Crypto Virology Seminar.PPT - 123SeminarsOnly

Initial Infection
VVariants i AA, BB, C and d E exploit l i a vulnerability l bili iin
the Server Service on Windows computers
In the h source computer, the h worm runs an
HTTP server on a port between 1024 and
10000
The target shellcode connects back to this
HTTP server to t download d l da copy of f the th worm
in DLL form, which it then attaches to a
running service service.
Armoring
variant i A payloads l d are fi first SHA1 SHA1‐hashed h h dand d
RC4‐encrypted with the 512‐bit hash as a key.
The h hhash his then h RSA‐signed d with h a 1024‐bit b
private key.
Variant C uses MD6 for hashing the payload.
To increase the RSA key to 4096 bits!!
25
27
Payload Propagation
Variant A generates a list of 250 domain names every day
across five TLDs.
Variant B increases the number of TLDs to eight
has a generator tweaked to produce domain names disjoint from
those of A.
Variant D generates a daily pool of 50000 domains across
110 TLDs, , from which it randomly y chooses 500 to attempt p
for that day.
Variant C creates a named pipe, over which it can push URLs
for downloadable payloads to other infected hosts on a local
area network.
Variants D and E create an ad‐hoc peer‐to‐peer network to
push and pull payloads over the wider Internet.
Domain Name Generation
CConficker fi k iimplements l t its it own random d
number generator.
Selectively chooses between its own function
generate_random() and system rand()
function.
A top‐level domain (TLD) suffix chosen
randomly between .com, .net, .org, .info, and
.biz is then appended to the domain name.
Conficker B includes additional TLD suffixes
( (.ws, .cn, .cc). )
26
28