Getting More Information About Conficker
With the reported detection of Conficker B++ in the last week, a difference is now developing in how antimalware companies detect and report this particular variant. Despite the almost universal adoption of B++ as the identifier, Microsoft have commenced detecting and reporting the variant as Conficker.C, as reported via the Microsoft Malware Protection Centre.
One of the best writeups on the current version has been done by the SRI team and can be found here. Out of the analysis, it is interesting to note that while 11.4 million systems may have been affected by Conficker in its A or B variant, somewhat fewer than 4 million systems are actively infected. This is still a sizable botnet, but it is a much smaller figure than is normally passed around.
One of the first interesting items raised in the SRI analysis is the initial similarities between B and B++ variants, with the binaries appearing very similar, down to sharing the same domain generation code and 86.4% similarity score between the two versions.
From here, though, the new capabilities add another layer of problems for those trying to detect and stop the worm. Probably the biggest problem is the improved infection methods introduced by B++, including "using methods that are not detected by the latest anti-Conficker security applications." With this version the Conficker authors can announce the availability of new exploit code for system infection or other purposes; the infected systems will reach out and download it from the identified source, validate the decrypted code to ensure it has been signed by the Conficker authors, and then execute it.
This is a little different from the preceding versions, which relied upon polling specific sets of URLs that had been generated from the randomisation code within the worm. Since the antimalware companies had been able to reverse engineer this domain generation code, it was getting harder and harder for the Conficker authors to register domains that infected systems would poll and it was also leading to increased risk of discovery.
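The domain-polling behaviour described above is what made the earlier variants visible on the network: an infected host resolves many algorithmically generated names, most of which nobody has registered, so the resolver answers NXDOMAIN. The following is an added illustration of that defensive observation, not code from the SRI analysis or from Conficker itself; it does not reproduce the worm's actual domain generation code, and the log format, client addresses, domain names and thresholds are all constructed for the example.

```python
import math
import re
from collections import defaultdict

# Constructed sample of resolver log lines in a hypothetical format:
# "<timestamp> <client_ip> <qname> <rcode>". Host 10.0.0.9 plays the part
# of an infected machine polling random-looking, unregistered names.
SAMPLE_LOG = """\
2009-02-24T10:00:01 10.0.0.5 mail.example.com NOERROR
2009-02-24T10:00:02 10.0.0.5 www.example.com NOERROR
2009-02-24T10:00:03 10.0.0.9 qwzpkfjxl.biz NXDOMAIN
2009-02-24T10:00:03 10.0.0.9 hjdkqoeur.info NXDOMAIN
2009-02-24T10:00:04 10.0.0.9 zxpqolmnb.net NXDOMAIN
2009-02-24T10:00:04 10.0.0.9 kjhvbcxyt.org NXDOMAIN
2009-02-24T10:00:05 10.0.0.9 plmoknijb.com NXDOMAIN
2009-02-24T10:00:05 10.0.0.9 updates.example.com NOERROR
2009-02-24T10:00:06 10.0.0.7 typo-of-examlpe.com NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN)$")


def shannon_entropy(label: str) -> float:
    """Bits per character of a DNS label; random-looking labels score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(qname: str) -> str:
    """Return the label left of the TLD, e.g. 'qwzpkfjxl' for 'qwzpkfjxl.biz'."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_log(text: str):
    """Yield (timestamp, client_ip, qname, rcode) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def find_dga_suspects(text: str, nx_threshold: int = 4, entropy_threshold: float = 2.8):
    """Map client_ip -> list of suspicious qnames for hosts that received at least
    nx_threshold NXDOMAIN answers for names whose second-level label looks random.
    Thresholds are illustrative; tune them against your own resolver's baseline."""
    per_host = defaultdict(list)
    for _ts, client, qname, rcode in parse_log(text):
        if rcode != "NXDOMAIN":
            continue
        if shannon_entropy(second_level_label(qname)) >= entropy_threshold:
            per_host[client].append(qname)
    return {ip: names for ip, names in per_host.items() if len(names) >= nx_threshold}


if __name__ == "__main__":
    for ip, names in find_dga_suspects(SAMPLE_LOG).items():
        print(f"{ip}: {len(names)} NXDOMAIN lookups for random-looking names")
```

A single typo (10.0.0.7 above) produces one NXDOMAIN and is ignored by the per-host count; the same heuristic is also why the move in B++ away from predictable domain polling toward a quieter update channel makes this kind of resolver-side detection less effective.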
As to the geographic and Internet spread of the worm, the SRI analysis shows that the infections are clustered around a few IP networks and that there isn't a whole lot of difference between the A and B variants in that distribution. China and Brazil clearly have the largest numbers of infected systems, with China alone accounting for a quarter of all detected infections.
SRI believe that there are some clues as to the location of Conficker's authors, with Conficker.B connections noticed three days before the worm was actually detected in the wild. These seemingly spurious connections point to the Ukraine and to Argentina. The Ukrainian link is considered an interesting one, given the actions of Conficker.A to avoid infecting Ukrainian systems and the dissemination of the Antivirus XP malware from Baka Software with Conficker.A during December 2008.
With the move of B++ to make it harder to disrupt infection updates and taking infected systems to a quieter normal state, it is going to be difficult to track the number of systems affected by this new variant, as well as to track the worm's evolution from this point. Microsoft's $250,000 reward looks like it is going to remain unclaimed for the near future, at least.
24 February 2009