Addendum to SRI's Conficker C Analysis Published

SRI recently updated their Conficker C analysis with another addendum, this one covering Conficker C's peer-to-peer (P2P) protocol and its implementation. Here is the abstract of the new addendum:

This report presents a reverse engineering of the obfuscated binary code image of the Conficker C peer-to-peer (P2P) service, captured on 5 March 2009 (UTC). The P2P service implements the functions necessary to bootstrap an infected host into the Conficker P2P network through scan-based peer discovery, and allows peers to share and spawn new binary logic directly into the currently running Conficker C process. Conficker's P2P logic and implementation are dissected and presented in source code form. The report documents its thread architecture, presents the P2P message structure and exchange protocol, and describes the major functional elements of this module.

As always, this is a GREAT report from the Malware Threat Center at SRI. 

Marcus H. Sachs
Director, SANS Internet Storm Center


Sep 23rd 2009