
Excellent Conficker Analysis (All Currently Known Variants)

03/31/09

11:23:37 pm, by Zach Brewer
Categories: Cisco Security Agent, Malware Analysis


As everyone is well aware, Conficker worm variants have been exploiting MS08-067 since November 2008 (possibly earlier). Conficker continues to spread despite the fact that a patch for this vulnerability has been available since October 2008. The latest "C" variant of Conficker is well written and includes protection against many security products and analysis tools. The following links contain useful information on the analysis and remediation of Conficker worm variants.

For an excellent analysis of Conficker we recommend the following:
http://mtc.sri.com/Conficker/
http://mtc.sri.com/Conficker/addendumC/index.html

For remediation and scanning tools, please see:
http://www.dshield.org/diary.html?storyid=5860

For a list of some of the 50,000+ domain names used by Conficker C, please see:
http://www.annysoft.com/confi/Domains_Conficker.C.txt
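One practical use of a domain list like the one above is to check internal DNS query logs for hosts that resolve listed names, which points at machines that may already be infected. The following is an added example, not code from the original post or from any of the linked resources; it assumes the list is one domain per line (constructed placeholder `.example` names stand in for real entries) and parses BIND-style query log lines that are likewise constructed here.

```python
import re
from collections import defaultdict

# Constructed sample blocklist: one domain per line, '#' for comments.
# The real Conficker C list linked above is assumed to use the same layout.
BLOCKLIST_TEXT = """
# constructed placeholder entries, not real indicators
abcxyz.example
qwerty.example
hjkl.example
"""

# Constructed BIND-style query log lines (client IP, then the queried name).
DNS_LOG = """
31-Mar-2009 22:10:01.123 client 10.0.0.5#1234: query: www.cisco.com IN A + (10.0.0.1)
31-Mar-2009 22:10:02.456 client 10.0.0.7#5353: query: abcxyz.example IN A + (10.0.0.1)
31-Mar-2009 22:10:03.789 client 10.0.0.7#5353: query: mail.hjkl.example IN A + (10.0.0.1)
31-Mar-2009 22:10:04.001 client 10.0.0.9#4444: query: notqwerty.example IN A + (10.0.0.1)
"""

QUERY_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN")


def load_blocklist(text):
    """Parse the domain list into a lowercase set, skipping blanks and comments."""
    domains = set()
    for line in text.splitlines():
        line = line.strip().lower()
        if not line or line.startswith("#"):
            continue
        domains.add(line.rstrip("."))
    return domains


def matches_blocklist(qname, blocklist):
    """Return the listed domain that qname equals or is a subdomain of, else None.

    Walking the label suffixes means 'mail.hjkl.example' matches 'hjkl.example',
    while 'notqwerty.example' does not match 'qwerty.example' (no substring matching).
    """
    name = qname.lower().rstrip(".")
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def scan_dns_log(log_text, blocklist):
    """Map each querying client IP to the listed domains it asked for."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        matched = matches_blocklist(m.group("qname"), blocklist)
        if matched:
            hits[m.group("src")].append(matched)
    return dict(hits)


if __name__ == "__main__":
    bl = load_blocklist(BLOCKLIST_TEXT)
    for src, domains in scan_dns_log(DNS_LOG, bl).items():
        print(f"{src}: queried {len(domains)} listed domain(s): {', '.join(domains)}")
```

A host showing up in the output is a candidate for the scanning and remediation tools linked above; suffix matching rather than substring matching keeps the check from flagging unrelated names that merely contain a listed domain.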

It is also worth noting that the CSA 6.0 Dynamic Signature Generation feature protects and distributes RPC signatures dynamically based upon locally quarantined payloads. CSA Dynamic Signatures, in addition to built-in buffer overflow protection, should prevent Conficker infections on CSA hosts running Cisco default rules in protect mode. We hope to have a detailed write-up on Dynamic Signature Generation and Conficker in the coming days.

Priveon, Inc.

