Conflicker update.
Results 1 to 2 of 2

Thread: Conflicker update.

  1. #1
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003

    Conflicker update.

    I've started using the podcast feature from ISC (new IPOD ).. Lately conflicker has gained lot of news. It’s the first of its kind malware that's actually showing how stealth has come a long way into malware(s).

    The kind of techniques that conflicker uses is really amazing and this one was definitely not written to impress some dancer in a bar..

    It uses RC4 stream cipher and a 512-bit key as a fast way to decrypt the file downloaded from a queried server. However, it will do so only if the downloaded file has been digitally signed using a public key scheme with a 4096-bit key.
    During the execution, Conficker calls the SLDT instruction many times. The SLDT instruction stores the Local Descriptor Table in a register that is then compared by Conficker with certain values. This allows Conficker to detect if it's running in a virtual machine – LDT of a native system will be 0x0000 while in VMWare (or VirtualPC) LDT will be relocated (for example, in VMWare 4 it will often be 0x4058). You can see in the code above that Conficker compares the result of the SLDT instruction with 0. If it is 0, the execution continues, otherwise Conficker calls the Sleep function with the value of -1 (0xFFFFFFFF) – this will cause the process to sleep for 29826 hours (so, like forever).

    These are really few of the techniques and coding that makes this malware a great learning platform for almost all of us..

    I don't know how many of you're actually following this but since we're in process of migrating to different AV (from few months now :O), I found it great to set up traps and help educate myself more in security field.


    For those who care to check out :

    http://mtc.sri.com/Conficker/addendumC/index.html (that for version c - latest)

    http://mtc.sri.com/Conficker



    Thanks and if you've / you're dealing with conflicker problem in your organization please let me know your experience towards it.. Also share your general opinion about the malware..

    Thanks,
    Byte~
    Last edited by ByTeWrangler; March 23rd, 2009 at 08:45 PM.
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  2. #2
    Junior Member
    Join Date
    Mar 2003
    Posts
    12
    I've been following it since the first variant and it is a very impressive worm.

    I think we can expect Conficker.D shortly, If the SMB2 vulnerability in Vista shows that remote code execution is possible, which i think it is, its just a matter of time before the authors implement it
    silent play in the shadow of power...

Similar Threads

  1. Windows Error Messages
    By cheyenne1212 in forum Miscellaneous Security Discussions
    Replies: 7
    Last Post: February 1st, 2012, 01:51 PM
  2. Copying updates
    By Cider in forum Operating Systems
    Replies: 10
    Last Post: March 21st, 2006, 08:30 PM
  3. How to keep Windows 2000, XP, 2003 and Office update painless!
    By SDK in forum The Security Tutorials Forum
    Replies: 2
    Last Post: December 8th, 2005, 11:02 AM
  4. August security hotfixes
    By mohaughn in forum Microsoft Security Discussions
    Replies: 1
    Last Post: August 9th, 2005, 07:37 PM
  5. October MS updates
    By mohaughn in forum Microsoft Security Discussions
    Replies: 2
    Last Post: October 13th, 2004, 04:31 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides