Conficker/Downadup news

[SysAdMini]

W32.Downadup.C Digs in Deeper
https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-C-Digs-in-Deeper/ba-p/393245#A249

[Serg]

Conficker gets upgraded with defenses
http://www.theregister.co.uk/2009/03/07/conficker_upgrade/

The new component ups the ante by increasing the number of domains to 50,000 per day.

[SysAdMini]

The Downadup Codex

How do you summarize the functionality of a threat like Downadup? It sounds like the sort of challenge taken up only by folks that can solve a Rubik’s Cube in 30 seconds or less. If someone asked me do so in a sentence, here’s how I’d do it:

https://forums2.symantec.com/t5/Malicious-Code/The-Downadup-Codex/ba-p/393279

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_downadup_codex_ed1.pdf

[Serg]

from 4 march we see big decrease of kido activity on 445 port http://www.dshield.org/port.html?port=445. There was suspicion that some of kido cnc server is online and out of coalition block http://www.microsoft.com/Presspass/press/2009/feb09/02-12ConfickerPR.mspx?rss_fdn=Press%20Releases. We've checked and rechecked. Some of infected pc are updated. So that's true. Now we have 25!!! samples of new kido based malware. Good news - update is not a worm. Bad news - update has p2p crypto protocol. Symantec already write some thing about that https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-C-Digs-in-Deeper/ba-p/393245 but that main point of this post is "The coalition doesn't work!!!". ...Crap... Idiots...

PS. New kido in ida

Code: [Select]

UPX0:10003D29                 cmp     [esp+1BCh+SystemTime.wYear], 2009
UPX0:10003D30                 ja      short loc_10003D46
UPX0:10003D32                 jnz     short loc_10003D5C
UPX0:10003D34                 cmp     [esp+1BCh+SystemTime.wMonth], 4
UPX0:10003D3A                 ja      short loc_10003D46
UPX0:10003D3C                 jnz     short loc_10003D5C
UPX0:10003D3E                 cmp     [esp+1BCh+SystemTime.wDay], 1
UPX0:10003D44                 jb      short loc_10003D5C
we have two weeks to make a solution...

[SysAdMini]

Conficker.C Analysis
http://mtc.sri.com/Conficker/addendumC/

[SysAdMini]

W32.Downadup.C Bolsters P2P
https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-C-Bolsters-P2P/ba-p/393331

[SysAdMini]

Conficker Removal Tools urls
http://isc.sans.org/diary.html?storyid=5860

[SysAdMini]

Detecting Conficker
http://honeynet.org/node/388

[sowhat-x]

Containing Conficker
http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/
Linked from Honeypot.org above...that's really cool work there...

[SysAdMini]

Detecting Conficker
http://honeynet.org/node/388

Win32 version of the tool. No need to install python ... manually.

http://www.bsk-consulting.de/download/scs-win.zip

[sowhat-x]

Conficker Working Group Wiki
http://confickerworkinggroup.net/wiki/

[SysAdMini]

Restore Access to Blocked Sites on Conficked Systems
http://countermeasures.trendmicro.eu/restore-access-to-blocked-sites-on-conficked-systems/

[SysAdMini]

Conficker World Maps
http://www.f-secure.com/weblog/archives/00001646.html

[sowhat-x]

The art of unpacking Conficker worm
http://blog.fortinet.com/the-art-of-unpacking-conficker-worm/

[sowhat-x]

Both Nmap and Nessus have been updated in the meanwhile in order to avoid false positives...
http://nmap.org/changelog.html
http://blog.tenablesecurity.com/2009/04/updated-conficker-detection-plugin-released.html