Malwares are becoming increasingly stealthy,
more and more malwares are using cryptographic algorithms (e.g., packing,
encrypting C& C communication) to protect themselves from being
analyzed. The use of cryptographic algorithms and truly transient cryptographic
secrets inside the malware binary imposes a key obstacle to effective malware
analysis and defense. To enable more effective malware analysis, forensics, and
reverse engineering, we have developed Cipher X-ray a novel binary analysis
framework that can automatically identify and recover the cryptographic
operations and transient secrets from the execution of potentially obfuscated
binary executables. Based on the avalanche effect of cryptographic functions,
Cipher X-ray is able to accurately pinpoint the boundary of cryptographic
operation and recover truly transient cryptographic secrets that only exist in
memory for one instant in between multiple nested cryptographic operations.
Cipher X-ray can further identify certain operation modes (e.g., ECB, CBC, CFB)
of the identified block cipher and tell whether the identified block cipher
operation is encryption or decryption in certain cases. We have empirically
validated Cipher X-ray with Open SSL, popular password safe KeePassX, the
ciphers used by malware Stunner, Kraken and A go bot, and a number of third
party software’s with built-in compression and checksum. Cipher X-ray is able to identify various
cryptographic operations and recover cryptographic secrets that exist in memory
for only a few microseconds
No comments:
Post a Comment