Conficker Diary

04 February 2009
An Analysis of Conficker's Logic and Rendezvous Points:
Describes Conficker Variants A and B

18 February 2009
Update: An Analysis of Conficker's Logic and Rendezvous Points:
Introduces Conficker Variant B++

08 March 2009
Conficker  C Analysis:
Describes Conficker Variant C.

03 March 2009

In a blog entry dated Feb 24, 2009, Patrick Fitzgerald from Symantec points out that one of his colleagues (Eric Chien) had analyzed the P2P behavior of Conficker. The article suggests that the B++ variant we describe in our current article is previously described.

While we are aware of this (Eric's) Symantec article, and indeed cite it in our report, there are fundamental differences between the two write-ups.

At this point, we are not sure if Eric's blog entry refers to the original B-variant we analyzed, B++, or a different variant.

Nevertheless, our report is the first  to demonstrate that there are at least two variants of B (B, B++), which contact the same set of rendezvous points and that the differences between these variants run deeper than MD5s. With the rendezvous points vector largely defanged by the actions of the Cabal, the former presents a less potent threat than the latter. Thus, knowing the differences between these two families (and their respective sizes) is critical in assessing the magnitude of Conficker's threat.

03 March 2009

We fixed the Conficker Modulus values displayed in Table 1.