Crypto Virology Seminar.PPT - 123SeminarsOnly
Initial Infection
Variants A, B, C and E exploit a vulnerability in the Server Service on Windows computers (the flaw patched by MS08-067).
On the source computer, the worm runs an HTTP server on a port between 1024 and 10000.
The shellcode executed on the target connects back to this HTTP server to download a copy of the worm in DLL form, which it then attaches to a running service.
Armoring
Variant A payloads are first SHA-1-hashed and then RC4-encrypted with the resulting hash as the key (stated here as 512 bits; note that a standard SHA-1 digest is 160 bits).
The hash is then RSA-signed with a 1024-bit private key, so a bot can check both the signature on the hash and, after decrypting, that the payload re-hashes to the signed value.
Variant C uses MD6 for hashing the payload and increases the RSA key to 4096 bits.
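The armoring chain above, as an added worked example (written for this page, not Conficker's code): the sender hashes the payload, RC4-encrypts it under the hash, and signs the hash; the receiving bot accepts the payload only if the signature verifies and the decrypted bytes re-hash to the signed digest. Assumptions: SHA-1 from hashlib (a 160-bit digest, not the slide's 512-bit figure), a pure-Python RC4, and textbook unpadded RSA with a freshly generated 512-bit key, used only to show the verification logic and not a production signing scheme.

```python
"""Hash -> RC4 under the hash -> RSA-sign the hash, plus the bot-side check.
Illustrative code for this page; textbook RSA and short keys are for
demonstration only."""
import hashlib
import random


def rc4(key, data):
    """Plain RC4: key scheduling, then XOR the data with the keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test (enough for a demo key)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits=512):
    """Textbook RSA key pair: returns ((n, e), (n, d)). Demo sizes only."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this means gcd(e, phi) == 1
            return (n, e), (n, pow(e, -1, phi))


def armor(payload, priv):
    """Sender side: digest the payload, encrypt under the digest, sign the digest."""
    digest = hashlib.sha1(payload).digest()
    n, d = priv
    signature = pow(int.from_bytes(digest, "big"), d, n)
    return rc4(digest, payload), digest, signature


def unarmor(ciphertext, digest, signature, pub):
    """Bot side: return the payload only if the signature over the digest
    verifies AND the decrypted bytes re-hash to that digest; else None."""
    n, e = pub
    if pow(signature, e, n) != int.from_bytes(digest, "big"):
        return None                      # digest was not signed by the key holder
    plaintext = rc4(digest, ciphertext)  # RC4 is symmetric: same call decrypts
    if hashlib.sha1(plaintext).digest() != digest:
        return None                      # ciphertext was altered in transit
    return plaintext
```

Using the digest as the cipher key means a bot can only decrypt a payload whose digest it has been handed, and the signature binds that digest to the operator's private key; someone intercepting the rendezvous traffic (a sinkhole, for instance) can neither read the payload without the digest nor substitute a payload of their own without the private key. The weak links in a real deployment are the unpadded signature and the hash choice, which is exactly why the later variants moved to larger keys and a different hash.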
Payload Propagation
Variant A generates a list of 250 domain names every day across five TLDs.
Variant B increases the number of TLDs to eight and has a generator tweaked to produce domain names disjoint from those of A.
Variant D generates a daily pool of 50000 domains across 110 TLDs, from which it randomly chooses 500 to attempt for that day.
Variant C creates a named pipe, over which it can push URLs for downloadable payloads to other infected hosts on a local area network.
Variants D and E create an ad-hoc peer-to-peer network to push and pull payloads over the wider Internet.
Domain Name Generation
Conficker implements its own random number generator.
It selectively chooses between its own function generate_random() and the system rand() function.
A top-level domain (TLD) suffix chosen randomly from .com, .net, .org, .info and .biz is then appended to the generated name.
Conficker B includes additional TLD suffixes (.ws, .cn, .cc).
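A date-seeded domain generator modelled on the Variant A and B parameters from the Payload Propagation and Domain Name Generation slides (250 names a day; five TLDs for A, eight for B, with B's list disjoint from A's), together with the defender-side membership check that makes a recovered generator useful for sinkholing. This is illustrative code added for this page, not Conficker's own generator. Assumed details: labels are 8 to 11 lowercase letters, the daily seed is SHA-256 over a variant salt and the ISO date, and Python's Mersenne Twister stands in for the worm's generate_random().

```python
"""Date-seeded DGA in the style of Conficker A/B, plus a defender-side check.
Illustrative code for this page; label length, seed derivation and PRNG
are assumptions, not the worm's actual values."""
import hashlib
import random

TLDS_A = (".com", ".net", ".org", ".info", ".biz")
TLDS_B = TLDS_A + (".ws", ".cn", ".cc")
NAMES_PER_DAY = 250
LABEL_LEN = (8, 11)                   # assumed label length range
LETTERS = "abcdefghijklmnopqrstuvwxyz"


def daily_seed(variant, day_iso):
    """Bot and C2 operator derive the same seed from nothing but the date;
    the variant salt is what keeps B's names disjoint from A's."""
    material = ("dga-demo/" + variant + "/" + day_iso).encode()
    return int.from_bytes(hashlib.sha256(material).digest()[:8], "big")


def generate_domains(variant, day_iso):
    """Return the day's candidate rendezvous domains for variant 'A' or 'B'
    (day_iso is a 'YYYY-MM-DD' string)."""
    tlds = TLDS_A if variant == "A" else TLDS_B
    rng = random.Random(daily_seed(variant, day_iso))
    domains = []
    for _ in range(NAMES_PER_DAY):
        length = rng.randint(*LABEL_LEN)
        label = "".join(rng.choice(LETTERS) for _ in range(length))
        domains.append(label + rng.choice(tlds))
    return domains


def is_dga_domain(query, day_iso, variants=("A", "B")):
    """Defender-side check: does a queried name fall in any variant's list
    for that day?  In practice precompute the lists once per day, match
    DNS logs against them, or pre-register the names and sinkhole them."""
    name = query.lower().rstrip(".")      # normalise case and trailing dot
    return any(name in set(generate_domains(v, day_iso)) for v in variants)
```

Because the bot and the operator share only the date and the algorithm, anyone who recovers the generator can enumerate every rendezvous name ahead of time and block or register it, which is the pressure that pushed Variant D to a 50000-name daily pool and the D/E peer-to-peer channel.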