A Methodology for Retrieving Information from Malware Encrypted Output Files: Brazilian Case Studies

This article presents and explains a methodology based on cryptanalytic and reverse engineering techniques that can be employed to quickly recover information from encrypted files generated by malware. The objective of the methodology is to minimize the effort with static and dynamic analysis, by using cryptanalysis and related knowledge as much as possible. In order to illustrate how it works, we present three case studies, taken from a big Brazilian company that was victimized by directed attacks focused on stealing information from a special purpose hardware they use in their environment.

[1]  Charles Ashbacher Microsoft Visual Basic 6.0 Pro , 1999 .

[2]  Jennifer Seberry,et al.  LOKI - A Cryptographic Primitive for Authentication and Secrecy Applications , 1990, AUSCRYPT.

[3]  Marc Stevens,et al.  Chosen-Prefix Collisions for MD5 and Colliding X.509 Certificates for Different Identities , 2007, EUROCRYPT.

[4]  Dawn Xiaodong Song,et al.  Dispatcher: enabling active botnet infiltration using automatic protocol reverse-engineering , 2009, CCS.

[5]  Christophe De Cannière,et al.  KATAN and KTANTAN - A Family of Small and Efficient Hardware-Oriented Block Ciphers , 2009, CHES.

[6]  Andrew Honig,et al.  Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software , 2012 .

[7]  Harish Patil,et al.  Pin: building customized program analysis tools with dynamic instrumentation , 2005, PLDI '05.

[8]  Adi Shamir,et al.  A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.

[9]  Adi Shamir,et al.  Playing "Hide and Seek" with Stored Keys , 1999, Financial Cryptography.

[10]  Joe Kilian,et al.  How to Protect DES Against Exhaustive Key Search (an Analysis of DESX) , 2015, Journal of Cryptology.

[11]  Shoji Miyaguchi,et al.  Fast Data Encipherment Algorithm FEAL , 1987, EUROCRYPT.

[12]  Carsten Willems,et al.  Automated Identification of Cryptographic Primitives in Binary Programs , 2011, RAID.

[13]  Elaine B. Barker,et al.  Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher , 2004 .

[14]  Bruce Schneier,et al.  Description of a New Variable-Length Key, 64-bit Block Cipher (Blowfish) , 1993, FSE.

[15]  Dawn Xiaodong Song,et al.  Insights from the Inside: A View of Botnet Management from Infiltration , 2010, LEET.

[16]  Felix C. Freiling,et al.  Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm , 2008, LEET.

[17]  P. Kiberstis Playing Hide and Seek , 2014, Science Signaling.

[18]  Eldad Eilam,et al.  Reversing: Secrets of Reverse Engineering , 2005 .

[19]  James L. Massey,et al.  SAFER K-64: A Byte-Oriented Block-Ciphering Algorithm , 1993, FSE.

[20]  Zhi Wang,et al.  ReFormat: Automatic Reverse Engineering of Encrypted Messages , 2009, ESORICS.

[21]  Ronald L. Rivest,et al.  The RC5 Encryption Algorithm , 1994, FSE.

[22]  Elaine B. Barker,et al.  SP 800-67 Rev. 1. Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher , 2004 .

[23]  Jean-Yves Marion,et al.  Aligot: cryptographic function identification in obfuscated binary programs , 2012, CCS.

[24]  Xuejia Lai,et al.  A Proposal for a New Block Encryption Standard , 1991, EUROCRYPT.

[25]  Bai En A One-Way Hashing Algorithm with Variable Length of Output , 2004 .

[26]  Mitsuru Matsui,et al.  Speci cation of Camellia | a 128-bit Block Cipher , 2001 .

[27]  Jennifer Seberry,et al.  HAVAL - A One-Way Hashing Algorithm with Variable Length of Output , 1992, AUSCRYPT.