Conficker's authors have shown adaptability in adopting and swapping the encryption and hashing algorithms the worm uses, including:
- SHA-1 (Conficker A/B - replaced by MD6 in C)
- 4096-bit RSA key (C and later)
- RC4
- MD6
At a high level, the encryption process used by Conficker C and later is as follows:
1) Compute the MD6 hash of a distributed binary
2) Encrypt the binary using RC4 and a password
3) Generate a digital signature using RSA and a public modulus embedded in the Conficker code
4) Append the digital signature to the encrypted binary and distribute the binary to other Conficker nodes which then verify the binary using the reverse process and embedded keys
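As an added example (not code from the post or from Conficker itself), the four steps above in Python: SHA-1 stands in for MD6, which the standard library lacks; the RSA key pair, RC4 password and sample binary are all constructed for the demo, and the RSA is unpadded textbook RSA, which a real deployment would never use. The verification side shows why a node that only holds the public modulus rejects both a tampered payload and one signed with the wrong private exponent.

```python
import hashlib

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

# Constructed toy RSA key (two Mersenne primes, ~216-bit modulus); demo only,
# nothing like the 4096-bit modulus embedded in Conficker C.
P, Q = (1 << 127) - 1, (1 << 89) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: held only by the author
SIG_LEN = 32                        # N < 2^216, so every signature fits in 32 bytes

def package(binary: bytes, password: bytes, d: int = D) -> bytes:
    """Steps 1-4: hash the binary, RC4-encrypt it, RSA-sign the hash, append the signature."""
    digest = hashlib.sha1(binary).digest()           # SHA-1 stands in for MD6 here
    sig = pow(int.from_bytes(digest, "big"), d, N)   # textbook RSA, no padding (toy only)
    return rc4(password, binary) + sig.to_bytes(SIG_LEN, "big")

def unpack(payload: bytes, password: bytes):
    """Receiving node: split off the signature, decrypt, rehash, and check the signature
    against the embedded public key. Returns the binary, or None if verification fails."""
    blob, sig = payload[:-SIG_LEN], int.from_bytes(payload[-SIG_LEN:], "big")
    binary = rc4(password, blob)
    expected = int.from_bytes(hashlib.sha1(binary).digest(), "big")
    return binary if pow(sig, E, N) == expected else None

# Constructed sample binary and password.
SAMPLE = b"MZ\x90\x00constructed-sample-binary"
PASSWORD = b"constructed-password"

def demo():
    good = package(SAMPLE, PASSWORD)
    tampered = bytes([good[0] ^ 0x01]) + good[1:]   # one ciphertext byte flipped
    forged = package(SAMPLE, PASSWORD, d=12345)      # signed without the real private key
    return unpack(good, PASSWORD), unpack(tampered, PASSWORD), unpack(forged, PASSWORD)
```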
The use of the MD6 hashing algorithm is particularly interesting. MD6 had only been out for a few weeks when Conficker began using it for hashing. After Conficker B began using MD6, a buffer overflow was discovered in the MD6 algorithm. Soon after, variant D began using the fixed release of MD6 proving once again the authors' capacity to quickly update Conficker.
These security algorithms aren't simply used to keep the good guys from studying and stopping Conficker. It's not uncommon for malware authors to take over one another's P2P networks to use for distributing spam or other nefarious activities, so the encryption and hashing algorithms used by Conficker also ensure that the original authors keep control of the network. Since the primary purpose of most modern P2P malware networks is illicit, money-making activity, losing control of a network equates to millions in potential lost (illegal) revenue.
©2010 by Priveon, Inc.