With the random DNS calls, the random sleep times, and other methods to obfuscate its presence, this bug would seem to have the ability to propagate itself, attack the internet, and possibly pass data to the herders at an incredible rate. All the while it would be unable to be stopped by common IDS/Firewalls, etc.
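The “random DNS calls” are the observable side of the domain generation algorithm the SRI conclusion mentions: a host that is working through a list of generated rendezvous domains produces a burst of failed lookups for random-looking names spread across many TLDs, which is something a resolver log can expose. The following is an added detection example, not code from the post or from the SRI report; it assumes a constructed resolver log in the format `<epoch> <client> <qname> <rcode>` and a deliberately simple vowel-ratio heuristic for “random-looking” labels.

```python
import re
from collections import defaultdict

# Constructed resolver log (sample data, not real traffic): "<epoch> <client> <qname> <rcode>".
SAMPLE_LOG = """\
1237880400 10.0.0.5 www.example.com NOERROR
1237880401 10.0.0.5 mail.example.com NOERROR
1237880402 10.0.0.9 qwzxkpl.org NXDOMAIN
1237880403 10.0.0.9 mbvtrqa.info NXDOMAIN
1237880404 10.0.0.5 cdn.example.net NOERROR
1237880405 10.0.0.9 ktrvpwq.biz NXDOMAIN
1237880406 10.0.0.9 xplmnvc.cc NXDOMAIN
1237880407 10.0.0.9 zrqwtpm.ws NXDOMAIN
1237880408 10.0.0.9 hgfdsak.org NXDOMAIN
1237880409 10.0.0.7 typo-in-name.com NXDOMAIN
1237880410 10.0.0.7 typo-in-name.com NXDOMAIN
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+)$")

def looks_random(label: str) -> bool:
    """Cheap heuristic (assumed, not from the report): alphabetic label of 5+ chars with few vowels."""
    if len(label) < 5 or not label.isalpha():
        return False
    vowels = sum(c in "aeiou" for c in label)
    return vowels / len(label) < 0.3

def flag_hosts(log: str, min_domains: int = 5, min_tlds: int = 3) -> dict:
    """Map each client to its sorted failed random-looking domains when it exceeds both thresholds.

    A single misspelled name repeated by one host does not trip the rule; a spread of
    distinct NXDOMAIN answers across several TLDs does, which is the DGA rendezvous pattern.
    """
    seen = defaultdict(set)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, client, qname, rcode = m.groups()
        parts = qname.lower().rstrip(".").split(".")
        if rcode != "NXDOMAIN" or len(parts) < 2:
            continue
        sld, tld = parts[-2], parts[-1]
        if looks_random(sld):
            seen[client].add((sld, tld))
    flagged = {}
    for client, domains in seen.items():
        tlds = {tld for _, tld in domains}
        if len(domains) >= min_domains and len(tlds) >= min_tlds:
            flagged[client] = sorted(f"{s}.{t}" for s, t in domains)
    return flagged
```

On the constructed log only 10.0.0.9 is flagged; the thresholds and the vowel-ratio test are starting points to tune against a site's own baseline, since legitimate CDN and short hostnames can also score as "random".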

April 1 will be interesting to say the least…

Written by Krypt3ia

2009/03/24 at 11:24

It’s 3am.. Who You Gonna Call?


Ok, not that I am overly freaked out by things, but, this is the second night that something has awakened me at 3AM…

Dead asleep and BEEP BEEP BEEP BEEP, the CO alarm in the bedroom here goes off at EXACTLY 3am! This is the second night that this has happened since moving in. The first time I don’t know what awoke me, but I was asleep, then BING! awake and looking for the cause. Of course this is all coincidence, right? I mean, I had those dreams about the house and walking out to find the previous owner’s husband in my living room sitting on the couch… But that’s just my imagination running away with my logical brain, right?

So, here I sit in bed with the laptop, wide awake after searching the house for more CO alarms and finding nothing. Now, the CO detector seems to have an old sensor (“do not install after Dec 2008” is printed on it), so I guess it is out of date. So, it stands to reason that it’s likely to malfunction and scream, right? I even went to the First Alert site and they said it may go off if the sensor was old.

I checked the web for false alarms and CO and man, First Alert even claims that pets can set the damn thing off! Huh? WTF man! I will get another one tomorrow and see, I guess. Meanwhile we have the windows open in the bedroom just in case, but we present no signs of CO poisoning.

Oh well.. Anyone have a used proton pack they want to sell?

Written by Krypt3ia

2009/03/24 at 08:16