Last Updated: 2009-09-23 01:24:17 UTC
by Marcus Sachs (Version: 1)
This report presents a reverse engineering of the obfuscated binary code image of the Conficker C peer-to-peer (P2P) service, captured on 5 March 2009 (UTC). The P2P service implements the functions necessary to bootstrap an infected host into the Conficker P2P network through scan-based peer discovery, and allows peers to share and spawn new binary logic directly into the currently running Conficker C process. Conficker's P2P logic and implementation are dissected and presented in source code form. The report documents its thread architecture, presents the P2P message structure and exchange protocol, and describes the major functional elements of this module.
As always, this is a GREAT report from the Malware Threat Center at SRI.
Marcus H. Sachs
Director, SANS Internet Storm Center