IRohitable | January 2011

Another variant of Rimecud in the wild.

by Rohit 14. January 2011 15:45

Variant name: Win32/Rimecud.CFD (CA).

Alias: TR/Kazy.8043 (Avira), Win32.Palevo.BD (Sophos)

This time another suspicious file encountered with the name, jvxqnu.exe. This file was found in the folder: C:\Documents and Settings\User\. This variant also creates other executable files with a random number as a name. The one I found was with the name: 8309.exe which was in the folder C:\Documents and Settings.

Below is the captured WinPCap stream of this malware:

More...

Tags: , , ,

Security | Technology

Was RSA or RC4 broken to decipher Conficker?

by Rohit 14. January 2011 05:22

Initially, when I read about the use of symmetric and asymmetric cryptography in Conficker worm, I didn’t realize the real risk. I already knew that modern malware use some type of encryption to prevent detection, but the use of algorithms like RSA and RC4 puzzled me. Not only that, the use of long 4096-bit keys made me even more uneasy.

How could a malware use such a sophisticated method for replication? I am not an authority in this area, but with whatever little I know, malware use techniques to shorten their code so that the malicious content could be easily injected into another file. Long code means sooner detection. Even if Conficker uses RSA for safe transmission, how it managed key-handling? Who possessed the secret key and how he remotely decrypts the malware code on a remote machine? Were the good guys able to decrypt the code? RSA 2048 & 4096-bit key is considered reasonably safe and if the good guys could decipher the code, does it mean there is a backdoor in the algorithm itself?

I was more concerned about the last question until Paul Duckin, of SOPHOS labs, answered my query. Below is the extract of his answer:

 More...

Tags: , , , , , ,

Blog | Security

About Rohit Prakash

Software Craftsman and Technology Enthusiast (not a Guru).

Technical Reviewer of a book on open-source programming IDE.

My day job keeps me engaged with Microsoft Technologies (ASP.NET, C# and SQL Server) hence most of the posts are related to these technologies. I, however, love to play with other open-source technologies. I also have interest in IT Security and therefore you will find posts on Malware Analysis, Cryptography and Anti-Virus programs.

Few people have contacted me for Guest Posts. You will find these posts as well.

 

You can reach me at:

rohit [at] irohitable.com

-----------------------------------------

LinkedIn:

in.linkedin.com/in/rohitpkhare

Twitter:

@BuzzRohit

-----------------------------------------
Google+

Search with this name: Rohit Prakash

Month List

Protected by Copyscape Web Plagiarism Software