Conficker Diary
04 February 2009
An Analysis of Conficker's Logic and Rendezvous Points: http://mtc.sri.com
Describes Conficker Variants A and B
18 February 2009
Update: An Analysis of Conficker's Logic and Rendezvous Points: http://mtc.sri.com
Introduces Conficker Variant B++
08 March 2009
Conficker C Analysis: http://mtc.sri.com/addendumC
Describes Conficker Variant C.
03 March 2009
In a blog entry dated Feb 24, 2009, Patrick Fitzgerald from Symantec points out that one of his colleagues (Eric Chien) had analyzed the P2P behavior of Conficker. The article suggests that the B++ variant we describe in our current article was previously described. While we are aware of this (Eric's) Symantec article, and indeed cite it in our report, there are fundamental differences between the two write-ups.
- 1) The Symantec article does not illustrate that there are multiple variants of B. It simply says B has two mechanisms to distribute payload: rendezvous points and upload_through_patch mechanism. This led us to believe the original version of B was being discussed. It turns out the upload_through_patch mechanism might be absent in the original B version and this article was referencing a more advanced version.
- 2) It does not make any reference to named-pipes being used as a delivery mechanism.
At this point, we are not sure if Eric's blog entry refers to the original B-variant we analyzed, B++, or a different variant.
Nevertheless, our report is the first to demonstrate that there are at least two variants of B (B, B++), which contact the same set of rendezvous points and that the differences between these variants run deeper than MD5s. With the rendezvous points vector largely defanged by the actions of the Cabal, the former presents a less potent threat than the latter. Thus, knowing the differences between these two families (and their respective sizes) is critical in assessing the magnitude of Conficker's threat.
03 March 2009
We fixed the Conficker Modulus values displayed in Table 1.