Conficker C Variant: SRI Analysis
We present an analysis of Conficker Variant C, which emerged on the Internet at roughly 6 p.m. (PST) on 4 March 2009. This variant incorporates significant new functionality, including a new domain generation algorithm and a new peer-to-peer file sharing service. Absent from our discussion has been any reference to the well-known attack propagation vectors (RPC buffer overflow, USB, and NetBIOS scans) that have allowed C’s predecessors to saturate so much of the Internet. Although not present in C, these attack propagation services are but one peer upload away from any C-infected host, and may appear at any time. C is, in fact, a robust and secure distribution utility for distributing malicious content and binaries to millions of computers across the Internet. This utility incorporates a potent arsenal of methods to defend itself from security products, updates, and diagnosis tools. It further demonstrates the rapid development pace at which Conficker’s authors are maintaining their current foothold on a large number of Internet-connected hosts. Further, if organized into a coordinated offensive weapon, this multimillion-node botnet poses a serious and dire threat to the Internet.
Full report HERE
So, what does it all mean? What is the master plan for Conficker? The Cabal has not yet been able to find out who wrote it (but my guess is that they are Ukrainian) in order to track them down. Everything just looms over us as April 1, its activation day, approaches.
What’s missing here, though, are the actual commands that the code is supposed to carry out on April 1. I am sure they have decoded the bug and know, so why not let us all know? Perhaps the game is afoot and they plan on stopping a mass attack. Who knows…
What I find really interesting about the Conficker updates is that they seem to have thought this out very well. With the random DNS calls, the random sleep times, and other methods to obfuscate its presence, this bug would seem to have the ability to propagate itself, attack the Internet, and possibly pass data to the herders at an incredible rate. All the while, it would be impossible to stop with common IDS/firewalls, etc.
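To make the "random DNS calls" concrete, here is an added example of my own. It is not code from the SRI report and it is not Conficker's actual algorithm: it is a hypothetical date-seeded domain generator of the general kind the abstract refers to, paired with a simple detector run over constructed DNS log lines. The seeding scheme, salt, TLD list, thresholds, host addresses and log format are all assumptions made for this illustration.

```python
"""Date-seeded domain generation and a simple NXDOMAIN-rate detector.

Added example, not Conficker's algorithm and not code from the SRI report.
The seed construction, TLD list, log format and thresholds are invented
for illustration only.
"""
import hashlib
from collections import defaultdict
from datetime import date

TLDS = ["com", "net", "org", "info", "biz"]  # hypothetical TLD set


def generate_domains(day, count=50, salt=b"example-seed"):
    """Derive `count` deterministic domain names from a calendar date.

    Bot and herder can compute the same list independently, which is the
    property a DGA provides: the herder registers one of today's names,
    the bot tries them until one answers. This hash-based construction is
    hypothetical, chosen only to show the shape of such a scheme.
    """
    domains = []
    for i in range(count):
        material = salt + day.isoformat().encode() + i.to_bytes(4, "big")
        digest = hashlib.sha256(material).digest()
        length = 8 + digest[0] % 8                     # 8..15 letter label
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        tld = TLDS[digest[20] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def parse_dns_log(lines):
    """Parse constructed log lines: '<ts> <client> <qname> <rcode>'."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, client, qname, rcode = line.split()
        records.append((ts, client, qname.lower(), rcode))
    return records


def flag_dga_clients(records, min_nxdomain=20, min_ratio=0.8):
    """Flag clients whose queries are mostly NXDOMAIN.

    A bot working through a day's candidate list resolves almost nothing,
    so the failed lookups, not the one that succeeds, are the cheap signal.
    """
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "names": set()})
    for _, client, qname, rcode in records:
        s = stats[client]
        s["total"] += 1
        s["names"].add(qname)
        if rcode == "NXDOMAIN":
            s["nx"] += 1
    flagged = {}
    for client, s in stats.items():
        ratio = s["nx"] / s["total"]
        if s["nx"] >= min_nxdomain and ratio >= min_ratio:
            flagged[client] = {"nxdomain": s["nx"], "queries": s["total"],
                               "distinct": len(s["names"])}
    return flagged


def build_sample_log():
    """Constructed sample: one infected host, one ordinary host (both hypothetical)."""
    lines = []
    # 10.0.0.23 walks the generated list; only one name has been registered.
    for i, d in enumerate(generate_domains(date(2009, 4, 1), 30)):
        rcode = "NOERROR" if i == 7 else "NXDOMAIN"
        lines.append(f"2009-04-01T00:00:{i:02d} 10.0.0.23 {d} {rcode}")
    # 10.0.0.9 does normal browsing with a single typo.
    normal = ["www.example.com", "mail.example.org", "cdn.example.net", "wwww.example.com"]
    for i, d in enumerate(normal):
        rcode = "NXDOMAIN" if d.startswith("wwww") else "NOERROR"
        lines.append(f"2009-04-01T00:01:{i:02d} 10.0.0.9 {d} {rcode}")
    return lines


if __name__ == "__main__":
    for client, info in flag_dga_clients(parse_dns_log(build_sample_log())).items():
        print(client, info)
```

The point of pairing the two halves is that the randomness which defeats a static domain blocklist does not hide the traffic pattern: a host that emits dozens of unique, never-before-seen names and gets NXDOMAIN for nearly all of them stands out in resolver logs even when the names themselves are unpredictable. Random sleep intervals stretch the window over which you have to aggregate, so the thresholds here would need to be tuned to the observation period in a real deployment.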
April 1 will be interesting to say the least…