A view on Conficker's inside

24 Apr 2009 Felix Leder conficker control-flow dependencies malware visualization

Many people have asked us what Conficker looks like. That’s a tough question for something that’s hidden and tries to be as stealthy as possible. The last time somebody asked me, “Can you show me Conficker?”, I decided to visualize Conficker. Here is a little video that shows the evil core of Conficker.C.

The video is a 3D animation of the functions inside Conficker.C and their functional relationships. Yellow balls are functions found inside Conficker, green loops are functions imported from DLLs, and red boxes are jump holes into other functions. The video shows how our tools analyze Conficker and derive the dependencies within the control flow graph.

The video can be downloaded from our Conficker page: http://four.cs.uni-bonn.de/conficker or accessed directly via http://four.cs.uni-bonn.de/uploads/media/video.avi

Have fun :)

Tillmann & Felix