Automatic Detection and Analysis of Encrypted Messages in Malware

Encryption is increasingly used in network communications, and especially by malicious software (malware), to hide its activities and to protect itself from detection and analysis. Understanding a malware sample's encryption scheme helps researchers analyze its network protocol and, from that, derive the internal structure of the malware. Current techniques for analyzing encrypted protocols, however, have significant limitations. For example, they usually require that the encryption routine be separated from the message-processing code, an assumption that rarely holds in today's malware, and they cannot provide detailed information about the encryption parameters, such as the algorithm used and its secret key. These techniques therefore cannot meet the needs of today's malware analysis.
