The Conficker worm has been wreaking havoc on the Internet for several months now, and despite the concerted efforts of dozens of security organizations around the world, it is showing no signs of fading. A new analysis of Conficker by SRI International shows that the worm’s authors have added further code obfuscation and other mechanisms to avoid analysis and removal.
“In addition to the dual layers of packing and encryption used to protect A and B from reverse engineering, this latest variant also cloaks its newest code segments, along with its latest functionality, under a significant layer of code obfuscation to further hinder binary analysis. Nevertheless, with a careful mixture of static and dynamic analysis, we attempt here to summarize the internal logic of Conficker C,” the report says.
Conficker.C is the third major release of the worm’s code and the SRI research team said that it appears that as much as 85 percent of the worm’s code was changed in the current version. That’s a good indication not only of the seriousness and efficiency of the worm’s authors, but also that the group is likely monitoring the efforts of security companies to get a handle on Conficker.
“It is clear that the Conficker authors are well informed and are tracking efforts to eliminate the previous Conficker epidemics at the host and Internet governance level. In Conficker C, they have now responded with many of their own countermeasures to thwart these latest defenses,” the SRI report says. “For example, C’s latest revision of Conficker’s now well-known Internet rendezvous logic may represent a direct retort to the action of the Conficker Cabal, which recently blocked all domain registrations associated with the A and B strains. C now selects its rendezvous points from a pool of over 50,000 randomly generated domain name candidates each day. C further increases Conficker’s top-level domain (TLD) spread from five TLDs in Conficker A, to eight TLDs in B, to 110 TLDs that must now be involved in coordination efforts to track and block C’s potential DNS queries. With this latest escalation in domain space manipulation, C not only represents a significant challenge to those hoping to track its census, but highlights some weaknesses in the long-term viability of how Internet address and name space governance is conducted.”
Security experts say that the group behind the creation of Conficker clearly includes some very capable developers with a good knowledge of countermeasures and techniques employed by security vendors and IT security teams. One malware expert told me that the Conficker authors are “very, very talented and know exactly what we’re trying to do to stop them. They’re one step ahead of us all the time so far.”
The result, the SRI authors say, is that “if organized into a coordinated offensive weapon, this multimillion-node botnet poses a serious and dire threat to the Internet.”