In this paper we present a new approach for identifying the crypto routines in different types of malware. In traditional malware analysis, such as sandboxing, network data is examined as seen on the wire, or data is collected as it is written to a file. The use of proprietary binary formats, obfuscation, or encryption hides important details that are necessary for investigating malicious behavior, and it is hardly possible to build decryptors from monitored sandbox data alone. Our approach not only examines data as it leaves or enters the malware but also correlates it with information from inside the malware. By monitoring the data at I/O interfaces as well as its data dependencies, our approach automatically reveals the data origin. Knowing the data origin enables an analyst to find the crypto functions with little effort. Using this approach, we were able to identify the encryption, decryption, and command parser in different malware samples, each within minutes. In our evaluation, we present the results for the Kraken command-and-control protocol encryption and for the file encryption of the Srvcp trojan.
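To make the idea of tracking data origin from I/O interfaces along data dependencies concrete, here is a toy tracker written as an added illustration; it is not the authors' tool, and the function names, operations and instruction trace it works on are constructed for the example.

```python
"""Toy data-origin tracker in the spirit of the approach described above. Added
illustration, not the authors' tool; names and the trace are constructed."""
from collections import defaultdict

# Constructed trace of (function, op, destination, sources). "io_in" marks data
# entering through an I/O interface (a socket read), "io_out" data leaving it.
TRACE = [
    ("recv_loop",  "io_in",  "buf",   []),               # ciphertext arrives from C&C
    ("rc4_like",   "load",   "r1",    ["buf"]),
    ("rc4_like",   "xor",    "r1",    ["r1", "ks"]),     # keystream byte applied
    ("rc4_like",   "store",  "plain", ["r1"]),
    ("cmd_parser", "load",   "r2",    ["plain"]),
    ("cmd_parser", "cmp",    "flags", ["r2", "const"]),  # dispatch on command id
    ("cmd_parser", "store",  "reply", ["r2"]),           # reply echoes the command id
    ("rc4_like",   "load",   "r3",    ["reply"]),
    ("rc4_like",   "xor",    "r3",    ["r3", "ks"]),
    ("rc4_like",   "store",  "ct",    ["r3"]),
    ("send_loop",  "io_out", None,    ["ct"]),           # ciphertext leaves to C&C
]
# Ops that change a value, as opposed to moving or comparing it.
TRANSFORMS = {"xor", "add", "sub", "rol", "ror", "mul"}

def track(trace):
    """Propagate I/O origins along data dependencies; summarise per function."""
    origin = defaultdict(set)   # location -> I/O sources its value depends on
    via = defaultdict(set)      # location -> functions that transformed that value
    stats = defaultdict(lambda: {"origins": set(), "transforms": 0, "to_output": False})
    for func, op, dst, srcs in trace:
        if op == "io_in":
            origin[dst], via[dst] = {f"{func}/in"}, set()
            continue
        o = set().union(*(origin[s] for s in srcs))
        v = set().union(*(via[s] for s in srcs))
        if op == "io_out":
            for f in v:                 # transformed data reached an output interface
                stats[f]["to_output"] = True
            continue
        if o:                           # only I/O-derived data is of interest
            stats[func]["origins"] |= o
            if op in TRANSFORMS:
                stats[func]["transforms"] += 1
                v = v | {func}
        origin[dst], via[dst] = o, v
    return stats

def classify(stats):
    """Crypto candidates transform I/O-derived data; parser candidates only move or compare it."""
    crypto = sorted(f for f, s in stats.items() if s["transforms"] > 0)
    parser = sorted(f for f, s in stats.items() if s["origins"] and s["transforms"] == 0)
    return crypto, parser
```

On the constructed trace, `classify(track(TRACE))` singles out `rc4_like` as the routine that transforms I/O-derived data on both the inbound and outbound path and `cmd_parser` as the consumer that only inspects it.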