Conficker variant thwarts Microsoft

Microsoft has been hot to extinguish the potentially devastating worm known as Conficker. After posting a $250k bounty and assembling a cabal of security researchers, the merry band of nerds set out to block the code before it rocked the net. Unfortunately for our friendly fellowship, the new variant of Conficker can retrieve and execute code without using the Internet rendezvous points (the domains it contacts to pull updates) that researchers have been feverishly working to block.

In Conficker A and B, there appeared to be only one method to submit Win32 binaries to the digital signature validation path, and ultimately to the CreateProcess API call. This path required the use of the Internet rendezvous point to download the binary through an HTTP transaction.

Under Conficker B++, two new paths to binary validation and execution have been introduced to Conficker drones, both of which bypass the use of Internet rendezvous points: an extension to the netapi32.dll patch and the new named pipe backdoor. These changes suggest a desire by Conficker's authors to move away from a reliance on Internet rendezvous points to support binary update, and toward a more direct flash (push) approach.

Oops.
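To make the structural point concrete, here is an added illustrative model in Go; it is not Conficker's code, not code from the researchers, and the channel names, the ed25519/SHA-256 signing scheme, the sample payload and every function name are this example's own stand-ins (the post does not name the worm's actual signature algorithm). It models a drone with a single, channel-independent validation gate in front of "CreateProcess", then blocks the HTTP rendezvous channel the way the researchers did and shows that a correctly signed update still executes through the two B++ push channels, while a forged update from anyone without the author's private key is refused on every channel:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Channel is one of the delivery paths the post mentions. The string labels
// are this example's own, not identifiers taken from the worm.
type Channel string

const (
	ChannelHTTPRendezvous Channel = "http-rendezvous" // A/B: pull from an Internet rendezvous point
	ChannelNetapiPatch    Channel = "netapi32-patch"  // B++: push through the extended netapi32.dll patch
	ChannelNamedPipe      Channel = "named-pipe"      // B++: push through the named pipe backdoor
)

// Update is a Win32 binary plus the detached signature that authorises it.
type Update struct {
	Channel Channel
	Binary  []byte
	Sig     []byte
}

var ErrBlocked = errors.New("delivery channel blocked by defenders")
var ErrBadSignature = errors.New("binary failed signature validation")

// Drone models an infected host: it trusts exactly one hard-coded author key
// and records which delivery channels defenders have managed to cut off.
type Drone struct {
	authorKey ed25519.PublicKey
	blocked   map[Channel]bool
	executed  [][]byte
}

func NewDrone(authorKey ed25519.PublicKey) *Drone {
	return &Drone{authorKey: authorKey, blocked: map[Channel]bool{}}
}

// Block simulates defenders sinkholing or filtering one delivery channel.
func (d *Drone) Block(c Channel) { d.blocked[c] = true }

// Executed reports how many binaries reached the simulated CreateProcess call.
func (d *Drone) Executed() int { return len(d.executed) }

// Receive is the single validation path: whichever channel delivered the blob,
// the hash of the binary must carry a valid author signature before it runs.
func (d *Drone) Receive(u Update) error {
	if d.blocked[u.Channel] {
		return ErrBlocked
	}
	digest := sha256.Sum256(u.Binary)
	if !ed25519.Verify(d.authorKey, digest[:], u.Sig) {
		return ErrBadSignature
	}
	d.executed = append(d.executed, u.Binary) // stands in for CreateProcess
	return nil
}

// GenerateAuthorKey makes a fresh signing key pair (ed25519 is a stand-in here).
func GenerateAuthorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // a failing system RNG is unrecoverable for this demo
	}
	return pub, priv
}

// Sign produces the author's signature over the SHA-256 hash of a binary.
func Sign(priv ed25519.PrivateKey, binary []byte) []byte {
	digest := sha256.Sum256(binary)
	return ed25519.Sign(priv, digest[:])
}

// RunScenario blocks the rendezvous channel, then pushes a genuine and a forged
// update over every channel. It returns the per-channel outcome of each push
// and how many binaries ended up executing.
func RunScenario() (genuine, forged map[Channel]error, executed int) {
	pub, priv := GenerateAuthorKey()
	_, forgerPriv := GenerateAuthorKey() // a researcher who lacks the author's key
	drone := NewDrone(pub)
	drone.Block(ChannelHTTPRendezvous)

	payload := []byte("constructed sample payload, not a real binary")
	genuine, forged = map[Channel]error{}, map[Channel]error{}
	for _, c := range []Channel{ChannelHTTPRendezvous, ChannelNetapiPatch, ChannelNamedPipe} {
		genuine[c] = drone.Receive(Update{Channel: c, Binary: payload, Sig: Sign(priv, payload)})
		forged[c] = drone.Receive(Update{Channel: c, Binary: payload, Sig: Sign(forgerPriv, payload)})
	}
	return genuine, forged, drone.Executed()
}

func main() {
	genuine, forged, n := RunScenario()
	for c, err := range genuine {
		fmt.Printf("genuine update via %-16s -> %v\n", c, err)
	}
	for c, err := range forged {
		fmt.Printf("forged  update via %-16s -> %v\n", c, err)
	}
	fmt.Printf("binaries executed: %d\n", n)
}
```

The takeaway the model makes visible: sinkholing rendezvous domains is a transport control, and the validation gate does not care about transport. Because only the holder of the author's private key can produce a blob the gate accepts, defenders cannot ride the new channels to push a cleanup binary either; the levers that remain are host-side, namely the patched netapi32.dll handler and the named pipe the backdoor listens on.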

Comments

  1. Linc: A Fellowship of the Worm, you say?
  2. MiracleManS: You have my bytes.
  3. Myrmidon: And my inode table!
  4. Snarkasm: And my safe browsing habits.
  5. Annes: I love you guys.
