Sunday, April 26, 2009

conficker.e analysis (.exe component) - part 0.6 - commands smart analysis

On the test system where Conficker.E was dissected, three handled commands were identified; they follow the syntax reported in the previous post. Specifically:

get /vulubmqa http/
get /npms http/
get /wvmvcnrb http/

Each random string changes after a (possibly random) interval, so the behaviour is hard to follow. A good option is to change the timer at runtime to a slower interval so the code can be dissected more easily. The following screenshot shows the code area where the commands were seen, just after being "created" by the worm.

During the test it was seen that one command generates an HTTP response carrying a PNG image, while another generates an HTTP response carrying a binary stream. A closer investigation is in progress. If possible, the raw data returned by Conficker.E as HTTP responses will be published.
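As an added example (not code from the original post or from the Conficker analysis itself), the following Python snippet shows how a defender could triage captured traffic of this kind: it parses request lines that follow the `get /<random string> http/` syntax reported above and classifies each response body by its leading bytes, separating responses that carry the PNG signature from opaque binary streams. The assumption that the random string consists of lower-case letters, the helper names, and the sample request and response bytes are all constructed for this example.

```python
import re

# Request-line syntax as reported in the post: "get /<random string> http/".
# That the random string is lower-case letters only is this example's assumption.
REQ_RE = re.compile(r'^get /([a-z]+) http/')

# Standard 8-byte PNG file signature.
PNG_MAGIC = b'\x89PNG\r\n\x1a\n'


def parse_request_line(line):
    """Return the random path token if the line follows the observed syntax, else None."""
    m = REQ_RE.match(line.strip())
    return m.group(1) if m else None


def classify_response_body(body):
    """Classify a response body by its leading bytes: 'png' if it starts with the PNG signature, otherwise 'binary'."""
    return 'png' if body.startswith(PNG_MAGIC) else 'binary'


def summarize(requests, responses):
    """Map each matching request token to the classification of its response body.

    `responses` maps a path token to the raw body bytes captured for it; tokens without a
    captured body are reported as 'no-response'.
    """
    out = {}
    for line in requests:
        token = parse_request_line(line)
        if token is None:
            continue  # ordinary request, not the worm's syntax
        body = responses.get(token)
        out[token] = classify_response_body(body) if body is not None else 'no-response'
    return out


# Constructed sample input: the three request lines from the post plus one ordinary request.
SAMPLE_REQUESTS = [
    "get /vulubmqa http/",
    "get /npms http/",
    "get /wvmvcnrb http/",
    "GET /index.html HTTP/1.1",  # constructed ordinary request; must not match
]

# Constructed response bodies: one minimal PNG header, one opaque byte stream.
SAMPLE_RESPONSES = {
    "vulubmqa": PNG_MAGIC + b'\x00\x00\x00\rIHDR' + b'\x00' * 13,
    "npms": b'\x01\x02\x03\x04' + b'\x00' * 60,
}

if __name__ == "__main__":
    for token, kind in summarize(SAMPLE_REQUESTS, SAMPLE_RESPONSES).items():
        print(f"/{token}: {kind}")
```

Running the block prints one line per worm-style request token with its response class; feeding it real captured request lines and bodies (for example from a proxy log on an isolated lab host) gives a quick first split between the image-carrying and binary-carrying commands described above.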
