Fatma Bazargan’s blog

March 26, 2009, 8:31 pm
Filed under: Security
hmm.. i dont think it's that pretty!

hmm.. i dont think it's that pretty!

For a while the Conficker worm has just been such a nightmare for all. Now that everyone has been talking about the April 1st where a new variant of Conficker will be released, as a heads up folks it isn’t like a doomsday, it is just that before Conficker.A and B were polling 250 domains per day to download and run an update program, the new variant will poll 50,000 domains instead to do the same thing. The security researchers have also stated that the Conficker worm has been crafted by professionals as it is considered one of the first real world cases that uses MD6 hash algorithm.


As I have mentioned before about the SRI International’s writeup about confikcer now they have also released a new technical writeup about the Conficker.C analysis. Parts of the writeup explains the Peer-to-Peer functionality and the domain name generation pseudo-code for the Conficker.C:


“Among the key changes, Conficker C increases the number of daily domain names generated, from 250 to 50,000 potential Internet rendezvous points. Of these 50,000 domains, only 500 are queried, and unlike previous versions, they are queried only once per day. “


There is also a Sandbox result for running Conficker.C.


I’m sure you all may have tons of questions in regards to this worm, here you can find the April 1st Conficker questions and answers. (A MUST READ) Don’t forget to read about the peer-to-peer functionality as well.  


An F-Secure cleaning tool is available here.






Leave a Comment so far
Leave a comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: