[personal profile] foxgrrl
		call	InternetGetConnectedState
		test	eax, eax
		jz	short loc_9A3C5C	; no network connection: skip the date check entirely
		lea	eax, [ebp+12Ch+SystemTime]
		push	eax		; lpSystemTime
		call	ebx ; GetLocalTime
		cmp	[ebp+12Ch+SystemTime.wYear], 7D9h	; 7D9h = 2009 (wYear is an unsigned WORD)
		ja	short loc_9A3C37	; year > 2009: date is past the cutoff
		jnz	short loc_9A3C4D	; year < 2009: date is before the cutoff
		cmp	[ebp+12Ch+SystemTime.wMonth], 4	; year == 2009: compare month against April
		ja	short loc_9A3C37	; month > April: past the cutoff
		jnz	short loc_9A3C4D	; month < April: before the cutoff
		cmp	[ebp+12Ch+SystemTime.wDay], 1	; April 2009: compare day against 1
		jb	short loc_9A3C4D	; day < 1 (cannot happen, wDay starts at 1): before the cutoff
						; fall through: local date is on or after 2009-04-01


The above sequence of code has been the bane of my existence this week. It's the date check for April 1, 2009 from the Conficker.C worm. As with many other viruses in the past with a specific date that they do something, there is tremendous media hype surrounding this. So, I had not been analyzing this worm for the last few months, because everyone else had it covered, and I had other stuff to do, but now because of the media hype my company wants to have something published on it for marketing reasons. Since everyone else [see above] has published almost everything about it, there isn't much else for me to say. So I'm reversing the P2P protocol in Conficker.C, because it's the only part left… because it's the hardest part to understand. Anyway, I think I'll at least have figured out the IP address to UDP Port calculation soon, so I can write a scanner/Snort rule, for the P2P protocol. Anyway, don't interrupt me in the meantime…
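To make the branch chain easier to reason about, here is an added Python re-implementation (my own example, not code from the post or from the worm) that walks the cmp/ja/jnz/jb sequence over the three SYSTEMTIME fields exactly as the disassembly does, returning the label control lands on. The label names are taken from the listing; which label is the "activation" path is inferred only from the comparison direction. It also checks that the whole chain collapses to the single condition "local date >= 2009-04-01", which is what you actually want when writing a detection or sandbox note.

```python
"""Emulate the Conficker.C date-check branch chain from the listing above.

The three fields compared are SYSTEMTIME.wYear, wMonth and wDay, all
unsigned 16-bit WORDs, so `ja`/`jb` are unsigned comparisons.  The
InternetGetConnectedState gate (test eax,eax / jz) is modelled by the
`connected` flag.
"""
from datetime import date, timedelta

# Labels copied from the disassembly; the roles are inferred from the compares.
NO_NETWORK = "loc_9A3C5C"   # jz after InternetGetConnectedState returned 0
AFTER_CUTOFF = "loc_9A3C37"   # reached when the date is past the cutoff (or by fall-through)
BEFORE_CUTOFF = "loc_9A3C4D"  # reached when the date is before the cutoff


def branch_target(w_year: int, w_month: int, w_day: int, connected: bool = True) -> str:
    """Return the label the code jumps to (or falls through to) for this SYSTEMTIME."""
    # test eax, eax ; jz loc_9A3C5C
    if not connected:
        return NO_NETWORK
    # cmp wYear, 7D9h ; ja loc_9A3C37 ; jnz loc_9A3C4D
    if w_year > 0x7D9:           # ja: unsigned above 2009
        return AFTER_CUTOFF
    if w_year != 0x7D9:          # jnz: not equal, so (given the ja) below 2009
        return BEFORE_CUTOFF
    # cmp wMonth, 4 ; ja loc_9A3C37 ; jnz loc_9A3C4D
    if w_month > 4:
        return AFTER_CUTOFF
    if w_month != 4:
        return BEFORE_CUTOFF
    # cmp wDay, 1 ; jb loc_9A3C4D ; otherwise fall through
    if w_day < 1:                # never true for a real SYSTEMTIME (wDay >= 1)
        return BEFORE_CUTOFF
    return AFTER_CUTOFF          # fall-through: April 2009 with day >= 1


def check_fires(d: date, connected: bool = True) -> bool:
    """True when the emulated chain ends up on the after-cutoff path."""
    return branch_target(d.year, d.month, d.day, connected) == AFTER_CUTOFF


def chain_equals_cutoff(start: date, end: date) -> bool:
    """Sweep every day in [start, end] and confirm the branch chain is
    exactly `d >= 2009-04-01`; a mismatch would mean the three-level
    compare does not reduce to the simple cutoff."""
    cutoff = date(2009, 4, 1)
    d = start
    while d <= end:
        if check_fires(d) != (d >= cutoff):
            return False
        d += timedelta(days=1)
    return True


if __name__ == "__main__":
    for d in (date(2009, 3, 31), date(2009, 4, 1), date(2009, 12, 25), date(2010, 1, 1)):
        print(d, branch_target(d.year, d.month, d.day))
    print("chain == (date >= 2009-04-01):", chain_equals_cutoff(date(2008, 1, 1), date(2010, 12, 31)))
```

The sweep is the useful part: it shows that the ja/jnz pairs on year and month plus the (dead) jb on day are just a hand-unrolled lexicographic comparison, so a rule or report can state the trigger as "on or after 1 April 2009, local time, while a network connection is reported" without listing the three compares.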

(I was also going to write up a full analysis of the shellcode used in Conficker.A and Conficker.B, as no one else has really gone into detail there. But the additional detail isn't really useful to know if you only care about detecting it. But I can describe who the authors copied most of their shellcode from (it's slightly modified MSF). Anyway, it'll be interesting to someone, but the P2P thing will get media attention.)

(Note: I'm not complaining. I'd much rather be reversing malware than working on what I was supposed to be doing this week.)

Date: 2009-04-02 04:28 am (UTC)
From: [identity profile] two-pi-r.livejournal.com
Did it even do anything on Apr1? Obviously, sorting the wheat from the bullshitchaff as regards news on this is a dicey proposition, given the day.

Oh. It just changes its domain name algorithm? How anticlimactic.
Edited Date: 2009-04-02 04:31 am (UTC)

Date: 2009-04-03 12:47 pm (UTC)
From: [identity profile] databeast.livejournal.com
I've been doing much the same (working on rulesets to ID the P2P traffic with)

but I've been going on observational behaviour and sandbox'ing more than reversing, mainly cos this little bugger is a bit outta my league.
