New analysis of Conficker finds peer-to-peer coding less sophisticated and not likely coded by the same developers who coded the other major components of Conficker.
Researchers at SRI International have conducted additional research on Conficker C and determined that a peer-to-peer (P2P) module was not likely coded by the original programmers of the worm.
From the latest SRI research:
The P2P module provides a limited peer command set, keeping complexity to a minimum – perhaps due to scheduling pressures and quality control concerns in deploying new functionality across millions of geographically dispersed victim machines.
The report is very technical. Researchers reverse engineered the P2P protocol and provided the results of their findings. My takeaway is that the P2P protocol, though unsophisticated, has been an important part of how Conficker has been able to continue to infect and how those behind the worm have been able to bypass security filters to send out orders. SRI said the P2P coding conducts scan-based peer discovery across the Internet, looking for previous versions of Conficker to upgrade to the latest and greatest version.
The fact that security experts haven’t been able to stop the spread of orders via Conficker’s P2P algorithm enables Conficker to remain a threat, the SRI researchers said.
Unfortunately, unlike the binary delivery distributions over the DGA rendezvous points that were achieved by the Conficker Working Group , whitehats currently employ no equivalent capability to hinder binary distributions through Conficker’s peer network.