14. January 2011 15:45
Variant name: Win32/Rimecud.CFD (CA).
Alias: TR/Kazy.8043 (Avira), Win32.Palevo.BD (Sophos)
This time another suspicious file encountered with the name, jvxqnu.exe. This file was found in the folder: C:\Documents and Settings\User\. This variant also creates other executable files with a random number as a name. The one I found was with the name: 8309.exe which was in the folder C:\Documents and Settings.
Below is the captured WinPCap stream of this malware:
14. January 2011 05:22
Initially, when I read about the use of symmetric and asymmetric cryptography in Conficker worm, I didn’t realize the real risk. I already knew that modern malware use some type of encryption to prevent detection, but the use of algorithms like RSA and RC4 puzzled me. Not only that, the use of long 4096-bit keys made me even more uneasy.
How could a malware use such a sophisticated method for replication? I am not an authority in this area, but with whatever little I know, malware use techniques to shorten their code so that the malicious content could be easily injected into another file. Long code means sooner detection. Even if Conficker uses RSA for safe transmission, how it managed key-handling? Who possessed the secret key and how he remotely decrypts the malware code on a remote machine? Were the good guys able to decrypt the code? RSA 2048 & 4096-bit key is considered reasonably safe and if the good guys could decipher the code, does it mean there is a backdoor in the algorithm itself?
I was more concerned about the last question until Paul Duckin, of SOPHOS labs, answered my query. Below is the extract of his answer: