There is some news about a new variant of the Downadup worm. The old variant generated 250 domains per day, but this variant has changed its algorithm and now calculates 50000 domains per day!!! I confirmed this through the code of the new variant. See hint:
66 81 7D 80 D9 07 cmp word ptr [ebp-80h], 7D9h ; Checking for Year 0x7D9 == 2009
77 12 ja short loc_6A3C37
75 26 jnz short loc_6A3C4D
66 83 7D 82 04 cmp word ptr [ebp-7Eh], 4 ; For Month 4 == 'April'
77 09 ja short loc_6A3C37
75 1D jnz short loc_6A3C4D
66 83 7D 86 01 cmp word ptr [ebp-7Ah], 1 ; For Date == 1, so (01-04-2009)
72 16 jb short loc_6A3C4D
83 7D 90 00 cmp dword ptr [ebp-70h], 0
74 09 jz short loc_6A3C46
short loc_6A3C46:
E8 2F 49 00 00 call sub_6A857A
sub_6A857A:
68 94 08 00 00 push 894h
68 00 00 25 20 push 20250000h
—————
89 BD 60 FF FF FF mov [ebp-0A0h], edi
81 FF 50 C3 00 00 cmp edi, 0C350h ; Domain Count 0xC350 == 50,000
0F 83 B9 00 00 00 jnb loc_6A86B0
6A 20 push 20h
6A 40 push 40h
8B 8D 5C FF FF FF mov ecx, [ebp-0A4h]
8D 1C B9 lea ebx, [ecx+edi*4]
89 03 mov [ebx], eax
85 C0 test eax, eax
0F 84 4E 02 00 00 jz loc_6A8862
E8 90 FE FF FF call sub_6A84A9
50 push eax
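The date comparison in the listing above, written out in C as an added example (not code from the worm or from the original post). It assumes the words at ebp-80h, ebp-7Eh and ebp-7Ah belong to one Win32 SYSTEMTIME structure and that loc_6A3C37 is the path taken once the date is reached; the function names and sample buffers are made up for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Same field order as Win32 SYSTEMTIME, redefined so this builds anywhere.
   Assumption: ebp-80h/-7Eh/-7Ah are wYear/wMonth/wDay (offsets 0, 2, 6). */
typedef struct {
    uint16_t wYear, wMonth, wDayOfWeek, wDay;
    uint16_t wHour, wMinute, wSecond, wMilliseconds;
} systemtime_t;

enum { GATE_YEAR = 0x7D9, GATE_MONTH = 4, GATE_DAY = 1, DOMAIN_COUNT = 0xC350 };

/* Decode 16 little-endian bytes as they would sit on the x86 stack. */
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
systemtime_t parse_systemtime(const uint8_t raw[16])
{
    systemtime_t t = { le16(raw),     le16(raw + 2),  le16(raw + 4),  le16(raw + 6),
                       le16(raw + 8), le16(raw + 10), le16(raw + 12), le16(raw + 14) };
    return t;
}

/* The ja/jnz pairs compare one field at a time: later means pass, earlier
   means skip, equal falls through to the next field. Net effect: date >= 2009-04-01. */
bool date_gate_open(const systemtime_t *t)
{
    if (t->wYear > GATE_YEAR)    return true;   /* ja  loc_6A3C37 (assumed pass path) */
    if (t->wYear != GATE_YEAR)   return false;  /* jnz loc_6A3C4D (skip path) */
    if (t->wMonth > GATE_MONTH)  return true;   /* ja  loc_6A3C37 */
    if (t->wMonth != GATE_MONTH) return false;  /* jnz loc_6A3C4D */
    return t->wDay >= GATE_DAY;                 /* jb  loc_6A3C4D */
}

bool gate_open_raw(const uint8_t raw[16])
{
    systemtime_t t = parse_systemtime(raw);
    return date_gate_open(&t);
}

/* Constructed sample buffers (not taken from a real memory image). */
const uint8_t SAMPLE_MAR31[16] = { 0xD9,0x07, 0x03,0x00, 0x02,0x00, 0x1F,0x00 };
const uint8_t SAMPLE_APR01[16] = { 0xD9,0x07, 0x04,0x00, 0x03,0x00, 0x01,0x00 };

int main(void)
{
    printf("2009-03-31 gate: %d\n", gate_open_raw(SAMPLE_MAR31));
    printf("2009-04-01 gate: %d, loop bound: %d\n", gate_open_raw(SAMPLE_APR01), DOMAIN_COUNT);
    return 0;
}
```

The check on [ebp-70h] that follows the date comparison in the listing is not modelled here.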
I hope I'll post the full algorithm/standalone compiled file. I also want to find out why this time it has so many website strings like… See file strings here.
-Avii