Conficker C Analysis

SRI International Technical Report


Conficker C Analysis Phillip Porras, Hassen Saidi, and Vinod Yegneswaran

Release Date: 08 March 2009 Last Update: 4 April 2009

Computer Science Laboratory SRI International

333 Ravenswood Avenue Menlo Park CA 94025 USA


This addendum provides an evolving snapshot of our understanding of the latest Conficker variant, referred to as Conficker C. The variant was brought to the attention of the Conficker Working Group when one member reported that a compromised Conficker B honeypot was updated with a new dynamically linked library (DLL). Although a network trace for this infection is not available, we suspect that this DLL may have propagated via Conficker's Internet rendezvous point mechanism (Global Network Impact). The infection was found on the morning of Friday, 6 March 2009 (PST), and it was later reported that other working group members had received other DLL reinfections throughout the same day. Since that point, multiple members have reported upgrades of previously infected machines to this latest variant via HTTP-based Internet rendezvous points. We believe this latest outbreak of Conficker variant C began first spreading at roughly 6 p.m. PST, 4 March 2009 (5 March UTC).

In this addendum report, we summarize the inner workings and practical implications of this latest malicious software application produced by the Conficker developers. In addition to the dual layers of packing and encryption used to protect A and B from reverse engineering, this latest variant also cloaks its newest code segments, along with its latest functionality, under a significant layer of code obfuscation to further hinder binary analysis. Nevertheless, with a careful mixture of static and dynamic analysis, we attempt here to summarize the internal logic of Conficker C.


formatting link

New: Free Detection Utilities

Conficker C P2P Snort Detection Module

formatting link
Conficker C Network Scanner
formatting link

Reply to
Monty Solomon
Loading thread data ...

Quoting the article:

"Perhaps in the best case, Conficker may be used as a sustained and profitable platform for massive Internet fraud and theft. In the worst case, Conficker could be turned into a powerful offensive weapon for performing concerted information warfare attacks"

Surely the best case is that Conficker is preventing infected machines from being infected by (other) malicious worms/viruses/spambots?

Regards, Colin

Reply to
Colin Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.