Author Topic: Conficker/Downadup news  (Read 28401 times)

0 Members and 1 Guest are viewing this topic.

March 07, 2009, 12:56:25 am
Reply #30

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Ruining the bad guy's day

March 07, 2009, 08:37:09 pm
Reply #31

Serg

  • Special Members
  • Sr. Member

  • Offline
  • *

  • 132
Conficker gets upgraded with defenses
http://www.theregister.co.uk/2009/03/07/conficker_upgrade/
Quote
The new component ups the ante by increasing the number of domains to 50,000 per day.

March 13, 2009, 04:58:54 pm
Reply #32

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
The Downadup Codex
Quote
How do you summarize the functionality of a threat like Downadup? It sounds like the sort of challenge taken up only by folks that can solve a Rubik’s Cube in 30 seconds or less. If someone asked me do so in a sentence, here’s how I’d do it:

https://forums2.symantec.com/t5/Malicious-Code/The-Downadup-Codex/ba-p/393279

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_downadup_codex_ed1.pdf
Ruining the bad guy's day

March 18, 2009, 11:27:33 am
Reply #33

Serg

  • Special Members
  • Sr. Member

  • Offline
  • *

  • 132
from 4 march we see big decrease of kido activity on 445 port http://www.dshield.org/port.html?port=445. There was suspicion that some of kido cnc server is online and out of coalition block http://www.microsoft.com/Presspass/press/2009/feb09/02-12ConfickerPR.mspx?rss_fdn=Press%20Releases. We've checked and rechecked. Some of infected pc are updated. So that's true. Now we have 25!!! samples of new kido based malware. Good news - update is not a worm. Bad news - update has p2p crypto protocol. Symantec already write some thing about that https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-C-Digs-in-Deeper/ba-p/393245 but that main point of this post is "The coalition doesn't work!!!". ...Crap... Idiots...

PS. New kido in ida
Code: [Select]
UPX0:10003D29                 cmp     [esp+1BCh+SystemTime.wYear], 2009
UPX0:10003D30                 ja      short loc_10003D46
UPX0:10003D32                 jnz     short loc_10003D5C
UPX0:10003D34                 cmp     [esp+1BCh+SystemTime.wMonth], 4
UPX0:10003D3A                 ja      short loc_10003D46
UPX0:10003D3C                 jnz     short loc_10003D5C
UPX0:10003D3E                 cmp     [esp+1BCh+SystemTime.wDay], 1
UPX0:10003D44                 jb      short loc_10003D5C
we have two weeks to make a solution...

March 20, 2009, 06:43:22 am
Reply #34

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Ruining the bad guy's day

March 20, 2009, 09:19:26 pm
Reply #35

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Ruining the bad guy's day

March 22, 2009, 04:17:51 pm
Reply #36

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Ruining the bad guy's day

March 30, 2009, 02:31:17 pm
Reply #37

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Ruining the bad guy's day

March 30, 2009, 03:15:23 pm
Reply #38

sowhat-x

  • Guest
Containing Conficker
http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/
Linked from Honeypot.org above...that's really cool work there...

March 30, 2009, 04:09:59 pm
Reply #39

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Ruining the bad guy's day

March 31, 2009, 05:30:27 pm
Reply #40

sowhat-x

  • Guest

April 01, 2009, 05:56:50 am
Reply #41

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Ruining the bad guy's day

April 02, 2009, 07:52:28 am
Reply #42

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Ruining the bad guy's day

April 02, 2009, 09:59:41 pm
Reply #43

sowhat-x

  • Guest

April 02, 2009, 10:47:37 pm
Reply #44

sowhat-x

  • Guest