Crypto Virology Seminar.PPT - 123SeminarsOnly
Binary Validation
Compute a 512-bit hash M of the Windows binary.
The binary is then encrypted using the RC4 symmetric stream cipher with password M.
A digital signature is computed using an RSA encryption scheme:
M^epriv mod N = Sig
N is a public modulus that is embedded in all Conficker client binaries.
Sig is then appended to the encrypted binary, and together they can be pushed to all infected Conficker clients.
Binary Validation
The client recovers M from the signature using N and the public exponent epub, which is embedded in the Conficker client binary:
M = Sig^epub mod N
The client then decrypts the binary using password M and confirms its integrity by comparing the hash of the decrypted binary to M.
If the hash integrity check succeeds, the binary is stored and executed via Windows shellexec().
Otherwise the binary is discarded.
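The package-and-validate flow on these two slides, as an added Python example that is not Conficker's code or the seminar's: it follows the steps above (SHA-512 for the 512-bit hash M, RC4 keyed with M, raw RSA on M) but generates a constructed 768-bit key pair with a Fermat primality test, which is demo quality only; the final lines show a valid blob accepted and a corrupted blob rejected by the hash check.

```python
import hashlib, random
from math import gcd
# Added example, not Conficker's code. Key size and prime test are demo choices;
# M is a real 512-bit SHA-512 digest, so M < N holds as raw RSA requires.

def gen_prime(bits):                      # Fermat test with four bases: demo only
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # odd, full width
        if all(pow(a, c - 1, c) == 1 for a in (2, 3, 5, 7)):
            return c

def rsa_keygen(bits=768, e=65537):
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return pow(e, -1, phi), e, p * q                  # epriv, epub, N

def rc4(key, data):                                   # textbook RC4 KSA + PRGA
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 255
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 255
        j = (j + S[i]) & 255
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 255])
    return bytes(out)

def package(binary, epriv, N):
    M = hashlib.sha512(binary).digest()                   # 512-bit hash M
    sig = pow(int.from_bytes(M, "big"), epriv, N)         # Sig = M^epriv mod N
    return rc4(M, binary) + sig.to_bytes((N.bit_length() + 7) // 8, "big")

def validate(blob, epub, N):
    siglen = (N.bit_length() + 7) // 8
    M = pow(int.from_bytes(blob[-siglen:], "big"), epub, N)  # M = Sig^epub mod N
    if M >= 1 << 512:                  # recovered value is not a 512-bit hash
        return None
    key = M.to_bytes(64, "big")
    binary = rc4(key, blob[:-siglen])                     # decrypt with password M
    return binary if hashlib.sha512(binary).digest() == key else None

if __name__ == "__main__":          # constructed payload: valid passes, corrupted fails
    epriv, epub, N = rsa_keygen()
    blob = package(b"MZ constructed sample payload bytes", epriv, N)
    print(validate(blob, epub, N) is not None, validate(bytes([blob[0] ^ 1]) + blob[1:], epub, N))
```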
Defenses against Conficker
Efforts are on to stop the worm.
Conficker cabal
Conficker C and D download daily from any 500 of 50,000 pseudorandom domains over 110 TLDs.
Conficker D uses a custom protocol to scan for infected peers via UDP, then transfers via TCP.
ICANN has sought preemptive barring of domain transfers and registrations from all TLD registries affected by the worm's domain generator.
Tools are available for removal of the virus.