Posted by Monty Solomon on April 11, 2009, 9:18 am
SRI International Technical Report Addendum
Conficker C Analysis
Phillip Porras, Hassen Saidi, and Vinod Yegneswaran
Release Date: 08 March 2009
Last Update: 4 April 2009
Computer Science Laboratory, SRI International, 333 Ravenswood Avenue, Menlo Park CA 94025 USA

Introduction

This addendum provides an evolving snapshot of our understanding of the latest Conficker variant, referred to as Conficker C. The variant was brought to the attention of the Conficker Working Group when one member reported that a compromised Conficker B honeypot was updated with a new dynamically linked library (DLL). Although a network trace for this infection is not available, we suspect that this DLL may have propagated via Conficker's Internet rendezvous point mechanism (Global Network Impact). The infection was found on the morning of Friday, 6 March 2009 (PST), and it was later reported that other working group members had received other DLL reinfections throughout the same day. Since that point, multiple members have reported upgrades of previously infected machines to this latest variant via HTTP-based Internet rendezvous points. We believe this latest outbreak of Conficker variant C began first spreading at roughly 6 p.m. PST, 4 March 2009 (5 March UTC).

In this addendum report, we summarize the inner workings and practical implications of this latest malicious software application produced by the Conficker developers. In addition to the dual layers of packing and encryption used to protect A and B from reverse engineering, this latest variant also cloaks its newest code segments, along with its latest functionality, under a significant layer of code obfuscation to further hinder binary analysis. Nevertheless, with a careful mixture of static and dynamic analysis, we attempt here to summarize the internal logic of Conficker C.

...

http://mtc.sri.com/Conficker/addendumC/

New: Free Detection Utilities
Conficker C P2P Snort Detection Module
http://mtc.sri.com/Conficker/contrib/plugin.html
Conficker C Network Scanner
http://mtc.sri.com/Conficker/contrib/scanner.html
Posted by Colin on April 12, 2009, 1:12 pm
"Perhaps in the best case, Conficker may be used as a sustained and profitable platform for massive Internet fraud and theft. In the worst case, Conficker could be turned into a powerful offensive weapon for performing concerted information warfare attacks"

Surely the best case is that Conficker is preventing infected machines from being infected by (other) malicious worms/viruses/spambots?

Regards,
Colin
Conficker C Analysis