
New Conficker Variant Increases Its Flexibility

CWmike writes "Criminals behind the widespread Conficker worm have released a new version that could signal a major shift in the way the malware operates. The new variant, dubbed Conficker B++, was spotted three days ago by SRI International researchers, who published details of the new code on Thursday. To the untrained eye, the new variant looks almost identical to the previous version of the worm, Conficker B. But the B++ variant uses new techniques to download software, giving its creators more flexibility in what they can do with infected machines."
  • by Chris Tucker ( 302549 ) on Friday February 20, 2009 @08:04PM (#26936809) Homepage

    Botnets, worldwide botnets.
    What kind of boxes are on botnets?

    Compaq, HP, Dell and Sony, TRUE!
    Gateway, Packard Bell, maybe even Asus, too.

    Are boxes, found on botnets.
    All running Windows, FOO!

  • Meep Beep! (Score:2, Funny)

    by djupedal ( 584558 ) on Friday February 20, 2009 @08:10PM (#26936869)

    If you're on the highway and Conficker goes beep beep.
    Just step aside or might end up in a heap.
    Conficker, Conficker runs on the road all day.
    Even the coyote can't make him change his ways.

    Conficker, the coyote's after you.
    Conficker, if he catches you you're through.
    Conficker, the coyote's after you.
    Conficker, if he catches you you're through.

    That coyote is really a crazy clown,
    When will he learn he can never mow him down?
    Poor little Conficker never bothers anyone,
    Just runnin' down the road's his idea of having fun.

  • by grizdog ( 1224414 ) on Friday February 20, 2009 @08:21PM (#26936957) Homepage

    Because the article doesn't have any technical detail either. I would assume that the new features allow them to connect through some sort of peering mechanism, but the article doesn't go into detail.

    Well, I thought there was some useful detail in the article, particularly this:

    Overall, the modifications to Conficker B++ appear relatively minor as compared to the significant upgrade in functionality, performance, and reliability that occurred from Conficker A to B. These smaller and more surgical changes to B appear to address some of the realities that are currently impacting Conficker's binary update strategy. In particular, in Conficker A and B, there appeared only one method to submit Win32 binaries to the digital signature validation path, and ultimately to the CreateProcess API call. This path required the use of the Internet rendezvous point to download the binary through an HTTP transaction. Under Conficker B++, two new paths to binary validation and execution have been introduced to Conficker drones, both of which bypass the use of Internet rendezvous points: an extension to the netapi32.dll patch and the new named pipe backdoor. These changes suggest a desire by Conficker's authors to move away from a reliance on Internet rendezvous points to support binary update, and toward a more direct flash approach.

    However, Conficker A and B did support, through the previous netapi32.dll patch, an ability to accept new DLLs, as long as the shellcode submitted through the RPC buffer overflow matched the original Conficker infection shellcode. This approach was limiting both in the requirement that direct flashing required an easily identifiable shellcode string and a single DLL method loading procedure, both of which are now subject to detection by security software. Conficker B++ dramatically increases the flexibility of the direct flash mechanisms, offering an ability to load digitally signed Win32 executables directly to a Conficker host.

  • by MichaelSmith ( 789609 ) on Friday February 20, 2009 @08:29PM (#26937039) Homepage Journal
    Cripes, with all the reliance they are placing on Windows internals they will never get this thing ported to *nix. It's almost as bad as AutoCAD.
  • by Anonymous Coward on Friday February 20, 2009 @08:38PM (#26937111)

    If they run foo() then all operating systems are vulnerable!
    O.M.G!

  • by Anonymous Coward on Friday February 20, 2009 @09:12PM (#26937379)

    You know, like the feds used to take down the Mafia on tax violations.

    http://sourceforge.net/projects/b-improved/ [sourceforge.net]

  • by kkrajewski ( 1459331 ) on Friday February 20, 2009 @09:18PM (#26937415) Journal
    I was all excited that someone had made an OO extension to the B programming language [wikipedia.org]. We can only imagine the horror!
  • by Anonymous Coward on Friday February 20, 2009 @10:56PM (#26937973)

    With all the suspense and the scale of infection, whatever the payload is going to be, it'd better be something totally awesome!

    "The Rickroll To End All Rickrolls"

  • by Narnie ( 1349029 ) on Friday February 20, 2009 @11:39PM (#26938241)
    Microsoft should hire these guys to revamp Windows Update.
  • by wisty ( 1335733 ) on Saturday February 21, 2009 @05:26AM (#26939503)
    YOU HAVE RECEIVED THE UNIX VIRUS!

    This virus works on the honor system. Please
    randomly delete some of your files and forward
    this to everyone you know.
