Peaches Posted March 31, 2009

31 March 2009, 11:54

Conficker demystified

Today, Felix Leder and Tillmann Werner of Bonn University are presenting the results of their analysis of the Conficker worm. In a paper in the Honeynet Project "Know Your Enemy" series, they not only describe the worm's modus operandi, but also provide a number of tools to immunise against the worm, detect its presence, and remove it cleanly. They have also discovered a problem in Conficker that apparently allows it to be directly attacked.

If proof were still required that Conficker is not the work of beginners, Leder and Werner's analysis now provides it. For example, the worm contains a very intelligent self-updating method: it intercepts the vulnerable function calls for canonicalising a relative path (such as \a\..\b into \. If a function call arrives that attempts to exploit the security hole, then Conficker decodes the contained shellcode. Typically the shellcode tries to download the worm code, but if Conficker is already present it extracts the URL used for that purpose from the shellcode and loads a fresh version of the worm program itself.

Heise security - http://www.h-online.com/security/Conficker...d--/news/112965
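The relative-path canonicalisation the article refers to, as an added example that is not code from the Honeynet paper, the worm, or the forum poster: a small canonicaliser for backslash paths such as \a\..\b that resolves them the safe way and reports when a path tries to climb above the root, which is the condition a defender wants flagged in input reaching such a function. The sample paths are constructed for illustration.

```python
# Constructed sample inputs (not taken from the paper or from any malware).
SAMPLE_PATHS = [
    "\\a\\..\\b",             # benign: \a\..\b resolves to \b
    "\\a\\b\\..\\..\\c",      # benign: resolves to \c
    "\\a\\..\\..\\..\\b",     # '..' steps above the root: must not underflow
    "\\..\\" + "A" * 64,      # root escape followed by a long filler component
]


def canonicalize(path: str):
    """Resolve '.' and '..' in a backslash-separated path.

    Returns (canonical_path, escaped_root). escaped_root is True when some
    '..' tried to step above the root. Instead of letting the component
    stack go negative, the '..' is dropped; the caller decides what to do
    with the flag.
    """
    stack = []
    escaped = False
    for part in path.split("\\"):
        if part in ("", "."):
            continue            # empty segments and '.' change nothing
        if part == "..":
            if stack:
                stack.pop()     # normal parent step
            else:
                escaped = True  # would climb above the root
        else:
            stack.append(part)
    return "\\" + "\\".join(stack), escaped


def classify(path: str) -> str:
    """Label a path 'ok' or 'suspicious' based on root escape."""
    _, escaped = canonicalize(path)
    return "suspicious" if escaped else "ok"


def scan(paths):
    """Canonicalise every path and pair it with its label."""
    return [(p, canonicalize(p)[0], classify(p)) for p in paths]


if __name__ == "__main__":
    for original, canonical, label in scan(SAMPLE_PATHS):
        print(f"{label:10} {original!r:32} -> {canonical!r}")
```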