Tuesday, February 24, 2009

Conficker analysis

SRI International's Malware Threat Center recently published a technical report titled An Analysis of Conficker's Logic and Rendezvous Points. In the report, its authors Phillip Porras, Hassen Saidi, and Vinod Yegneswaran do an excellent job of analyzing the different Conficker variants.

Conficker targets an array of attack vectors: some are network-based and some rely on users sharing portable media. The authors of the report pose a good question: why has Conficker been able to proliferate so widely? As they point out, one possible explanation is the stubborn refusal of some PC users to stay current with the latest Microsoft security patches.

Other explanations may be that corporate networks are often slow to deploy patches, even those marked critical. It is highly possible that in an initial vulnerability assessment, security teams decided that the network-based vector is only exploitable when users enable file and printer sharing, and so assigned the patch roll-out a lower priority. By now, I hope that most (if not all) security professionals are aware of the effectiveness and widespread nature of Conficker in all its variants.

However, whatever the reason may be that Conficker was so effective in spreading on a large scale, the fact of the matter is that it did. The authors of the report proceed to dissect the binary payload of the worm and describe its inner workings. For anyone who is interested in large-scale malware distribution, this paper is a must-read.


