Slashdot Mirror


New Conficker Variant Increases Its Flexibility

CWmike writes "Criminals behind the widespread Conficker worm have released a new version that could signal a major shift in the way the malware operates. The new variant, dubbed Conficker B++, was spotted three days ago by SRI International researchers, who published details of the new code on Thursday. To the untrained eye, the new variant looks almost identical to the previous version of the worm, Conficker B. But the B++ variant uses new techniques to download software, giving its creators more flexibility in what they can do with infected machines."

11 of 120 comments

  1. The Botnet National Anthem by Chris+Tucker · · Score: 5, Funny

    Botnets, worldwide botnets.
    What kind of boxes are on botnets?

    Compaq, HP, Dell and Sony, TRUE!
    Gateway, Packard Bell, maybe even Asus, too.

    Are boxes, found on botnets.
    All running Windows, FOO!

    --
    Guaranteed! This comment 100% Anthrax free!
    1. Re:The Botnet National Anthem by wisty · · Score: 5, Funny

      YOU HAVE RECEIVED THE UNIX VIRUS!

      This virus works on the honor system. Please
      randomly delete some of your files and forward
      this to everyone you know.

  2. This is slashdot right? by blool · · Score: 4, Interesting

    Why is the summary so devoid of technical detail? You realize we don't read the articles right?

    1. Re:This is slashdot right? by Psychotria · · Score: 4, Informative

      Because the article doesn't have any technical detail either.

      Well, the second linked-to article (the one by SRI) is chock full of technical details; and it's an interesting read.

    2. Re:This is slashdot right? by grizdog · · Score: 4, Funny

      Because the article doesn't have any technical detail either. I would assume that the new features allow them to connect through some sort of peering mechanism, but the article doesn't go into detail.

      Well, I thought there was some useful detail in the article, particularly this:

      Overall, the modifications to Conficker B++ appear relatively minor as compared to the significant upgrade in functionality, performance, and reliability, that occurred from Conficker A to B. These smaller and more surgical changes to B appear to address some of the realities that are currently impacting Conficker's binary update strategy. In particular, in Conficker A and B, there appeared only one method to submit Win32 binaries to the digital signature validation path, and ultimately to the CreateProcess API call. This path required the use of the Internet rendezvous point to download the binary through an HTTP transaction. Under Conficker B++, two new paths to binary validation and execution have been introduced to Conficker drones, both of which bypass the use of Internet Rendezvous points: an extension to the netapi32.dll patch and the new named pipe backdoor. These changes suggest a desire by the Conficker's authors to move away from a reliance on Internet rendezvous points to support binary update, and toward a more direct flash approach.

      However, Conficker A and B did support through the previous netapi32.dll patch an ability to accept new DLLs, as long as the shell code submitted through the RPC buffer overflow matched the original Conficker infection shell code. This approach was limiting both in the requirement that direct flashing required an easily identifiable shellcode string and a single DLL method loading procedure, both of which are now subject to detection by security software. Conficker B++ dramatically increases the flexibility of the direct flash mechanisms, offering an ability to load digitally signed Win32 executables directly to a Conficker host.

    3. Re:This is slashdot right? by MichaelSmith · · Score: 5, Funny

      Cripes with all the reliance they are placing on windows internals they will never get this thing ported to *nix. It's almost as bad as autocad.

    4. Re:This is slashdot right? by InsertWittyNameHere · · Score: 5, Informative

      In short bot herders can now push updates to infected machines rather than relying on the infected machine to seek out and download updates.

      Some quotes:

      "a more efficient push-based updating service"

      "the ability to accept and validate remotely submitted URLs and Win32 binaries, could signal a significant shift in the strategies used by Conficker's authors to upload and interact with their drones."

      "comparing Conficker B with Conficker B++, we obtained a similarity score of 86.4%. "

      "out of 297 subroutines in Conficker B, only 3 were modified in Conficker B++ and around 39 new subroutines were added. "

      "Under Conficker B++, two new paths to binary validation and execution have been introduced to Conficker drones, both of which bypass the use of Internet Rendezvous points: an extension to the netapi32.dll patch and the new named pipe backdoor. These changes suggest a desire by the Conficker's authors to move away from a reliance on Internet rendezvous points to support binary update, and toward a more direct flash approach."

      "Conficker B++ dramatically increases the flexibility of the direct flash mechanisms, offering an ability to load digitally signed Win32 executables directly to a Conficker host. "
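
      The SRI quotes above describe a subroutine-level comparison between Conficker B and B++ (3 of 297 subroutines modified, 39 added). The following is an added analyst-side illustration of that kind of comparison, not SRI's tool or metric: the sample listings are constructed, subroutines are matched by name for simplicity, and the similarity measure (share of distinct subroutines left unchanged) is my own choice.

```python
"""Function-level diff of two analysed builds. Illustrative example with
constructed inputs; the similarity measure is not SRI's actual metric."""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class DiffReport:
    unchanged: int
    modified: int
    added: int
    removed: int

    @property
    def similarity(self) -> float:
        """Share of all distinct subroutines (old and new) that are unchanged."""
        total = self.unchanged + self.modified + self.added + self.removed
        return self.unchanged / total if total else 1.0


def fingerprint(disasm: str) -> str:
    """Hash of a normalised listing: immediates and addresses are masked so a
    relocated call target alone does not count as a modified subroutine."""
    norm = re.sub(r"0x[0-9a-fA-F]+", "IMM", disasm)
    norm = " ".join(norm.split())
    return hashlib.sha256(norm.encode()).hexdigest()


def diff_builds(old: dict[str, str], new: dict[str, str]) -> DiffReport:
    """old/new map subroutine name -> disassembly text (matched by name here)."""
    old_fp = {name: fingerprint(body) for name, body in old.items()}
    new_fp = {name: fingerprint(body) for name, body in new.items()}
    common = old_fp.keys() & new_fp.keys()
    unchanged = sum(1 for name in common if old_fp[name] == new_fp[name])
    return DiffReport(unchanged=unchanged, modified=len(common) - unchanged,
                      added=len(new_fp.keys() - old_fp.keys()),
                      removed=len(old_fp.keys() - new_fp.keys()))


# Constructed sample listings; hypothetical names, not real Conficker code.
OLD_BUILD = {
    "sub_init": "push ebp; mov ebp, esp; call 0x401000; ret",
    "sub_fetch_update": "push ebp; mov ebp, esp; call 0x402000; ret",
    "sub_validate": "push ebp; cmp eax, 0x1; jne 0x403010; ret",
}
NEW_BUILD = {
    "sub_init": "push ebp; mov ebp, esp; call 0x401200; ret",  # only the address moved
    "sub_fetch_update": "push ebp; mov ebp, esp; test eax, eax; jz 0x402010; call 0x402000; ret",
    "sub_validate": "push ebp; cmp eax, 0x1; jne 0x403010; ret",
    "sub_pipe_listener": "push ebp; mov ebp, esp; call 0x404000; ret",  # new in this build
}

if __name__ == "__main__":
    report = diff_builds(OLD_BUILD, NEW_BUILD)
    print(report, f"similarity={report.similarity:.3f}")
```

On the constructed builds this reports 2 unchanged, 1 modified, 1 added and 0 removed subroutines; in practice stripped binaries would need a matching step (by call graph or by fingerprint) instead of matching by name.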

    5. Re:This is slashdot right? by Narnie · · Score: 5, Funny

      Microsoft should hire these guys to revamp Windows Update.

      --
      greed@All_Evils:~#
  3. Re:Meep Beep! by HTH+NE1 · · Score: 4, Insightful

    Poor little Conficker never bothers anyone,
    Just runnin' down the road's his idea of having fun.

    And still true: it still hasn't done anything more than spread and try to keep itself from being purged.

    With all the suspense and the scale of infection, whatever the payload is going to be, it'd better be something totally awesome!

    --
    Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
  4. Re:This is you on windows by Chris+Tucker · · Score: 4, Insightful

    And they keep coming back to Windows.

    "Oh, I KNOW Windows loves me. All the abuse is my fault. I deserve it!"

    --
    Guaranteed! This comment 100% Anthrax free!
  5. Re:Meep Beep! by v1 · · Score: 4, Interesting

    I know this is a very unpopular view with a lot of people, but I'd personally like to see a major worm like this pop a msg saying "your computer has been taken over and is available to be used to harm others. You need to take your computer into the repair shop and get it cleaned up and protective software installed".

    And then make windows unable to do anything but display that message when it boots.

    Half the population would be picking up pitchforks, and the other half would be saying THANK you!

    I for one am sick and tired of ignorant computer users getting their machines botnetted, blissfully unaware of the harm they are then contributing to. (and many of them are aware and just plain don't care)

    Do the world a favor. MAKE them care.

    --
    I work for the Department of Redundancy Department.