Marc Blanchard Virus Docteur


Wednesday 28 October 2009

28th October 2009 - The West of France lab is active...

The antimalware campus is divided geographically.

The main reason is to study the behaviors of Conficker / Downadup on different DSLAMs.

I will be able to provide epidemiological research and to capitalize on the observed behaviors to establish a strong phenotype.

So, currently the campus is located in the Paris region and in the West of France region.

To capitalize on the Deming methods, both campuses will work on the same samples in order to keep obtaining isomorphic results and homomorphic reports.

For this I decided to use a real-time tool called ntop, which is able to publish specific traffic in real time.

These statistics will be published on this blog per campus.

These statistics will also show the activity in case of attacks.

All of this will be published in a specific section of this blog: Follow Conficker activities in Real Time.

Soon, the same concept will be published for the Paris region.

Saturday 17 October 2009

17th October - Status

Since the 5th, the behaviors of Conficker/Downadup seem to have stabilized.

I am preparing a new geographic lab located in the west of France and connected to a different DSLAM.

I am also preparing a new architecture on another network with new platforms: Seven 64 bits, Vista 64 bits, and XP 32 bits.

On the first platform, I include Windows 2008 FS 64 bits and will run the samples.

So, I will let you know the main Conficker modifications on all of the systems.

Stay Tuned ;-)

Monday 5 October 2009

5th October 2009 - Isomorphic behaviors

Following the push of the dll, I was waiting for the order.... Here it is, the probe sent the order to the computer.

- The alarm is:

Robotization MAP on hybrid network has detected a suspicious activity :

Date : Mon-05-Oct-2009_23_47_41

Suspicious file : c:\windows\system32\Restore\MachineGuid.txt

This file is only a signature that gives an order to the soldier computer:

Data dumped in file offset: 0x0 File format: txt

7b 00 41 00 31 00 34 00 30 00 37 00 32 00 39 00 ; 00000 { A 1 4 0 7 2 9
32 00 2d 00 44 00 37 00 39 00 45 00 2d 00 34 00 ; 00010 2 - D 7 9 E - 4
32 00 34 00 37 00 2d 00 39 00 42 00 36 00 46 00 ; 00020 2 4 7 - 9 B 6 F
2d 00 42 00 36 00 30 00 39 00 43 00 44 00 37 00 ; 00030 - B 6 0 9 C D 7
31 00 37 00 41 00 46 00 38 00 7d 00 00 00 ; 00040 1 7 A F 8 }

Saturday 3 October 2009

3rd October 2009 - Isomorphic Behavior

One of the Conficker networks on which I practice the research sent an alarm:

- The alarm is :

Robotization MAP on hybrid network has detected a suspicious activity :

Date : Sat-03-Oct-2009_12_08_50

Suspicious file : c:\windows\system32\twndbpam.dll

It is detected as a generic Conficker by AVs.

This file was pushed automatically by the worm.

Here is its entry point:

Entry point in file offset: 0x153f0 File format: PE executable (Win32)

80 7c 24 08 01 0f 85 c2 01 00 00 60 be 00 60 00 ; 00000
10 8d be 00 b0 ff ff 57 eb 10 90 90 90 90 90 90 ; 00010
8a 06 46 88 07 47 01 db 75 07 8b 1e 83 ee fc 11 ; 00020
db 72 ed b8 01 00 00 00 01 db 75 07 8b 1e 83 ee ; 00030
fc 11 db 11 c0 01 db 73 ef 75 09 8b 1e 83 ee fc ; 00040
11 db 73 e4 31 c9 83 e8 03 72 0d c1 e0 08 8a 06 ; 00050
46 83 f0 ff 74 74 89 c5 01 db 75 07 8b 1e 83 ee ; 00060
fc 11 db 11 c9 01 db 75 07 8b 1e 83 ee fc 11 db ; 00070
11 c9 75 20 41 01 db 75 07 8b 1e 83 ee fc 11 db ; 00080
11 c9 01 db 73 ef 75 09 8b 1e 83 ee fc 11 db 73 ; 00090
e4 83 c1 02 81 fd 00 f3 ff ff 83 d1 01 8d 14 2f ; 000a0
83 fd fc 76 0f 8a 02 42 88 07 47 49 75 f7 e9 63 ; 000b0
ff ff ff 90 8b 02 83 c2 04 89 07 83 c7 04 83 e9 ; 000c0
04 77 f1 01 cf e9 4c ff ff ff 5e 89 f7 b9 f6 00 ; 000d0
00 00 8a 07 47 2c e8 3c 01 77 f7 80 3f 00 75 f2 ; 000e0
8b 07 8a 5f 04 66 c1 e8 08 c1 c0 10 86 c4 29 f8 ; 000f0
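Both alarms above (the MachineGuid.txt dump of 5 October and the twndbpam.dll entry-point dump of 3 October) use the same dump layout: hex bytes, a semicolon, the offset of the line's first byte, and optionally the rendered characters. The following Python is an added example, not part of the original blog or of the author's Robotization MAP tool. It reassembles the bytes of such a dump, checks that the offsets are contiguous (a missing or duplicated line in a pasted dump is otherwise easy to miss), and, for the MachineGuid.txt dump, decodes the UTF-16LE text and validates that it is a well-formed GUID string. The dumps embedded as constants are copied from the alarms on this page; only the first three lines of the entry-point dump are included.

```python
"""Parse the 'hh hh ... ; ooooo [chars]' hex-dump layout used in the alarms above.

Added example: the functions and constant names here are this example's own
(not the blog's tool); the dump contents are copied from the alarms on the page.
"""
import re

# Registry-style GUID: {8-4-4-4-12 hex digits}
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Dump of c:\windows\system32\Restore\MachineGuid.txt from the 5 October alarm.
MACHINEGUID_DUMP = """
7b 00 41 00 31 00 34 00 30 00 37 00 32 00 39 00 ; 00000 { A 1 4 0 7 2 9
32 00 2d 00 44 00 37 00 39 00 45 00 2d 00 34 00 ; 00010 2 - D 7 9 E - 4
32 00 34 00 37 00 2d 00 39 00 42 00 36 00 46 00 ; 00020 2 4 7 - 9 B 6 F
2d 00 42 00 36 00 30 00 39 00 43 00 44 00 37 00 ; 00030 - B 6 0 9 C D 7
31 00 37 00 41 00 46 00 38 00 7d 00 00 00 ; 00040 1 7 A F 8 }
"""

# First three lines of the twndbpam.dll entry-point dump from the 3 October alarm.
ENTRY_POINT_DUMP = """
80 7c 24 08 01 0f 85 c2 01 00 00 60 be 00 60 00 ; 00000
10 8d be 00 b0 ff ff 57 eb 10 90 90 90 90 90 90 ; 00010
8a 06 46 88 07 47 01 db 75 07 8b 1e 83 ee fc 11 ; 00020
"""


def parse_dump(text: str) -> bytes:
    """Reassemble the bytes of a dump.

    Each line is 'hex bytes ; offset [rendered chars]'. The offset is the
    position of the line's first byte, so it must equal the number of bytes
    collected so far; a gap or overlap means the dump was mangled (for example
    a line lost when pasting it into a report).
    """
    data = bytearray()
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        hex_part, sep, rest = line.partition(";")
        if not sep:
            raise ValueError(f"no offset separator in line: {line!r}")
        offset = int(rest.split()[0], 16)
        if offset != len(data):
            raise ValueError(f"expected offset {len(data):#x}, dump says {offset:#x}")
        data.extend(int(tok, 16) for tok in hex_part.split())
    return bytes(data)


def decode_utf16_text(data: bytes) -> str:
    """Decode a UTF-16LE text dump (every other byte is 00) and drop the NUL terminator."""
    if len(data) % 2:
        raise ValueError("odd length: not UTF-16")
    return data.decode("utf-16-le").rstrip("\x00")


def extract_guid(dump: str) -> str:
    """Parse a text dump, decode it and check that it holds exactly one GUID string."""
    text = decode_utf16_text(parse_dump(dump))
    if not GUID_RE.match(text):
        raise ValueError(f"not a GUID: {text!r}")
    return text


if __name__ == "__main__":
    print("MachineGuid.txt contains:", extract_guid(MACHINEGUID_DUMP))
    stub = parse_dump(ENTRY_POINT_DUMP)
    print(f"entry point: {len(stub)} bytes, starting with {stub[:5].hex(' ')}")
```

Running it prints the 38-character GUID `{A1407292-D79E-4247-9B6F-B609CD717AF8}` (the 78-byte file is that string in UTF-16LE plus a NUL terminator) and confirms that the three entry-point lines reassemble into 48 contiguous bytes. The offset check is the part worth keeping in any dump parser: without it a dropped line silently shifts every later byte, and a hash or signature computed over the reassembled data would be wrong.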