Wednesday, February 18, 2009

SRI International: An Analysis of Conficker's Logic and Rendezvous Points

In this paper, we crack open the Conficker A and B binaries, and analyze many aspects of their internal logic. Some important aspects of this logic include its mechanisms for computing a daily list of new domains, a function that, in both Conficker variants, lay dormant during their early propagation stages until November 26 and January 1, respectively. Conficker drones use these daily computed domain names to seek out Internet rendezvous points that may be established by the malware authors whenever they wish to census their drones or upload new binary payloads to them. This binary update service essentially replaces the classic command and control functions that allow botnets to operate as a collective. It also provides us with a unique means to measure the prevalence and impact of Conficker A and B. The contributions of this paper include the following:
  * A static analysis of Conficker A and B. We dissect its top level control flow, capabilities, and timers
  * A description of the domain generation algorithm and the rendezvous protocol
  * An empirical analysis of infected hosts observed through rendezvous points
  * Exploration of Conficker's Ukrainian evidence trail
