The Conficker stories are sure to heat up over the coming week, thanks to new information released by researchers at SRI International. The research offers new insight into the Conficker Worm and the criminals who developed it. A new variant has been spotted, and the changes to its code show that whoever wrote it knows security vendors are fighting it, and that the Worm is now fighting back.
A new variant of Conficker has emerged. Are you ready for Conficker B++?
SRI International took a long, hard look at the code in the new Conficker variant, which was discovered as early as February 6 and sent to SRI on February 16. Of the 297 subroutines that made up the original Conficker B Worm, which has spread to millions of systems around the world, the new code modifies three and adds 39 more. That defeats the original assumption that this was the same Worm in new packaging. It is not the same Worm; the new variant is something else, and it has earned the name Conficker B++.
While most of the Conficker routines remain the same in B++, the new code is aimed at defeating the efforts of the Conficker Cabal, who are fighting the original Conficker infection by blocking access to the domains it generates. They are able to block those domains because they reverse-engineered the original code and determined how the Worm fetches its commands and instructions.
Conficker generates a list of pseudo-random domain names, then connects to those domains to check for updates or instructions. Because the list is produced by a deterministic routine inside the Worm, researchers who reverse-engineered that routine could predict the names before they were ever used. They then moved to shut down the domains that already existed and to block access to the new ones as they came due.
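To make the cat-and-mouse concrete, here is an added illustration of the defender's side of a domain-generation scheme. It is example code written for this article, not Conficker's own routine: the seed value, hashing steps, domain count and TLD list are all assumptions chosen for the illustration, and Conficker's real constants are not reproduced. The point it demonstrates is the one the paragraph makes: once the generator is known, a defender can compute the same list the bots will compute, turn it into a blocklist ahead of time, and match it against DNS logs.

```python
import hashlib
import re
from datetime import date, timedelta

# Hypothetical constants for this illustration only. The real Conficker
# generator uses different inputs and produces far more names per day.
SEED = b"example-dga-seed"
TLDS = ("com", "net", "org")
DOMAINS_PER_DAY = 8
LABEL_RE = re.compile(r"^[a-z]{8}\.(com|net|org)$")


def generate_domains(day, count=DOMAINS_PER_DAY):
    """Deterministically derive the domains a bot would try on `day`.

    Both the bot and the defender run this same function; the only input
    that changes is the date, so the output is predictable in advance.
    """
    domains = []
    for i in range(count):
        material = SEED + day.isoformat().encode() + bytes([i])
        digest = hashlib.sha256(material).digest()
        # Map the first 8 digest bytes to lowercase letters for the label.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:8])
        tld = TLDS[digest[8] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def predict_blocklist(start, days):
    """Defender side: precompute every domain for `days` days from `start`."""
    names = set()
    for offset in range(days):
        names.update(generate_domains(start + timedelta(days=offset)))
    return names


def flag_dns_queries(log_lines, blocklist):
    """Return (client, domain) pairs whose queried name is in the blocklist.

    Expected log format (constructed for this example):
        <timestamp> <client-ip> <qname>. <qtype>
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        client, qname = parts[1], parts[2].rstrip(".").lower()
        if qname in blocklist:
            hits.append((client, qname))
    return hits


# Constructed sample DNS log: two queries for generated names, one benign.
DAY = date(2009, 2, 20)
SAMPLE_LOG = [
    f"2009-02-20T10:00:01 10.0.0.5 {generate_domains(DAY)[0]}. A",
    "2009-02-20T10:00:02 10.0.0.5 www.example.com. A",
    f"2009-02-21T03:12:44 10.0.0.9 {generate_domains(DAY + timedelta(days=1))[3]}. A",
]


def demo():
    """Build a three-day blocklist and run the sample log against it."""
    blocklist = predict_blocklist(DAY, days=3)
    return flag_dns_queries(SAMPLE_LOG, blocklist)


if __name__ == "__main__":
    for client, domain in demo():
        print(f"{client} queried predicted rendezvous domain {domain}")
```

Reading the output, the two infected clients stand out because they asked for names that exist only in the precomputed list; everything else in the log is ignored. This is exactly the leverage the Cabal had against Conficker B, and exactly what B++ undercuts by adding update paths that never touch a rendezvous domain.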
In B++, however, the authors of Conficker have added new code that sidesteps the methods used by those fighting the Worm.
“Under Conficker B++, two new paths to binary validation and execution have been introduced to Conficker drones, both of which bypass the use of Internet Rendezvous points: an extension to the netapi32.dll patch and the new named pipe backdoor. These changes suggest a desire by Conficker's authors to move away from a reliance on Internet rendezvous points to support binary update, and toward a more direct flash approach,” the SRI research stated.
So while the infection methods remain the same, the update methods are changing. This is a perfect example of the continuous game of cat and mouse between security researchers, security companies and malware authors: the researchers found a way to defeat the Worm's update method, and the Worm's author answered with a different method that many were unprepared to deal with.
The best methods for businesses and home users to stop Conficker at the source have been discussed in the past. The related articles below will offer more information.
The Tech Herald: Facts and information on the Conficker Worm
The Tech Herald: Do you use any of these passwords? Change them if you do
The Tech Herald: Microsoft dangles $250,000 carrot for capture of Conficker creator