Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Conficker C Variant: SRI Analysis

with 4 comments

Conclusion

We present an analysis of Conficker Variant C, which emerged on the Internet at roughly 6 p.m. (PST) on 4 March 2009. This variant incorporates significant new functionality, including a new domain generation algorithm and a new peer-to-peer file sharing service. Absent from our discussion has been any reference to the well-known attack propagation vectors (RPC buffer overflow, USB, and NetBios Scans) that have allowed C’s predecessors to saturate so much of the Internet. Although not present in C, these attack propagation services are but one peer upload away from any C-infected host, and may appear at any time. C is, in fact, a robust and secure distribution utility for distributing malicious content and binaries to millions of computers across the Internet. This utility incorporates a potent arsenal of methods to defend itself from security products, updates, and diagnosis tools. It further demonstrates the rapid development pace at which Conficker’s authors are maintaining their current foothold on a large number of Internet-connected hosts. Further, if organized into a coordinated offensive weapon, this multimillion-node botnet poses a serious and dire threat to the Internet.

Full report HERE

So, what does it all mean? What is the master plan for Conficker? The Cabal has not yet been able to find out who wrote it in order to track them down (my guess is that they are Ukrainian). Everything just looms over us as April 1 approaches and its activation day comes.

What’s missing here are the actual commands that the code is supposed to enact on April 1, though. I am sure they have decoded the bug and know, so why not let us all know? Perhaps the game is afoot and they plan on stopping a mass attack. Who knows…

What I find really interesting about the Conficker updates is that they seem to have thought this out very well. With the random DNS calls, the random sleep times, and other methods to obfuscate its presence, this bug would seem to have the ability to propagate itself, attack the internet, and possibly pass data to the herders at an incredible rate. All the while it would be unable to be stopped by common IDS/firewalls, etc.
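The "random DNS calls" mentioned above are the defender's best handle on a domain-generation algorithm: an infected host resolves many never-registered, random-looking domains that come back NXDOMAIN. The following is an added example, not code from the post or from the SRI report, of a simple heuristic a resolver-log reviewer could run. The log lines are constructed for illustration, the field layout (timestamp, client, query name, response code) is an assumption about the log format, and the registered-domain split is a two-label simplification rather than a public-suffix-list lookup.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not from the page): timestamp, client, qname, rcode.
# Host 10.0.0.9 is written to behave like a DGA-driven client; 10.0.0.5 is ordinary traffic.
SAMPLE_DNS_LOG = """\
2009-03-24T11:00:01 10.0.0.5 www.example.com NOERROR
2009-03-24T11:00:03 10.0.0.5 mail.example.com NOERROR
2009-03-24T11:00:04 10.0.0.9 qzkxwvn.info NXDOMAIN
2009-03-24T11:00:05 10.0.0.9 xlpwmqr.biz NXDOMAIN
2009-03-24T11:00:05 10.0.0.9 vbztqyl.org NXDOMAIN
2009-03-24T11:00:06 10.0.0.9 hkmxwzp.net NXDOMAIN
2009-03-24T11:00:06 10.0.0.9 rjqwvgt.cc NXDOMAIN
2009-03-24T11:00:07 10.0.0.9 update.example.org NOERROR
2009-03-24T11:00:08 10.0.0.5 cdn.example.net NOERROR
"""


def parse_dns_log(text):
    """Split each non-empty line into (timestamp, client, qname, rcode).
    Assumed layout: four whitespace-separated fields per line."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than fail the whole run
        records.append(tuple(parts))
    return records


def registered_domain(qname):
    """Simplification: treat the last two labels as the registrable domain.
    A production tool would consult the public suffix list instead."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname.lower()


def shannon_entropy(s):
    """Bits per character of the label; high values mean character soup."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def vowel_ratio(s):
    """Fraction of alphabetic characters that are vowels; pronounceable names
    sit well above 0.25, consonant strings near 0."""
    letters = [ch for ch in s if ch.isalpha()]
    if not letters:
        return 0.0
    return sum(ch in "aeiou" for ch in letters) / len(letters)


def looks_random(label, min_len=6):
    """Heuristic: a second-level label is 'random-looking' when it is long
    enough to judge and is either nearly vowel-free or high-entropy."""
    if len(label) < min_len:
        return False
    return vowel_ratio(label) < 0.25 or shannon_entropy(label) >= 3.0


def flag_dga_clients(records, nx_threshold=3):
    """Return {client: sorted suspicious domains} for clients that asked for
    at least nx_threshold distinct random-looking domains that did not exist."""
    suspicious = defaultdict(set)
    for _ts, client, qname, rcode in records:
        if rcode != "NXDOMAIN":
            continue
        domain = registered_domain(qname)
        sld = domain.split(".")[0]
        if looks_random(sld):
            suspicious[client].add(domain)
    return {c: sorted(d) for c, d in suspicious.items() if len(d) >= nx_threshold}


if __name__ == "__main__":
    for client, domains in flag_dga_clients(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(f"{client}: {len(domains)} random-looking NXDOMAIN lookups -> {', '.join(domains)}")
```

The thresholds here are deliberately loose so the idea stays visible; in a real deployment they would be tuned per network, and the count would be taken over a sliding time window so that a burst of lookups stands out against the host's normal traffic. The point is that evasion by randomness leaves its own signature: legitimate clients almost never resolve a run of unregistered consonant strings.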

April 1 will be interesting to say the least…

Written by Krypt3ia

2009/03/24 at 11:24

4 Responses


  1. […] Conficker C Variant: SRI Analysis […]

  2. Hi,

    Good article. Sophos’ Conficker removal tool can detect and remove all variants of the worm/virus.

    As long as people run these tools it should stop any serious outbreak.

    James

    2009/03/24 at 18:23

  3. Yeah, I downloaded that tool and provided it to a client already. However, with the rate at which these guys are creating updates and countermeasures, I cannot think that this tool will stay as relevant as one would like. A secondary note is that of the people on the net (home users as well as companies etc) there are all too many who are unaware of this threat as well as not technically savvy enough to even know they are infected.

    We will just have to see what happens on 4/1.

    crabbyolbastard

    2009/03/24 at 18:59

  4. Conficker.A and Conficker.B can both be removed using free software like F-Secure’s Downadup removal software as well as bdtools, which was made just for this. However, Conficker.C still has to be removed manually. In just another day a fix will be made for it. You can view the Microsoft site for more information on how to remove this manually.

    Conficker Removal

    2009/04/01 at 00:05
