-
March 23rd, 2009, 08:25 PM
#1
Conficker update.
I've started using the podcast feature from ISC (new iPod).. Lately Conficker has gained a lot of news. It's the first of its kind malware that's actually showing how far stealth has come in malware(s).
The kind of techniques that Conficker uses is really amazing, and this one was definitely not written to impress some dancer in a bar..
It uses the RC4 stream cipher and a 512-bit key as a fast way to decrypt the file downloaded from a queried server. However, it will do so only if the downloaded file has been digitally signed using a public key scheme with a 4096-bit key.
During execution, Conficker calls the SLDT instruction many times. The SLDT instruction stores the Local Descriptor Table in a register that is then compared by Conficker with certain values. This allows Conficker to detect if it's running in a virtual machine: the LDT of a native system will be 0x0000, while in VMware (or Virtual PC) the LDT will be relocated (for example, in VMware 4 it will often be 0x4058). You can see in the code above that Conficker compares the result of the SLDT instruction with 0. If it is 0, the execution continues; otherwise Conficker calls the Sleep function with the value of -1 (0xFFFFFFFF), which will cause the process to sleep for 29826 hours (so, like forever).
These are really only a few of the techniques and coding that make this malware a great learning platform for almost all of us..
I don't know how many of you are actually following this, but since we're in the process of migrating to a different AV (for a few months now :O), I found it great to set up traps and help educate myself more in the security field.
For those who care to check out :
http://mtc.sri.com/Conficker/addendumC/index.html (that's for version C, the latest)
http://mtc.sri.com/Conficker
Thanks, and if you've dealt / you're dealing with the Conficker problem in your organization, please let me know your experience with it.. Also share your general opinion about the malware..
Thanks,
Byte~
Last edited by ByTeWrangler; March 23rd, 2009 at 08:45 PM.
Parth Maniar,
CISSP, CISM, CISA, SSCP
*Thank you GOD*
Greater the Difficulty, SWEETER the Victory.
Believe in yourself.
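The decrypt-only-if-signed update scheme described in post #1 (RC4 with a 512-bit key, gated on a public-key signature), worked as an added example that is not part of the original thread or of any Conficker analysis. RC4 is implemented in full; the signature is a toy RSA key of about 60 bits built from two well-known primes so the script runs offline (Conficker's key is 4096-bit), the blob layout of 8-byte signature followed by ciphertext is an assumption for the example, and the signature is checked over the ciphertext before any decryption happens, which is the ordering the post describes.

```python
import hashlib


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher; encryption and decryption are the same operation."""
    # Key-scheduling algorithm (KSA)
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA), keystream XORed into data
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Toy RSA key (constructed for the example; ~60-bit modulus, NOT 4096-bit).
P, Q = 1000000007, 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
SIG_LEN = 8  # N < 2**60, so a signature fits in 8 bytes (assumed blob layout)


def _digest_int(data: bytes) -> int:
    # Hash reduced modulo N only because the toy modulus is tiny.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def toy_sign(data: bytes) -> bytes:
    """Sign with the private exponent (the update server's side)."""
    return pow(_digest_int(data), D, N).to_bytes(SIG_LEN, "big")


def toy_verify(data: bytes, sig: bytes) -> bool:
    """Verify with the public exponent (the client's side)."""
    return pow(int.from_bytes(sig, "big"), E, N) == _digest_int(data)


def build_update(key: bytes, payload: bytes) -> bytes:
    """Server side: encrypt with RC4, then sign the ciphertext."""
    ciphertext = rc4(key, payload)
    return toy_sign(ciphertext) + ciphertext


def process_update(blob: bytes, key: bytes):
    """Client side: verify the signature first, decrypt only if it holds.

    Returns the plaintext, or None when the blob is unsigned or tampered.
    """
    if len(blob) <= SIG_LEN:
        return None
    sig, ciphertext = blob[:SIG_LEN], blob[SIG_LEN:]
    if not toy_verify(ciphertext, sig):
        return None  # never touch RC4 for an unauthenticated download
    return rc4(key, ciphertext)


if __name__ == "__main__":
    key = bytes(range(64))  # constructed 512-bit RC4 key
    blob = build_update(key, b"constructed update payload")
    print(process_update(blob, key))
    tampered = blob[:-1] + bytes([blob[-1] ^ 0x01])
    print(process_update(tampered, key))  # None: signature no longer matches
```

For a defender the useful observation is that the RC4 key alone is worthless for forging an update: without the private signing key a modified blob is rejected before decryption, which is exactly why this design frustrated attempts to hijack the botnet by serving fake updates to its rendezvous domains.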
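A static heuristic for the SLDT trick from post #1, as an added example that is not from the thread or from any published Conficker analysis. It scans raw x86 bytes for the descriptor-table store instructions (SLDT is opcode 0F 00 /0; STR, SGDT and SIDT share the same two-byte prefixes with other ModRM reg values) and reports their offsets, which is how an analyst can flag a sample for an anti-VM check before running it. The sample bytes are constructed to mimic the check the post describes (sldt, compare with zero, push -1 for Sleep) and are not copied from the worm.

```python
# Descriptor-table store instructions keyed by (second opcode byte, ModRM reg).
# SLDT = 0F 00 /0, STR = 0F 00 /1, SGDT = 0F 01 /0, SIDT = 0F 01 /1.
DESCRIPTOR_OPS = {
    (0x00, 0): "SLDT",
    (0x00, 1): "STR",
    (0x01, 0): "SGDT",
    (0x01, 1): "SIDT",
}


def find_descriptor_table_instructions(code: bytes):
    """Return [(offset, mnemonic)] for every SLDT/STR/SGDT/SIDT pattern.

    This is a linear byte scan, not a disassembler: a match inside data or in
    the middle of another instruction is a false positive, so treat hits as a
    triage signal that tells you where to look, not as proof.
    """
    hits = []
    for i in range(len(code) - 2):
        if code[i] != 0x0F or code[i + 1] not in (0x00, 0x01):
            continue
        modrm = code[i + 2]
        mod = modrm >> 6
        reg = (modrm >> 3) & 7
        # SGDT/SIDT only take a memory operand; mod == 3 with 0F 01 encodes
        # other instructions (VMCALL, MONITOR, ...) and must not be reported.
        if code[i + 1] == 0x01 and mod == 3:
            continue
        name = DESCRIPTOR_OPS.get((code[i + 1], reg))
        if name:
            hits.append((i, name))
    return hits


def anti_vm_verdict(code: bytes) -> str:
    """Summarise the scan as a one-line triage verdict."""
    names = sorted({name for _, name in find_descriptor_table_instructions(code)})
    if not names:
        return "no descriptor-table instructions found"
    return "possible anti-VM check: " + ", ".join(names)


# Constructed snippet mimicking the check described in the post:
#   0F 00 C0      sldt ax
#   66 85 C0      test ax, ax
#   74 05         jz   +5            (LDT == 0 -> native, keep going)
#   6A FF         push -1            (Sleep(0xFFFFFFFF))
#   FF 15 ..      call dword ptr [Sleep]   (address bytes are placeholders)
SAMPLE = bytes.fromhex("0F00C0" "6685C0" "7405" "6AFF" "FF1500000000")

if __name__ == "__main__":
    for offset, name in find_descriptor_table_instructions(SAMPLE):
        print(f"{offset:#06x}: {name}")
    print(anti_vm_verdict(SAMPLE))
```

Run it over a code section rather than the whole file to keep the false-positive rate down; the same offsets are a good place to put a breakpoint when you want to watch the comparison the post describes happen in a debugger on a known-clean lab box.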
-
September 16th, 2009, 10:38 AM
#2
I've been following it since the first variant and it is a very impressive worm.
I think we can expect Conficker.D shortly. If the SMB2 vulnerability in Vista shows that remote code execution is possible, which I think it is, it's just a matter of time before the authors implement it.
silent play in the shadow of power...