I've started using the podcast feature from ISC (new iPod :D). Lately Conficker has gained a lot of news coverage. It's the first malware of its kind that actually shows how far stealth has come in malware.
The kinds of techniques that Conficker uses are really amazing, and this one was definitely not written to impress some dancer in a bar.
It uses the RC4 stream cipher with a 512-bit key as a fast way to decrypt the file downloaded from a queried server. However, it will do so only if the downloaded file has been digitally signed using a public key scheme with a 4096-bit key.
During execution, Conficker calls the SLDT instruction many times. SLDT stores the Local Descriptor Table register (the LDT segment selector) in a register, which Conficker then compares with certain values. This allows Conficker to detect whether it is running in a virtual machine: the LDT selector of a native system will be 0x0000, while in VMware (or Virtual PC) the LDT will be relocated (for example, in VMware 4 it will often be 0x4058). You can see in the code above that Conficker compares the result of the SLDT instruction with 0. If it is 0, execution continues; otherwise Conficker calls the Sleep function with the value -1 (0xFFFFFFFF), which will cause the process to sleep for 29826 hours (so, like forever).
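As an added example (not code from the post or from the SRI/ISC analyses it cites), here is a small static triage heuristic that scans raw x86 code bytes for the two things described above: the SLDT encoding (opcode 0F 00 with ModRM reg field 0) and a push -1 immediately followed by a call, the Sleep(0xFFFFFFFF) idiom. The sample bytes and the import address 0x401000 are constructed for illustration.

```python
# Constructed x86-32 snippet: three SLDT encodings, one STR (same opcode map,
# reg field 1) that must not match, and a push -1 / call [import] pair.
SAMPLE = bytes.fromhex(
    "5589E5"        # push ebp; mov ebp, esp
    "0F00C0"        # sldt eax           (0F 00 /0, ModRM C0 -> reg field 0)
    "660F00C0"      # sldt ax            (66 operand-size prefix)
    "0F0045FC"      # sldt [ebp-4]       (memory operand form)
    "0F00C8"        # str eax            (ModRM C8 -> reg field 1, not SLDT)
    "85C0"          # test eax, eax
    "7405"          # jz +5
    "6AFF"          # push -1            (0xFFFFFFFF, INFINITE for Sleep)
    "FF1500104000"  # call dword ptr [0x401000]  (constructed import thunk)
    "C9C3"          # leave; ret
)

def find_sldt(code: bytes) -> list[int]:
    """Offsets of SLDT instructions (operand-size prefix included if present).
    Byte-level matching: data that happens to look like 0F 00 /0 gives false
    positives, so treat the count as a triage signal, not proof."""
    hits = []
    for i in range(len(code) - 2):
        if code[i] == 0x0F and code[i + 1] == 0x00 and ((code[i + 2] >> 3) & 7) == 0:
            start = i - 1 if i > 0 and code[i - 1] == 0x66 else i
            hits.append(start)
    return hits

def find_sleep_forever(code: bytes) -> list[int]:
    """Offsets of 'push -1' immediately followed by a near (E8) or IAT (FF 15) call."""
    hits = []
    i = 0
    while i < len(code):
        if code[i:i + 2] == b"\x6a\xff":                 # push imm8 (-1)
            nxt = i + 2
        elif code[i:i + 5] == b"\x68\xff\xff\xff\xff":   # push imm32 0xFFFFFFFF
            nxt = i + 5
        else:
            i += 1
            continue
        if code[nxt:nxt + 1] == b"\xe8" or code[nxt:nxt + 2] == b"\xff\x15":
            hits.append(i)
        i = nxt
    return hits

def triage(code: bytes) -> dict:
    """Flag a region that both reads the LDT selector and can sleep forever."""
    sldt, sleep = find_sldt(code), find_sleep_forever(code)
    return {"sldt": sldt, "sleep_forever": sleep,
            "suspicious": bool(sldt) and bool(sleep)}
```

Run `triage(SAMPLE)` to see the three SLDT offsets, the single push/call offset and the combined flag; the STR instruction is correctly ignored.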
These are only a few of the techniques and coding tricks that make this malware a great learning platform for almost all of us.
I don't know how many of you are actually following this, but since we're in the process of migrating to a different AV (for a few months now :O), I found it great to set up traps and educate myself more in the security field.
For those who care to check it out:
http://mtc.sri.com/Conficker/addendumC/index.html (that is for version C, the latest)
Thanks, and if you've dealt with / you're dealing with the Conficker problem in your organization, please let me know your experience with it. Also share your general opinion about the malware.