Posted by Monty Solomon on April 11, 2009, 9:18 am
SRI International
Technical Report
Addendum
Conficker C Analysis
Phillip Porras, Hassen Saidi, and Vinod Yegneswaran
Release Date: 08 March 2009
Last Update: 4 April 2009
Computer Science Laboratory
SRI International
333 Ravenswood Avenue
Menlo Park CA 94025 USA
Introduction
This addendum provides an evolving snapshot of our understanding of
the latest Conficker variant, referred to as Conficker C. The
variant was brought to the attention of the Conficker Working Group
when one member reported that a compromised Conficker B honeypot was
updated with a new dynamically linked library (DLL). Although a
network trace for this infection is not available, we suspect that
this DLL may have propagated via Conficker's Internet rendezvous
point mechanism (Global Network Impact). The infection was found on
the morning of Friday, 6 March 2009 (PST), and it was later reported
that other working group members had received other DLL reinfections
throughout the same day. Since that point, multiple members have
reported upgrades of previously infected machines to this latest
variant via HTTP-based Internet rendezvous points. We believe this
latest outbreak of Conficker variant C began first spreading at
roughly 6 p.m. PST, 4 March 2009 (5 March UTC).
In this addendum report, we summarize the inner workings and
practical implications of this latest malicious software application
produced by the Conficker developers. In addition to the dual
layers of packing and encryption used to protect A and B from reverse
engineering, this latest variant also cloaks its newest code
segments, along with its latest functionality, under a significant
layer of code obfuscation to further hinder binary analysis.
Nevertheless, with a careful mixture of static and dynamic analysis,
we attempt here to summarize the internal logic of Conficker C.
...
http://mtc.sri.com/Conficker/addendumC/
New: Free Detection Utilities
Conficker C P2P Snort Detection Module
http://mtc.sri.com/Conficker/contrib/plugin.html
Conficker C Network Scanner
http://mtc.sri.com/Conficker/contrib/scanner.html
Posted by Colin on April 12, 2009, 1:12 pm
Quoting the article:
"Perhaps in the best case, Conficker may be used as a sustained and
profitable platform for massive Internet fraud and theft. In the
worst case, Conficker could be turned into a powerful offensive weapon
for performing concerted information warfare attacks"
Surely the best case is that Conficker is preventing infected machines
from being infected by (other) malicious worms/viruses/spambots?
Regards,
Colin