
Tuesday, 24 March 2009

Malware to Watch: Conficker C

The SRI report on Conficker C makes for some fascinating, and terrifying, reading.  Conficker is a nasty chunk of malware that has spread very widely on Windows XP machines.  When it infects a machine, it sets up a sophisticated ring of defenses that prevents the user from removing it, then sits and monitors a set of outside websites looking for a digitally signed payload that contains a program that does... something.  Conficker has updated itself several times already (there is a Conficker A, B, B++, and C), and each update has improved its ability to neutralize host-based and network-based defenses.  At the moment, it blocks all network access to Microsoft updates, Symantec, and a number of other security vendors.  It prevents many anti-malware tools from running on the machine.  It even patches a known network bug so that other viruses can't attack the machine.
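One defender-side check that follows from the blocking behaviour described above is to compare whether vendor hosts are reachable against whether ordinary control hosts are; a host with working DNS that cannot reach any security vendor is worth a closer look. This is an added example, not code from the post or the SRI report; the hostnames are assumed representative examples, and the `reach` callable (DNS here) can be swapped for an HTTP probe.

```python
"""Vendor-reachability check in the spirit of the "blocks access to
Microsoft updates and Symantec" behaviour discussed above.
Added example; hostnames are assumed, not taken from the SRI report."""
import socket
from typing import Callable, Dict, Iterable, List

# Assumed representative hosts a piece of malware might try to cut off.
VENDOR_HOSTS: List[str] = ["update.microsoft.com", "www.symantec.com"]
# Assumed control hosts: if these fail too, the box is simply offline.
CONTROL_HOSTS: List[str] = ["example.com", "example.net"]

Reach = Callable[[str], bool]


def dns_reach(host: str) -> bool:
    """Default probe: True if the hostname resolves at all."""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False


def assess(reach: Reach = dns_reach,
           vendor_hosts: Iterable[str] = VENDOR_HOSTS,
           control_hosts: Iterable[str] = CONTROL_HOSTS) -> Dict[str, object]:
    """Classify the host by comparing vendor and control reachability.

    offline    - no control host reachable, so nothing can be concluded
    suspicious - controls reachable but every vendor host is not
    partial    - controls reachable, some vendor hosts unreachable
    clean      - everything reachable
    """
    vendor = {h: reach(h) for h in vendor_hosts}
    control_ok = any(reach(h) for h in control_hosts)
    failed = [h for h, ok in vendor.items() if not ok]
    if not control_ok:
        verdict = "offline"
    elif failed and len(failed) == len(vendor):
        verdict = "suspicious"
    elif failed:
        verdict = "partial"
    else:
        verdict = "clean"
    return {"verdict": verdict, "vendor_failed": failed, "control_ok": control_ok}


if __name__ == "__main__":
    print(assess())
```

A "suspicious" verdict is only a trigger for offline inspection of the machine, since a corporate proxy or a broken resolver can produce the same pattern.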

I'm not a malware expert, but the thing in the SRI report that caught my eye is the level of cryptographic sophistication exhibited by the author.  It checks digital signatures on all updates and downloads, and encrypts chunks of its own code to evade analysis.  Conficker uses the MD6 hashing algorithm, a brand new hash function developed by Ron Rivest as an entry in the NIST Advanced Hash Standard competition.  Conficker had incorporated this new algorithm within weeks of its announcement, so the author has to be spending some serious time monitoring cryptographic research.


Comments

Rob Adams

The malware folks have finally caught up to the design of Curious Yellow:
http://blanu.net/curious_yellow.html. We're nearing the point where every computer will be infected by bots and there won't be anything you can do about it.

Conficker fixes an issue with the Storm worm that was surprising when it was reverse engineered, which is that there's no authentication on the Storm messages.

I'm still waiting for the day when removal of a bot member results in immediate DDoS reprisals by the other members.
