(no subject)
Apr. 1st, 2009 08:55 pm

call InternetGetConnectedState       ; returns nonzero if any connection is up
test eax, eax
jz short loc_9A3C5C                  ; offline: skip the whole check
lea eax, [ebp+12Ch+SystemTime]
push eax ; lpSystemTime
call ebx ; GetLocalTime              ; local clock, not UTC
cmp [ebp+12Ch+SystemTime.wYear], 7D9h   ; 7D9h = 2009 (unsigned WORD compare)
ja short loc_9A3C37                  ; year > 2009: trigger
jnz short loc_9A3C4D                 ; year < 2009: not yet
cmp [ebp+12Ch+SystemTime.wMonth], 4  ; year == 2009, check the month
ja short loc_9A3C37                  ; month > April: trigger
jnz short loc_9A3C4D                 ; month < April: not yet
cmp [ebp+12Ch+SystemTime.wDay], 1    ; April 2009, check the day
jb short loc_9A3C4D                  ; day < 1 (never true for a real SYSTEMTIME): not yet; otherwise fall through to the trigger path

The above sequence of code has been the bane of my existence this week. It's the date check for April 1, 2009 from the Conficker.C worm. As with many other viruses in the past that do something on a specific date, there is tremendous media hype surrounding this. So, I had not been analyzing this worm for the last few months, because everyone else had it covered and I had other stuff to do, but now, because of the media hype, my company wants to have something published on it for marketing reasons. Since everyone else [see above] has published almost everything about it, there isn't much else for me to say. So I'm reversing the P2P protocol in Conficker.C, because it's the only part left… because it's the hardest part to understand. Anyway, I think I'll at least have figured out the IP address to UDP port calculation soon, so I can write a scanner/Snort rule for the P2P protocol. Anyway, don't interrupt me in the meantime…
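To pin down what the branch chain above actually evaluates to, here is a C transliteration of it (an added example; this is not the author's code and nothing here is taken from the sample beyond the three constants 7D9h, 4 and 1 visible in the listing). The SystemTime struct is a stand-in for Win32 SYSTEMTIME so it builds without windows.h, the function names are made up, and the boundary dates are constructed inputs. The second function is the lexicographic compare a decompiler would give, used to cross-check the first.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for the Win32 SYSTEMTIME layout (assumption: same field order and
 * WORD widths), so the example compiles on any platform without windows.h. */
typedef struct {
    uint16_t wYear;
    uint16_t wMonth;
    uint16_t wDayOfWeek;
    uint16_t wDay;
    uint16_t wHour;
    uint16_t wMinute;
    uint16_t wSecond;
    uint16_t wMilliseconds;
} SystemTime;

/* The three immediates from the listing: 7D9h == 2009, month 4, day 1. */
enum { TRIGGER_YEAR = 0x7D9, TRIGGER_MONTH = 4, TRIGGER_DAY = 1 };

/*
 * Straight transliteration of the branch chain:
 *   cmp wYear, 7D9h ; ja  -> loc_9A3C37 (trigger) ; jnz -> loc_9A3C4D (skip)
 *   cmp wMonth, 4   ; ja  -> trigger               ; jnz -> skip
 *   cmp wDay, 1     ; jb  -> skip                  ; fall through -> trigger
 * ja/jb are unsigned compares, matching the WORD fields.  Returns true when
 * the trigger path is reached, i.e. local date >= 2009-04-01.
 */
bool conficker_date_reached(const SystemTime *st)
{
    if (st->wYear > TRIGGER_YEAR)    return true;   /* ja  */
    if (st->wYear != TRIGGER_YEAR)   return false;  /* jnz */
    if (st->wMonth > TRIGGER_MONTH)  return true;   /* ja  */
    if (st->wMonth != TRIGGER_MONTH) return false;  /* jnz */
    if (st->wDay < TRIGGER_DAY)      return false;  /* jb  */
    return true;                                    /* fall-through */
}

/* Equivalent single lexicographic compare (year, month, day packed into one
 * integer); used to cross-check the transliteration above. */
bool date_on_or_after_trigger(uint16_t y, uint16_t m, uint16_t d)
{
    uint32_t cur = ((uint32_t)y << 16) | ((uint32_t)m << 8) | d;
    uint32_t trg = ((uint32_t)TRIGGER_YEAR << 16) | (TRIGGER_MONTH << 8) | TRIGGER_DAY;
    return cur >= trg;
}

int main(void)
{
    /* Constructed boundary dates, not data observed from the worm. */
    struct { uint16_t y, m, d; } cases[] = {
        {2009, 3, 31}, {2009, 4, 1}, {2009, 4, 2}, {2009, 5, 1},
        {2008, 12, 31}, {2010, 1, 1},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        SystemTime st = {0};
        st.wYear = cases[i].y; st.wMonth = cases[i].m; st.wDay = cases[i].d;
        bool hit = conficker_date_reached(&st);
        /* Both forms must agree on every date. */
        if (hit != date_on_or_after_trigger(st.wYear, st.wMonth, st.wDay))
            return 1;
        printf("%04u-%02u-%02u -> %s\n", (unsigned)st.wYear, (unsigned)st.wMonth,
               (unsigned)st.wDay, hit ? "trigger (loc_9A3C37)" : "skip (loc_9A3C4D)");
    }
    return 0;
}
```

The point of keeping both forms side by side: the ja/jnz pair after each cmp is the idiom a compiler emits for a field-by-field "greater / not equal" chain, and seeing it collapse to a single >= on a packed (year, month, day) value is what confirms the check is "on or after April 1, 2009", not "exactly April 1". Note too that the check runs only when InternetGetConnectedState reports a connection, and that it reads GetLocalTime, so the trigger depends on the victim's local clock and time zone.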
(I was also going to write up a full analysis of the shellcode used in Conficker.A and Conficker.B, as no one else has really gone into detail there. But the additional detail isn't really useful to know if you only care about detecting it. I can, however, describe who the authors copied most of their shellcode from (it's slightly modified MSF). Anyway, it'll be interesting to someone, but the P2P thing will get media attention.)
(Note: I'm not complaining. I'd much rather be reversing malware than working on what I was supposed to be doing this week.)